1. Introduction
Brightwell [1] are registered at One America Square, 17 Crosswall, London, England, EC3N 2LB (we, us, our) and are the data controllers for any relevant Data Protection Regulations, including EU GDPR, UK GDPR and DPA 2018.
This Privacy Notice (Notice) sets out the basis on which we will process any personal data we collect from you, or that you or third parties provide to us.
Please read this Notice carefully so that you understand your rights in relation to your personal data, and how we will collect, use, and process your personal data.
In a situation where you provide us with your personal data to share with a third party who will provide a service to you directly, they are the data controller of that personal data and you are strongly advised to review their own privacy notice for details as to how they handle your personal data.
We are committed to protecting and respecting your privacy and this Notice explains our policy in relation to:
- what information we collect about you,
- how we use your information,
- who we share your information with,
- where and how long we will keep your data,
- how we keep your information safe,
- your rights regarding the personal information you provide to us,
- technical information that we collect about you (including via the use of cookies on our website), and
- who you can contact if you have questions or complaints about how we process your personal data.
2. What types of information do we collect about you?
We hold the following information about you:
- personal details such as your name, gender, age, date of birth, email address, postal address, telephone or mobile number and identifiers such as national insurance number,
- marriage, partnerships and marital history, details of family and dependants,
- employment details such as pensionable pay, length of service, employment and career history, recruitment and termination details, attendance record, health and safety records, security records, job title and job responsibilities, financial details such as income, salary, assets and investments, bank account details to process pension payments, voluntary deduction choices, benefits, grants and insurance details,
- information on your trade union membership (if relevant),
- details in relation to your physical and mental health (if relevant), and
- technical information and other information about your visits to our website and the Pensions Portal. When using the online pensions portal, we may also obtain certain information which enables members to manage their membership by contacting us online, by phone, email, post or any other engagement or correspondence that you or your employer may have with us.
If you provide us with information about someone else, for example your family members and dependants, we will assume that you have their permission to do so. We will process their personal data in accordance with this Notice. Please let them know you have provided their information to us and encourage them to read this Notice.
3. How do we use your information
We will use your personal information for the purposes of administering and managing your pension. We may receive information from third parties who collect your personal data and pass it on to us. For example, a claim organisation contacts us on your behalf. Where this is the case, the third party is responsible for obtaining the relevant consents from you to ensure you are happy with the ways in which your personal data will be used.
More information on the purposes for which we process your data and the legal bases for this processing can be found in section 14 of this Notice - 'Additional Information'.
4. Who we share your personal data with
We do not sell, rent, or lease your personal information. We share your information with selected recipients as set out in this Notice. This includes sharing information with those who may have a legal or regulatory right to request such information. Please see section 14.2 for more information about who your personal data is shared with.
5. Where do we store your personal data
The information that we collect from you will be transferred to and stored at/processed in the UK/EEA. We will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Notice.
We will only transfer your information outside of the UK/EEA where we have your consent and there are adequate measures in place to provide appropriate safeguards, such as Model Clauses (Standard Contractual Clauses (SCCs) produced by the EU Commission) and other appropriate safeguards such as Code of Conduct and Certification. Please see section 14.5 for more information about Transfer Mechanisms.
6. Keeping your information safe
The transmission of information via the internet or email is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your information transmitted through this website or over email; any transmission is at your own risk. Once we have received your information, we will take appropriate technical and organisational measures to safeguard your personal data against loss, theft and unauthorised use, access, or modification.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping such password confidential. Please do not share your password with anyone.
7. How long will we keep your personal data
Pension benefits are paid over a long period and your right to benefits payable is based on information that may date back many years. We will decide to delete some of the data held in relation to you after 6 years.
However, your personal information may be held for longer where:
I. it is required by law or a court order,
II. it is needed to establish, exercise, defend or pursue legal claims,
III. we consider it is necessary to ensure benefits are paid correctly,
IV. to deal with any queries relating to your benefits as they may arise after that time, and
V. to protect the rights of another natural or legal person.
After the retention periods have elapsed, we will store your information in an aggregated and anonymised format.
