Your privacy matters to us, so you can be confident that we take good care of all the personal data we hold about you. One of the ways we do this is by adhering to the requirements and principles of data protection legislation. In this privacy notice we explain the reasons we handle your personal data, what happens to it and your rights in relation to it.
- Data controller
Controller name: The Board of the Pension Protection Fund (PPF)
Data Protection Officer
12 Dingwall Road
- What personal data we collect
We have separate privacy notices for PPF members and FAS members which explain how we use our members’ personal data. We collect the following data, which we’ve grouped into broad categories, about other individuals:
- contact details – name, address, email address, telephone number(s)
- online activity – IP address, pages accessed
- social media – username, profile, posts
- images – photographs, surveillance camera (CCTV) footage
- assessment data – job applications, candidate scoring, interview notes, test results, results of criminal record checks, references, contractor CVs, notes on performance of contractors
- sensitive data - racial or ethnic origin, religious or philosophical beliefs, health, sexual orientation
- identity checks – proof of identity (copy of passport, driving licence, utility bills, etc.), proof of entitlement to act on a member’s behalf (e.g. power of attorney)
- interaction records – correspondence (letters, emails, etc.), recordings and notes of telephone calls, online transactions, survey responses.
- Why we use your personal data
The PPF has a very specific function: to pay compensation or provide assistance whilst providing excellent customer service to our members. All the reasons that we use your personal data are designed to enable us to do that.
The Pensions Act 2004 set up the PPF and most of the time is the reason why we need to use your personal data. Either complying with our legal obligations in the Act or providing an excellent service to you would not be possible without using your personal data.
Below we provide details of the different ways that your personal data is used and our lawful basis for using it. Beneath each explanation, we have set out which of the categories of personal data listed above is affected and details of why the data is shared with third parties in support of that activity.
There are specific circumstances where it is necessary for third parties to have access to your data. Where this is the case we ensure that appropriate contractual, technological and other safeguards are in place:
- We will disclose your personal data if required to by law. For example, to Her Majesty’s Revenue and Customs (HMRC) for tax purposes or to the police for the prevention or detection of crime. Regulators, such as the Information Commissioner (ICO), also require us to share information on occasion.
- Like most organisations we rely on companies to support our services, and in some cases they will need to collect, access or handle your personal data. For example, increasingly our IT infrastructure operates in the cloud, which means that suppliers store data for us. Suppliers and their employees are only allowed to access or handle personal data with our permission and where it is strictly necessary for them to fulfil their contract with us. In some cases they will appoint sub-contractors and where this is the case, suppliers will be expected to ensure they are subject to the same requirements. A table at the end of this privacy notice lists the main suppliers who process personal data for us (including accessing, collecting or storing it).
Website and online activity
If you consent to performance cookies when you visit our website we use a third-party service to collect standard internet log information and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of the site. This information is only processed in a way that does not directly identify anyone. We do not make, and do not allow our provider to make, any attempt to find out the identities of those visiting our website. We use the information to report on visitor numbers, and to make improvements to our website. We also use a provider to ensure that our website remains secure and that suspicious traffic is blocked. This requires IP addresses to be processed by our provider. If you have consented to ‘targeting cookies’ a cookie is placed when you visit our recruitment page which is used to ensure that you are kept up-to-date with details of relevant jobs at the PPF via Facebook. You can find out more about the cookies that we use on our cookies page.
Cookies allow you to consent to our use of data for analytics and to place targeting cookies for recruitment. We need to use your IP address for our legitimate interest of keeping our website secure.
- Type of personal data: online activity
- Data sharing: website analytics provider; web security provider; social media promotion of vacancies
Media and stakeholders
Where you make a media enquiry to our Press Office we’ll process your personal data to respond to your request. In some circumstances we collect personal data from publicly available sources such as social media or acquire personal data from commercial databases. This data may be used in a number of different ways to support our statutory functions. Examples include for intelligence purposes and for us to send communications to journalists and other key industry stakeholders. On occasion, we, or an authorised third party, may contact you for research purposes so that we can improve our services and better meet the needs of our members.
It’s in the public interest that we use personal data to promote our statutory role, respond to media enquiries and ensure information about the PPF in the public domain does not mislead the public or our stakeholders.
- Type of personal data: contact details; social media; interaction records
- Data sharing: social media portal; research bodies; public relations provider
Responding to your enquiries and complaints and assessing the quality of our customer service
If you are a member, please read the PPF members’ or FAS members’ privacy notice for details of how your data is used when you make an enquiry. The following relates to enquiries and contact from other stakeholders such as trustees of eligible schemes.
