PRIVACY NOTICE – PENSION BENEFICIARY PERSONAL DATA

1. ABOUT THIS NOTICE

You are receiving this notice because Crown Agents Bank Limited (“CAB”, “we” or "our" within this notice), has a contract for services with your pension provider which results in CAB having access to personal data belonging to you.  The purpose of this notice is to make you aware of how and why CAB will process your personal data. 

For the purposes of this notice, CAB will be classified as a “data controller” as defined within the UK General Data Protection Regulation or “GDPR”. This means that we are responsible for how we use the personal data we hold about you. Your pension provider is also a data controller with respect to your personal data.

In relation to Proof of Life services, unless the consent request states otherwise, CAB will be classified as a “data processor”, and your pension provider will be acting as the data controller. This means that in relation to the Proof of Life services, your pension provider is responsible for how we use your personal data.

CAB will only use your personal data for the purposes set out in our contract with your pension or other payment provider, for example to:

  • Make payments to you at regular periods as agreed with our client;

  • Assess your continued eligibility to receive payments through a “Proof of Life” process;

  • Evidence our performance of the contract through the keeping of records;

  • Comply with our legal and regulatory obligations as a UK-based bank.

If you have any questions about this privacy notice or you wish to exercise your privacy rights as set out in this notice, please contact our Data Protection Officer using the contact details set out below.

2. DATA PROTECTION PRINCIPLES

We will comply with data protection law and principles as set out in the GDPR, which means that your personal data will be:

  • Used lawfully, fairly and in a transparent way;

  • Collected only for valid purposes that we have clearly explained to you, and not used in any way that is incompatible with those purposes;

  • Adequate and relevant to the purposes we have told you about and limited only to those purposes;

  • Accurate and kept up-to-date;

  • Kept only for as long as necessary for the purposes we have told you about;

  • Stored securely.

3. THE PERSONAL DATA WE COLLECT ABOUT YOU

We will collect the following information about you:

  • Your name and contact details (i.e. address, phone numbers, email address);

  • Your identification details (i.e. date of birth, gender, images of and details contained in ID documents such as passport);

  • Your national insurance or other social security number;

  • Your personal bank details;

  • Your pension entitlement;

We may also collect a limited amount of personal information classified as "special category data", for example certain biometric information such as images and liveness checks, if you use the facial authentication service in the EMpower Pensions Portal.

4. HOW WE COLLECT THE INFORMATION

In the first instance, personal data will be collected from your pension provider, who will share your personal data to enable us to perform our contractual obligation to provide services to you. We may also collect personal data directly from you in the course of our performance of the contract, including through the EMpower Pensions Portal.

5. IF YOU FAIL TO PROVIDE YOUR PERSONAL DATA

If you fail to provide your personal data when requested, we may not be able to perform our contract with your pension or payment provider (such as making payments to you or your estate) or we may be prevented form complying with our legal obligations, such as making payments to you or your estate, or providing the Proof of Life services.

6. WHY WE COLLECT, AND HOW WE WILL USE YOUR PERSONAL DATA

 We will typically collect and use this information for the following purposes:

  • To make payments to you;

  • To assess whether you remain entitled to receive pension or other payments;

  • To communicate with you about your entitlement to receive pension or other payments, and to update you as to any changes to amount or frequency;

  • To make statutory deductions at source from your pension payments;

  • On your death, to make payments to an estate or recover monies from an estate if overpayments have been made; and

  • to provide you with tax documentation.

The law requires CAB to have a legal basis for processing personal data. We rely on one of the following legal basis to use your personal data:

  • where you have given us your consent.

  • where it is necessary for compliance with a legal obligation; and

  • where it is necessary for the purposes of our legitimate interests (or those of a third party), but only if these are not overridden by your interests, rights or freedoms.

We will use your personal data for the purposes of our legitimate interests where the use of your personal data is necessary:

  • to further our business and commercial activities and objectives, or those of a third party, e.g. to provide our products and services and produce management information on our performance and the performance of third parties;

  • to assist your pension provider in respect of the administration, governance and evaluation of a pension scheme, including pension planning services for employees;

  • to help us better understand our customers and improve our customer engagement including by carrying out marketing analytics and profiling, e.g. by making certain predictions and assumptions about your interests;

  • to comply with our legal and regulatory obligations, guidelines, standards and codes of conduct, e.g. background checks or the prevention, detection and investigation of financial crime or fraud;]

  • to retain records for a period of time in order to ensure we have appropriate records in place in respect of any future claims that may be made against us;

  • to safeguard our business, shareholders, employees and customers, or those of a third party, e.g. maintaining the security of our IT network and information, enforcing claims, including debt collection;

  • to facilitate the purchase, sale, transfer or disposal of any part of our business; and

  • to analyse and assess competition in the market for our products services, e.g., by carrying out market research.