8. Your rights regarding the personal information you provide to us
You have certain rights in relation to the personal information we hold about you, which we detail below. Some of these only apply in certain circumstances as set out below. We also set out how to exercise those rights. Please note that we will require you to verify your identity before we respond to any of your requests. We must respond to a request by you to exercise those rights without undue delay and at the latest within one calendar month (although this may be extended by a further two months in certain circumstances). To exercise any of your rights, please complete the Data Subject Rights Request Form.
| Name of Rights | Right Description |
| --- | --- |
| Right of information | You have the right to know the personal information we hold about you, how we use it, who we share it with and how long we keep your personal data. |
| Right of access | You have the right to know whether we process your personal information, and if we do, to access information we hold about you, how we use it and who we share it with. If you require more than one copy of the information we hold about you, it is free of charge, unless we deem it necessary to charge you an administration fee. We may not provide you with certain personal information if providing it would interfere with a person’s rights and freedom (e.g., where providing the personal information would reveal information about another person) or where another exemption applies. Please see “How long will we keep your personal data”. |
| Right to rectification | The accuracy of the information we hold about you is important to us. Under the DPA 2018 and EU GDPR, you have the right to access the information we hold about you and have any inaccuracies corrected. Where you request correction, please explain in detail why you believe the personal data we hold about you to be inaccurate or incomplete so that we can assess whether a correction is required. Please note that whilst we assess whether the personal data we hold about you is inaccurate or incomplete, you may exercise your right to restrict our processing of the applicable data. |
| Right to erasure | This is also known as the “right to be forgotten”. Please see section 14.3 for more information about the circumstances in which you may request that we erase the personal data we hold about you. |
| Right to data portability | You have the right to receive a subset of the personal data we collect from you in a structured, commonly used, and machine-readable format and a right to request that we transfer such personal data to another third party. Please see section 14.1 for more information on the data we hold. If you wish for us to transfer the personal data to another third party, please ensure you detail that third party and note that we can only do so where it is technically feasible. We are not responsible for the security of the personal data or its processing once received by the third party. We also may not provide you with certain data if providing it would interfere with the rights and freedom of another person (e.g. where providing the personal data we hold about you would reveal information about another person or our trade secrets or intellectual property). |
| Restriction of processing to storage only | You have a right to require us to stop processing the personal data we hold about you other than for storage purposes in certain circumstances. Please note, however, that if we stop processing the personal data, we may use it again if there are valid grounds under data protection laws for us to do so (e.g. for the defence of legal claims or to protect the rights and freedom of another person). Please see “How long will we keep your personal data”. Please see section 14.4 for more information on the circumstances in which you may request that we stop processing and just store the personal data we hold about you. |
| Make a complaint | You have a right to lodge a complaint with relevant data protection supervisory authorities. In the UK, it is the Information Commissioner’s Office (ICO). |
9. Third Parties
We may share your personal data with a third party where it is necessary:
I. for the performance of the services you have requested,
II. for us to comply with our legal obligations, or
III. for our legitimate business interest.
10. Technical information (including cookies) that we collect about you
When you visit our website, we collect technical information about your computer, such as your internet protocol address (which is a number that can uniquely identify a specific computer on the internet), time zone setting, your login information, browser type and version, browser plug-in types and versions, operating systems and platforms.
We use cookies to collect information about your browsing activities over time following your use of our services. This allows us to recognise and count the number of users and to see how users navigate on our website when they are using it. This helps us to improve the services we provide to you and the way our website works.
11. Complaints
If you wish to make a complaint about how we process your personal data, please contact us using the contact details below and we will endeavour to deal with your request as soon as possible. This does not interfere with your right to raise a complaint with a relevant data protection supervisory authority.
12. Changes to our Privacy Notice
We keep this notice under regular review and may change it from time to time. When we make changes, the date at the bottom of this notice will be updated accordingly. Any amendment to this notice will be applied as of that date. We encourage you to check this from time to time for any updates or changes.