If you’ve contacted us to make an enquiry or complaint we’ll hold your personal data so that we can deal with it. This includes if you complete a form on our website such as a section 120 or section 122 notification. We don’t need to collect a lot of information but we need to know who you are, what you’ve asked and how we can reply to you.
If you speak to our switchboard or our Member Services teams by telephone, we record all calls made to us for training and compliance purposes, to improve our customer service and to verify information provided to us. You may be asked if you’re willing to complete a survey at the end of the call, and if you agree, we’ll keep a record of your responses. You may be asked to complete an online survey following the resolution of your enquiry or complaint. We also contact a sample of our contacts for eligible schemes every 18 months to ask if you are willing to complete a survey for the Institute of Customer Service.
We conduct research of our stakeholders’ views which means that we or one of our suppliers may contact you. If you’d prefer not to receive communications of this nature, please let us know.
There is a public interest in us responding to enquiries and complaints and in us finding ways to improve our service to you and we have the power to do so under the Pensions Act 2004.
- Type of personal data: contact details; identity checks (where relevant); interaction records
- Data sharing: customer service surveys; ServiceMark accreditation surveys (Institute of Customer Service); translation services; research exercises
Information rights requests
If you exercise your rights under data protection legislation (primarily the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA)) or the Freedom of Information Act 2000 (FOIA) or Environmental Information Regulations 2004 (EIR), we will need to handle your contact details, your request and relevant information. If you are making a request in relation to your personal data, we will often need to ask you for information to help confirm your identity.
We need to handle your personal data to help meet our legal obligations under GDPR/DPA and/or FOIA/EIR.
- Type of personal data: basic details; identity checks (where relevant); interaction records
If you visit our office we ask that all visitors sign in and out of reception. You may also be required to provide proof of identification but this information is not recorded. We also have surveillance cameras in place in our offices which are intended to prevent, and assist with the investigation and prosecution of, crime as well as to ensure the safety of our premises, employees and visitors. If you have an accident on our premises details will be retained.
We need to collect this information to meet our legitimate interest in maintaining the security and safety of our facilities.
- Type of personal data: contact details; images; health data (only if you are injured or take ill on our premises)
- Data sharing: building management (in Cannon Street and Renaissance); HSE (only in case of a RIDDOR reportable accident)
If you apply for one of our vacancies, the information you provide will be used to progress your application and assess your suitability for the position. For some roles you’ll be asked to complete a test and the results will form part of the assessment of suitability. If we make you a conditional offer of employment pre-employment checks will be carried out which require you to provide proof of your identity, including your national insurance number, your contact details, your address history, proof of your qualifications and contact details of suitable referees. You’ll also be asked to consent to a criminal records check, and for evidence of your eligibility to work in the UK.
You’ll be asked to provide us with equal opportunities information. Providing this information is not mandatory and will not affect the outcome of your application in any way. Any information you do provide is aggregated by role and used to monitor equality of opportunity.
Should you be successful in your application, you will be asked to provide your bank details in order to process salary payments and, where approved, process expenses claims.
If you apply for a job we use your data to perform our/enforce your obligations under the employment contract or to take steps prior to entering into that contract.
- Type of personal data: contact details; assessment data; identity checks; sensitive data
- Data sharing: recruitment portal supplier; pre-employment checks supplier; training supplier (for tests); referees
Buying goods and services
Businesses which bid for, or are awarded, contracts to provide goods or services to the PPF often provide us with contact details of employees for the purposes of negotiating or managing the contract. Where necessary we will also be provided with CVs for individuals that a company proposes to put forward to deliver the work. Where you are providing consultancy or similar services we will record information about your performance to assess delivery of the contract.
We need to use your data in this way to meet our legitimate interests in the procurement and delivery of best value goods and services.
- Type of personal data: contact details; interaction records; quality assessments
- Data sharing: data will be shared with us by prospective and current suppliers
One of the ways that compensation to members is funded is through an annual levy imposed on eligible schemes. If you are a trustee or other named contact for an eligible pension scheme we will use contact details provided by you or by The Pensions Regulator (TPR) to carry out activities in support of the levy. We have to consult schemes on the setting of the levy, answer enquiries and provide you with information about our services (e.g. through annual newsletters). We need to collect the levy by issuing invoices to schemes. We monitor our performance by recording calls and requesting feedback. Where necessary we will need to process your data in the resolution of disputes.
We’re legally required to consult on and collect the levy under the Pensions Act 2004. It’s in the public interest that we seek to continually improve our service to schemes and keep them informed about levy arrangements.
