Pensions

Pensions and data protection

Privacy notice for the members and beneficiaries of the London Borough of Hillingdon Pension Fund.

As the Administering Authority of the fund, we hold certain information about you ("personal data") which we need in order to administer the fund.

We have summarised some of the key ways in which we deal with this information below. Further information can be found in the Pensions privacy notice (PDF) [171KB] .

What personal data do we hold?

The types of data we hold and process will typically include:

  • contact details, including name, address, telephone numbers and email address
  • identifying details, including date of birth and national insurance number
  • information relating to your benefits in the Fund, including length of service or membership and salary
  • other information in relation to your membership of the Fund or to enable the calculation or payment of benefits, for example bank account details
  • information about your family, dependents or personal circumstances, for example, marital status and information relevant to the distribution and allocation of benefits payable on death
  • information about your health, for example, to assess eligibility for benefits payable on ill health, or where your health is relevant to a claim for benefits following the death of a member of the fund
  • information about a criminal conviction if this has resulted in you owing money to your employer or the Fund and the employer or Fund may be reimbursed from your benefits.

We obtain some of this personal data directly from you.  We may also obtain data from your employer (for example, salary information)and from other sources including public databases.

What will we do with your personal data?

We will use this personal data to administer the Fund and to calculate and provide you (and, if you are a member of the Fund, your beneficiaries if you die) with benefits. We will also use this personal data for statistical and financial modelling and reference purposes (for example, when we assess how much money is needed to provide members' benefits and how that money should be invested), and to comply with our legal obligations.

From time to time we will share your personal data with third parties, including our contractors, advisors, government bodies and dispute resolution and law enforcement agencies and insurers in order to comply with our obligations under law, and in connection with the provision of services that help us carry out our duties, rights and discretions in relation to the Fund. These organisations are listed in the full Privacy Notice.

In some cases these recipients may be outside the UK. If this occurs, we will make sure that appropriate safeguards are in place to protect your data in accordance with applicable laws.  Please use the contact details below if you want more information in connection with this.

What is the legal basis for our use of your personal data?

The legal basis for our use of your personal data will generally be 1 or more of the following.

  1. We need to process your personal data to satisfy our legal obligations as the administering authority of the fund.
  2. We need to process your personal data to carry out a task in the public interest or in the exercise of official authority in our capacity as a public body.
  3. We need to process your personal data for the legitimate interests of administering and managing the Fund and liabilities under it, calculating, securing and paying benefits and performing our obligations and exercising any rights, duties and discretions the Administering Authority has in relation to the fund.
  4. We need to process your personal data to meet our contractual obligations in relation to the fund (for example, under an agreement that you will pay additional voluntary contributions to the fund), or to take steps, at your request, before entering into a contract.

How long will we hold your data?

We will only keep your personal data for as long as we need it to administer the Fund and to deal with any questions or complaints that we may receive about this, unless the law requires us to keep it for a longer period. In practice, this means that your personal data may be retained for as long as you (or any beneficiary who receives benefits after your death) are entitled to benefits from the Fund and for a period of 15 years after those benefits stop being paid. For the same reason, your personal data may also need to be retained where you have received a transfer, or refund, from the Fund in respect of your benefit entitlement.

Your rights

You have a right to access and obtain a copy of the personal data that we hold about you and to ask us to correct your personal data if there are any errors or it is out of date.  In some circumstances you may also have a right to ask us to restrict the processing of your personal data until any errors are corrected, to object to processing or to transfer or (in very limited circumstances) erase your personal data.  You can obtain further information about these rights from the Information Commissioner's Office at: www.ico.org.uk or via their telephone helpline (0303 123 1113).

If you wish to exercise any of these rights, please contact the Fund Administrator below. You also have the right to lodge a complaint in relation to this summary notice, the full Privacy Notice or our processing activities with the Information Commissioner's Office, which you can do through the website above or their telephone helpline.

We may from time to time ask for further information from you.  If you do not provide such information, or ask that the personal data we already hold is deleted or restricted, this may affect the benefits payable to you under the Fund. In some cases it could mean that we are unable to put your pension into payment or have to stop your pension (if already in payment).

Contacting us

Please write to the fund administrator for further information:

Pensions
Hilingdon Council 
Civic Centre (4W/02)
High Street
Uxbridge
UB8 1UW

You may also contact our data protection officer for further information:

Glen Egan
Data Protection Officer
Civic Centre
High Street
Uxbridge
UB8 1UW

Email: GEgan2@hillingdon.gov.uK
Telephone: 01895 250617

What is the GDPR?

The General Data Protection Regulation (GDPR) is a new set of European Union (EU) regulations due to come into force on 25 May 2018. It will change how organisations process and handle data, with the key aim of giving greater protection and rights to individuals.