If you have any questions, comments, or requests regarding any aspect of this Notice, please do not hesitate to contact us as soon as possible at:
By email: dpqueries@brightwellpensions.com
By post: The Data Governance Officer,
One America Square,
17 Crosswall,
London
EC3N 2LB
14.1 Legal Bases of Processing
| Category of Personal Data | Purpose for Processing | Legal Basis of Processing |
| --- | --- | --- |
| Personal details such as your name, gender, age, date of birth, email address, postal address, telephone or mobile number and identifiers such as national insurance number | In relation to any correspondence for the purpose of administration of the Scheme; To notify you about our services and changes to our services; To conduct member satisfaction surveys; For internal record keeping; To verify your identity, to prevent and detect fraud and to comply with our legal and regulatory obligations | Performance of a contract as required; Legitimate interest to run an effective business |
| Personal details and family, lifestyle and social circumstances such as details about current marriage and partnerships and marital history, details of family and dependents | To carry out our obligations arising from any agreement that we have with, or concerning you and to provide you with the information, benefits and services that you request from us; Risk management including credit risk analysis and the insurance of longevity risks and related demographic risks | Performance of a contract as required; Legitimate interests to run an effective business |
| Personal details and employment details such as pensionable pay, length of service, employment and career history, recruitment and termination details, attendance record, health and safety records, security records, job title and job responsibilities, financial details such as income, salary, assets and investments, bank account details to process pension payments, benefits, grants and insurance details | Processing of data to calculate and pay benefits; To comply with any present or future law, rule, regulation, guidance, or directive, and complying with any industry or professional rules and regulations or any applicable voluntary codes; To comply with requests made by local and foreign regulators, governments, and law enforcement authorities, and complying with any subpoena or court process, or in connection with any litigation | Performance of a contract as required; Legitimate interests to run an effective business |
| Personal details and pension entitlement | To comply with and carry out your instructions in relation to your benefits and investment choices including in relation to additional voluntary contributions and voluntary deductions (e.g. charities and trade unions) where applicable | Performance of a contract; Legitimate interests to run an effective business |
| Personal details and details in relation to your physical and mental health | Compliance with our legal obligations; Necessary for carrying out our legal obligations in the field of social security law | Legitimate interests to run an effective business; Explicit consent |
| Technical information and other information about your visits to our website/Pensions Portal | To improve the services we provide to you and the way our website and Pensions Portal works | Legitimate interest to ensure our website and Pensions Portal is operating effectively |
| Voice recordings of calls made to or from Brightwell | For training and quality purposes to improve the services we provide to you | Performance of a contract; Legitimate interests to run an effective business |
14.2 Who Do We Share Your Personal Data With
Who do we share your personal data with:
- Our affiliate companies to manage and administer the Scheme and your pension.
- IT Services providers, including but not limited to identification & verification services, cloud-based voice, contact centre, risk software, member communications, satisfaction surveys, member feedback and Google Analytics.
- Cloud and other data storage providers, to store the personal data you provide and for disaster recovery services, as well as for the performance of any contract we enter into with you.
- External printing and office support providers, such as postal and scanning services.
- Payment providers including banks, located in the UK and, if you are not resident in the UK and are in receipt of a pension, the country of your residence.
- Insurance companies and their affiliates with member data being retained within EEA.
- External providers of additional voluntary contribution funds only if you have chosen to make such contributions.
- Annuity provider, to provide annuity quotes for members who hold residual additional voluntary contributions.
- UK trade unions you are a member of, if you have chosen to make contributions to a trade union from your pension receipts. Other voluntary deduction societies, only if you have chosen to make such deductions directly from your pension receipts.
- Legal and other professional advisers located in UK / EEA, to provide us with legal and other professional services (who in certain circumstances will also be ‘data controllers’).
- Actuarial administration and consultancy services providers located in UK / EEA (who in certain circumstances will also be ‘data controllers’).
- The Pensions Advisory Service and the Pensions Ombudsman, to deal with complaints and resolve disputes.
- HMRC, to account for payments made to you, and other government agencies when requested, for example but not limited to court production orders, fraud investigations.