We seek to ensure that our information collection and processing is always proportionate. We will notify you of any changes to information we collect or to the purposes for which we collect and process it.

7. HOW WE WILL USE ANY SPECIAL CATEGORY DATA

We will use any special category data you provide to us strictly for the purpose of performing our obligations under our contract with your pension or other payment provider.

Where you provide us with biometric data in the EMpower Pensions Portal, we rely on your explicit consent to collect and process this data. You may withdraw your consent at any time by contacting us at PensionsServices@crownagentsbank.com.

8. PROVIDING INFORMATION TO THIRD PARTIES

 We will share your information with your pension or other payment provider, in connection with our obligation to make payments to you, and in order for both parties to verify that your personal data remains up-to-date. 

If you are resident in the UK, we will share your data with  our screening service provider who carries out “Proof of Life” screening for us as an outsourced provider.

If you use the facial authentication proof of life service through EMpower Pensions Portal, we will share your data with our facial authentication provider, who carries out the facial authentication service for us as an outsourced provider.

We may also share your data with administrative service providers, such as printing service providers which produce printed copies of mail communications. 

We ensure that any third-party service providers we use are required to take appropriate security measures to protect your personal data in line with our policies and we only permit them to process your personal data for specified purposes and in accordance with our instructions. We will never share any of the information you provide to us with any third parties for marketing purposes.

9. TRANSFER OF YOUR PERSONAL DATA OUT OF THE EEA

If you are resident in the UK or EEA, we will not transfer your personal information to countries or entities located outside the UK or EEA in order to perform our obligations to our client and to make payments to you.

If you are resident outside of the UK or EEA, we will send you written communications in relation to your pension or other payments which will contain items of personal data, such as your name and your address. We will not send such communications to any third parties located outside the UK or EEA, except for your pension or other payment service provider where relevant. In such cases, if the third party is located in a country outside the UK or EEA that has not received a binding adequacy decision by the UK Information Commissioner’s Office (“ICO”), CAB will comply with the GDPR’s requirements in respect of such transfers, including the execution of the standard contractual clauses prescribed by the ICO from time-to-time where required.

10. DATA RETENTION

We will retain your personal information for a period of up to 7 years following the end of your entitlement (or the entitlement of your spouse or other dependent) to receive pension or other payments. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have complied with our obligations under our contract with your pension or other payment services provider, or that we have treated your information in a fair and transparent way. After this time, we will securely destroy your personal information in accordance with our data retention policy.

Where we collect and process your biometric information under the Proof of Life services, we will retain your personal information for a period of up to 3 months. After this time, we will securely destroy your personal information in accordance with our data retention policy.

11. DATA SECURITY

We have put in place security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a data breach where we are legally required to do so.

12. PROCESSING IN LINE WITH YOUR RIGHT UNDER THE GDPR

Under certain circumstances, by law, you have the right to:

  • Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;

  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;

  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);

  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground;

  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;

  • Request the transfer of your personal information to another party.

  • Withdraw consent in the limited circumstances you have provided your consent to the collection and use of your personal data.

  • Complain to the Information Commissioner's office which is the supervisory authority in the UK.

13. DATA PRIVACY MANAGEMENT

We have appointed an internal team to oversee compliance with this privacy notice.  If you have any questions about this privacy notice or how we handle your personal information, please contact us in the first instance: email: DataProtection@crownagentsbank.com; telephone: +44 (0)20 3903 3000.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact us in writing at: DataProtection@crownagentsbank.com, or

Data Protection
Crown Agents Bank
3 London Bridge St,
London,
SE1 9SG,
UK

14. BREACHES OF DATA PROTECTION PRINCIPLES

We hope that we can resolve any query or concern you raise about our use of your information. If not, contact the Information Commissioner at https://ico.org.uk/concerns/ or telephone: 0303 123 1113 for further information about your rights.