What laws currently govern data protection in the UK?

Currently in the UK the Data Protection Act 1998 sets out how your personal information can be used by companies, government and other organisations. The GDPR will replace the Data Protection Act 1998 when it comes into force on 25 May 2018.

Will the GDPR still apply to the UK after Brexit?

The UK is in the process of implementing a new Data Protection Bill which largely includes all the provisions of the GDPR. There are some small differences, but once the Bill has passed through Parliament and become an Act, UK law on data protection will largely be the same as that of the GDPR.

So what's new?

There are new and extended rights for individuals in relation to the personal data an organisation holds about them, for example, an extended right to access and a new right of data portability. You can obtain further information about these rights from the Information Commissioner's Office at: or via www.ico.org.uk their telephone helpline (0303 123 1113).

In addition, organisations will have an obligation for better data management and a new regime of fines will be introduced for use when an organisation is found to be in breach of the GDPR.

What are the main principles of the GDPR?

The GDPR states that personal data must be:

  • processed lawfully, fairly and in a transparent manner
  • collected only for specified, explicit and legitimate purposes
  • adequate, relevant and limited to what is necessary
  • accurate and kept up to date
  • held only for the absolute time necessary and no longer
  • processed in a manner that ensures appropriate security of the personal data.

What is personal data?

The GDPR applies to 'personal data' meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

How will the GDPR affect LGPS members? 

The London Borough of Hillingdon Pension Fund already has procedures in place which comply with similar data protection principles under the Data Protection Act 1998. The new regulations will reinforce these existing requirements, and members are unlikely to notice a change in the service they receive from the London Borough of Hillingdon Pension Fund.

How will members know that their LGPS fund is GDPR compliant?

The London Borough of Hillingdon Pension Fund have updated our privacy notice in line with the new requirements setting out, among other things, why certain data is held, the reason for processing the data, who they share the data with and the period for which the data will be retained. Within the notice, members will also be provided with additional information about their rights under the legislation.

Why do LGPS funds hold personal data?

LGPS funds require various pieces of personal data provided by both the individual member and their employer in order to administer the pension scheme. This data includes, but is not limited to, names, addresses, National Insurance numbers and salary details which are required to maintain scheme records and calculate member benefits.

Who do LGPS funds share personal data with?

On occasion, LGPS funds are required to share personal data with third parties in order to meet regulatory and government requirements, to gather necessary information for the accurate payment of member benefits and to ensure scheme liabilities are met. Each fund's privacy notice will set out who they share data with; this is likely to include bodies such as scheme employers, fund actuaries, auditors and HMRC.    

Can LGPS members ask for their data to be deleted?

The GDPR provides individuals with the 'right to be forgotten' in certain limited circumstances. However, in practical terms the exercise of this right in relation to LGPS funds is limited as the deletion of data can prevent the fund from carrying out its duties. LGPS funds are required to process personal data to comply with legal obligations under pension legislation, therefore, the 'right to be forgotten' is unlikely to apply to data held by LGPS funds.

What happens if there is a data breach?

Data breaches are a rare occurrence within LGPS funds. However, should a security breach concerning a member's personal data occur that is likely to result in a risk to that member's rights and freedoms, there will be a direct obligation under the GDPR for the fund to inform the Information Commissioners Office within 72 hours of the breach taking place. 

Further information:

LGPS Employer Data Retention Template - McCleod Case Remedy  

McCloud/Sargeant judgement allowance

It has been noted by the Government in its 15 July 2019 statement, that it expects to have to amend all public service pension schemes in light of the judgement, including the LGPS. However, any remedy will either be imposed by the Employment Tribunal or negotiated and applied to all schemes, so it is not yet clear how this judgement may affect LGPS members' benefits. The outcome of McCloud/Sargeant case is likely to mean changes to the LGPS benefit structure. However, decisions on the scope, extent and nature of the remedy will be largely driven by the views of government lawyers. More details and further updates of this case can be found on the Scheme Advisory Board (E&W) website.

Employer responsibilities

It is most likely the remedy will involve the extension of some form of underpin to members in scope who are not currently offered protection. Therefore, a full history of part time hour changes and service break information from 1 April 2014 may be needed in order to recreate final salary service. 

Employers will be responsible for providing payroll information and other data to the Administering Authority, even if those services are outsourced. The template includes a suggested form of data retention policy for adoption by individual employers in relation to their participation in the London Borough of Hillingdon Pension Fund. Data Retention templates can be found at: http://www.lgpsregs.org/resources/guidesetc.php

The LB Hillingdon Pension Fund retention policy [232KB]

Page last updated: 12 Aug 2022