Hymans Robertson LLP is committed to protecting and respecting your privacy.
We provide administration and other services to UK pension schemes and local government pension funds.
Under data protection laws, the trustees of your pension scheme or administering authority of your local government pension fund are the data controllers of your personal data in most cases. This means they are generally responsible for deciding what information to collect about you and how it is used.
In some situations, we’re the data controller. For example, when we record calls to our administration telephone lines or carry out biometric identity verification. In other situations, both we and the trustees or administering authority will be data controllers, for example when we provide actuarial consulting services to them.
This privacy notice explains these situations in more detail. It explains what personal data we collect about you, how and why we use it, who we disclose it to, and how we protect it. It also tells you about your rights.
It applies to you if:
If you’re a corporate or business client or contact, please instead review our corporate privacy notice at https://www.hymans.co.uk/information/privacy-notice/.
Your scheme or fund privacy notice
Your scheme or fund also has its own privacy notice, which you can obtain from the trustees or administering authority. It explains what information the scheme or fund collects about you, how it’s used and what information is shared with us. The trustees or administering authority are separately responsible for complying with data protection laws when processing your personal data in connection with the scheme or fund.
What is personal data?
Personal data broadly means any information about a living individual who can be identified from that information directly, or indirectly (for example if it is combined with other available information).
1. What personal data we collect, how we use it, and why it’s lawful
What we do |
What personal data do we collect or process? |
How do we use your personal data? |
What is the lawful basis for processing my personal data? |
Recording calls to and from our administration telephone lines
For more information please read our call recording privacy statement. |
We’ll collect a recording of the conversation, your phone number, the date and time of the call and your personal details, in order to identify you. |
We’ll use call recordings to assist in quality monitoring, to investigate and resolve a complaint or dispute and for the detection, investigation and prevention of crime (including fraud).
We may be asked to share a call recording with the trustees of your pension scheme.
We may also share recording where necessary for law enforcement, investigation of fraud, criminal or court proceedings or at the request of a regulator or ombudsman, for example the Financial Conduct Authority, the Pensions Regulator or the Pensions Ombudsman. |
Recording calls is necessary for our legitimate interests.
These include protecting you, us and our staff and complying with FCA consumer duty rules.
Because we’re regulated by the UK’s Financial Conduct Authority (FCA) we’re under a duty to act in a way that helps to protect consumers, which includes pension scheme members and beneficiaries. This is known as “consumer duty”.
As part of our consumer duty, we record telephone calls to and from our administration telephone numbers. |
Verifying your identity using IDScan
For more information please read the information leaflet and FAQs we’ve sent to you with your invitation to use IDScan.
GBG Group plc provide the IDScan software, and they are a separate data controller. Please read their privacy notice for more information about how GBG uses your personal data. You can find it at www.gbgplc.com/en/legal-and-regulatory/products-services-privacy-policy/
In particular, the section headed “Biometrics Notice” explains how the technology works. |
We’ll collect the personal data appearing on your identity documents and your selfie photograph. We’ll use this information to check your identity and the validity of your identity documents.
We’ll also perform a “passive liveness check”. This means comparing the image on your photo ID with your selfie.
This is called biometric data because it relates to your physical characteristics, is processed using technical means and uniquely identifies you. |
We’ll use this information to check your identity and the validity of your identity documents.
We’ll perform the “passive liveness check” to confirm that a live human being is using IDScan and that it’s you. |
When you claim your pension scheme benefits, the scheme’s trustees need to verify your identity. This is because they have an obligation to make sure benefits are paid to the right people.
If we ask you to verify your identify using IDScan, we will ask for your consent for this purpose.
As we are also processing biometric data we also ask separately for your explicit consent for this processing.
If you don’t consent, you won’t be able to use IDScan. We’ll have to verify your identity another way. For example, you might need to post your ID documents to us. This will take longer.
You can withdraw your consent at any time. Please see “Your rights” below.
|
Providing actuarial advice and other professional services to your pension scheme or fund |
We need personal details including name, address, date of birth, sex, marital status and NI number. We also need employment membership details, including length of service, salary, pension contributions and benefits paid. In some cases, we need limited health information, for example whether retirement was due to ill health – this is sometimes referred to as special category data. |
We’ll process this information to provide actuarial and other professional services to the scheme or fund.
This includes things like calculating the value of the pension scheme or fund, calculating benefits for members and advising on how much money the pension scheme or fund needs to pay all of the benefits.
We may also help the scheme or fund to manage its risk by transferring some of the liabilities to others, for example insurance and reinsurance companies, so we may share personal data with them for that purpose.
For some private sector pension schemes, one of our qualified actuaries may be personally appointed by the trustees as the scheme actuary. This is a special position under the Pensions Act 1995. Although the scheme actuary works for Hymans Robertson, he or she provides advice independently to the trustees. |
We process your personal data for our legitimate interests, which are to provide services to the scheme or fund.
The trustees or administering authority also have a legitimate interest or legal obligation to manage the scheme or fund and its liabilities to comply with the law and to ensure members get their benefits.