- Financial Advisers if you have given us authority to share data to enable them to provide you with financial advice.
- Independent audit bodies for the purpose of financial and organisational reporting, and maintenance of certifications and standards.
- Member or beneficiary tracing services.

We will share your information with law enforcement agencies, public authorities or other organisations if legally required to do so, or if we have a good faith belief that such use is reasonably necessary to:
- Comply with a legal obligation, process, or request.
- Enforce our terms and conditions and other agreements, including investigation of any potential violation thereof.
- Detect, prevent, investigate, or otherwise address security, fraud or technical issues; or
- Protect the rights, property or safety of us, our users, a third party or the public as required or permitted by law (exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction).

We will also disclose your information to third parties:
- If we sell any business or assets, in which case we will disclose your data to the prospective buyer of such business or assets; or
- If we or a significant number of our assets are acquired by a third party, in which case information held by us about our users will be one of the transferred assets.
14.3 Your Right to Erasure
You may request that we erase the personal data we hold about you in the following circumstances:
- You believe that it is no longer necessary for us to hold the personal data we hold about you.
- We are processing the personal data we hold about you based on your consent (please contact us via our contact details above), and you wish to withdraw your consent and there is no other ground under which we can process the personal data.
- We are processing the personal data we hold about you based on our legitimate interest (please contact us via our contact details above), and you object to such processing. Please provide us with details as to your reasoning via our contact details above so that we can assess whether there is an overriding interest for us to retain such personal data; or
- You believe the personal data we hold about you is being unlawfully processed by us.

Also note that you may exercise your right to restrict our processing of the data whilst we consider your request as described below.
Please provide as much detail as possible on your reasons for the request to assist us in determining whether you have a valid basis for us to erase your personal data. Please note, however, that we may retain the personal data if there are valid grounds under law for us to do so (e.g., for the defence of legal claims or freedom of expression) but we will let you know if that is the case.
Where you have requested that we erase your personal data that we have made public and there are grounds for erasure, we will use reasonable steps to try to tell others that are displaying the data or providing links to the data to erase the personal data too.
14.4 Restriction of Processing to Storage Only
You have a right to require us to stop processing the personal data we hold about you other than for storage purposes in certain circumstances. Please note, however, that if we stop processing the personal data, we may use it again if there are valid grounds under data protection law for us to do so (e.g. for the defence of legal claims or to protect the rights and freedom of another person).
You may request we stop processing and just store the personal data we hold if:
- You believe the personal data is not accurate for the period it takes for us to verify your claim.
- We wish to erase the personal data as the processing we are doing is unlawful, but you want us to retain the personal data for storage but not further process it.
- We wish to erase the personal data as it is no longer necessary for our purposes, but you require it to be stored for the establishment, exercise, or defence of legal claims; or
- You have objected to us processing personal data we hold about you based on our legitimate interest (please contact us via our contact details above), and you wish us to stop processing the personal data whilst we determine whether there is an overriding interest in us retaining such personal data.

You may object where:
- We are processing the data we hold about you based on our legitimate interest or public interest (please contact us via our contact details above), and you object to such processing. Please provide us with detail as to your reasoning so that we can assess whether there is a compelling overriding interest in us continuing to process such data or we need to process it in relation to legal claims. Also note that you may exercise your right to request that we stop processing the data whilst we make the assessment on an overriding interest by ticking the box for that purpose on the Data Subject Rights Form.
- We are processing the data based on historical/scientific research or statistics and you have a particular reason to object. Your right would not apply where we have been tasked with and it is necessary for us to undertake such processing in the public interest.
14.5 Transfer Mechanism
- Model Clauses: The personal data that we collect from you will be transferred to, stored at and/or processed by the relevant recipient under a written agreement incorporating the EU Commission’s model clauses for the transfer of personal data to third countries (the “Model Clauses”), pursuant to Decision 2010/87/EU. A copy of these Model Clauses is available upon request.
- Please see section “Contact” of this Privacy Notice on how to request a copy.