If we process special category data (for example, relating to health), we rely on the exemptions under the Data Protection Act 2018 in connection with health and social protection (which includes pensions) and in connection with occupational pension schemes.
If you would like more information about these responsibilities, please read this document if you’re in a private sector pension scheme or this document if you’re in a local government pension fund. |
Record keeping |
We’ll retain a copy of the personal data provided to us by the scheme’s trustees or fund’s administering authority after our services agreement with them ends.
This includes a copy of all membership information, records of transactions and processes carried out on their behalf, and the work we do for them.
Your scheme or fund privacy notice describes in more detail the information that we may hold on behalf of the scheme or fund.
Please also see the section headed “How long will you keep my personal data?” |
We’ll keep records to meet our audit, professional and regulatory obligations. For example, we may need to provide evidence to an auditor or regulator about something that’s happened in the past.
We may also need this information to help us defend against legal claims about something that’s happened in the past. |
We’ll keep this information because it’s in our legitimate interests to do so.
These are to meet our audit, professional and regulatory obligations and to defend against legal claims. |
Dealing with regulators |
Your personal data we hold in connection with the pension scheme or fund, as professional advisers or scheme administrators.
Please refer to your scheme or fund privacy notice to understand more about what personal data we hold on behalf of the pension scheme or fund. |
Where we receive a request from a regulator, for example the Financial Conduct Authority or the Pensions Regulator, we may disclose to them any of your personal data that we hold in connection with the pension scheme or fund, and which is relevant to the request. |
It's in our legitimate interests to deal openly and transparently with regulators and to comply with relevant regulations, rules and guidance.
We may have a legal obligation to disclose your personal data in certain circumstances, for example if a regulator uses a statutory power to request information. |
We’ll keep the amount of personal data we collect to the minimum needed.
We don’t use any form of automated decision-making (including profiling) which could have a negative impact on you.
2. Sharing your personal data with others
Sometimes we need to share your personal data with others.
We’ll only do this for the purposes explained in this privacy notice and we’ll take steps to ensure they keep the information secure and confidential and use it only for the agreed purposes.
We may share your personal data with the following:
Some of these may be located outside the UK, where data protection laws are different. However we’ll ensure that we comply with data protection laws when making any transfers outside the UK (for example, by signing appropriate contracts) to make sure your personal data is protected. Please contact us if you would like more details about transfers outside the UK.
3. How we protect your personal data
We use up to date technologies and systems to protect your personal data from unauthorised disclosure or damage or misuse. We ensure that our staff receive regular, appropriate training about information security and data protection. We meet the ISO27001 standard for information security management systems and we also have Cyber Essentials certification.
We regularly review all our systems, policies and technologies to ensure that these continue to work effectively to protect your personal data.
Click here to access more information about information security and privacy on our Trust Centre.
4. How long we keep your personal data
We’ll keep your personal data for as long as we’re using it for the purposes explained in this notice.
When we no longer need it, we’ll archive your personal data after a certain period (usually 7 years), and then delete it permanently after an additional period (usually 13 years).
We set these periods according to a range of factors, including the requirements of our contracts with pension schemes local government pension funds, statutory and regulatory requirements, and the time limits on legal claims. This is for our protection and yours.
We may in certain circumstances need to hold your personal data for longer, for example in relation to a legal dispute or because of regulatory requirements. We’ll let you know if this is the case.
5. Your rights
You have a number of rights under data protection laws. These are to:
You also have the right to:
How do I exercise my rights?
If you would like to make a request to access or correct your personal data, or to exercise any of your other rights, you can contact us at any time using the details set out under Contacting us (section 6).
We’ll respond to your request within one month from the date we receive it.
Please note that some of your rights are restricted, and apply only in certain circumstances. For example, we may refuse to delete your personal data while we need it for a valid purpose, including to defend any potential legal claims. We’ll explain in our response our reasons if we are unable to meet your request in full or in part.
To find out how to make a complaint to the Information Commissioner’s Office, see Contacting the Information Commissioner’s Office (section 7).
6. Contacting us
You can find contact details in correspondence we’ve sent you, or you can email: IdentityVerification@hymans.co.uk. You can also write to us at: Hymans Robertson, One London Wall, London, EC2Y 5EA.
If you have any queries about how we use your personal data, you can contact the Data Protection Officer through any of the following means:
By Post: Hymans Robertson, Exchange Place One, 1 Semple Street, Edinburgh, EH3 8BL
By email: dataprotection@hymans.co.uk
By Phone: 0131 656 5000
7. Contacting the Information Commissioner's Office
The Information Commissioner’s Office (ICO) is the UK's independent body set up to uphold information rights. You can find out more about the ICO on its website.
You can contact the ICO on 0303 123 1113, or by writing to:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Or visit contact us section of the ICO's website for more information.
8. Changes to this privacy notice
This privacy notice is current as at 28 June 2024. We may make changes from time to time and you should regularly check for updates.