- Type of personal data: contact details; interaction records
- Data sharing: we obtain up-to-date contact details for schemes from TPR
Helping us to invest
Another source of funding is through investment management. Telephone calls with employees in our investments team are recorded to preserve client orders. Messages sent and received by these employees on the Bloomberg trading system are retained and monitored.
Retaining and monitoring these records is necessary for us to meet legal requirements.
- Type of personal data: work contact; financial details; interaction records
- Data sharing: fund managers and brokers; investments management system
Fraud Compensation Fund
We have to determine whether schemes which have applied for fraud compensation have been subject to fraud that has led to a loss. This requires details of trustees of the scheme, members, fraudsters and those suspected of fraud to be processed as part of the investigation.
We need to process this personal data to meet our legal obligations in the Pensions Act 2004.
- Type of personal data: contact details; interaction records
- Data sharing: data and intelligence is shared with us by TPR
Assessing and transferring schemes
If your employer has become insolvent and your scheme is undergoing assessment for entry to the PPF, you will be sent a privacy notice explaining how your personal data will be affected.
Restructuring and insolvency
When a qualifying employer becomes insolvent we exercise the pension scheme trustee’s creditor rights to influence the management of the insolvency process and maximise returns to the scheme. We occasionally get involved in restructuring of companies where it is inevitable that they will become insolvent with a view to ensuring a better outcome for the pension scheme. We need to handle personal data of senior employees, shareholders, trustees and members of schemes as part of these processes.
We need to use personal data to comply with our legal obligations under the Pensions Act 2004.
- Type of personal data: contact details; interaction records; financial records
- Data sharing: Insolvency Service's Redundancy Payments Service; scheme trustees; trustee advisers; scheme administrators; insolvency practitioners; external legal advisers; counterparties on restructuring transactions and their appointed advisers; TPR
- International Transfers of Personal Data
Most of our service providers are based in, and process personal data in, the UK. There are a small number of circumstances in which your personal data may be processed abroad:
- Auditing: where it is necessary for us to share your data with our auditors, this is done using data storage and sharing service Box. Box stores some data on servers outside the UK. Box has approved binding corporate rules (BCRs) in place to ensure that personal data is handled to appropriate standards wherever it is processed.
- Newsletters: if you receive newsletters and other email updates from us, your name, email address and PPF reference is shared with MailChimp, a business based in the USA, for distribution.
We have agreements with these companies which incorporate international data transfer clauses approved by the Information Commissioner’s Office. We require companies to comply with the standards set out in data protection legislation and to put in place appropriate security measures before we agree to share your data with them.
- Special Category Data
We sometimes need to use special category data about you. Special category data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual orientation or sex life, as well as genetic or biometric data used to identify individuals. We will also need to process criminal records on occasion.
The specific purposes for which we use such data are as follows:
- recruitment - racial/ethnic origin, religious or philosophical beliefs, health data, sexual orientation for equal opportunity monitoring; criminal convictions for pre-employment checks
- visitors - health data if you are injured during your visit
- Fraud Compensation Fund – it is sometimes necessary to handle information relating to criminal or suspected criminal activity when assessing compensation claims
- member services – as described in the members’ privacy notice.
In addition to the lawful basis set out above for each of these purposes, it is necessary to use special category data or criminal records for the purposes of monitoring and promoting equality and diversity; protecting the public against dishonesty; and to take steps to establish whether another person has committed an unlawful act, or been involved in dishonesty, malpractice or other seriously improper conduct.
Where possible we inform you before handling data of this kind and only collect or use it where necessary. We make it easy for you to check and update your records, and take appropriate security precautions to protect your data. Data is retained and then destroyed securely in line with the PPF’s Retention and Disposal Schedule.
- How long will we keep your data?
We’ll keep your information in line with our retention policy which varies depending on why we keep data. Some key examples are:
- Identifiable data about online activity (e.g. IP addresses) won’t be kept for any longer than a year;
- Records relating to most enquiries or requests will be retained for no longer than three years (although call recordings of investment-related calls are retained for up to seven years);
- Accident records are retained for six years after the last action taken;
- Unsuccessful job applications are deleted after one year;
- Unsuccessful bids for contracts are retained for no longer than a year, whilst contact details relating to current contracts can be kept for as long as six years after the end of a contract.
If you’d like to see our full Retention and Disposal Schedule just let us know.
- Exercising your rights
Under data protection legislation you have the right to ask to see the personal data we hold about you and to ask why we hold that information. Other rights you have are to ask us to correct data that you believe to be inaccurate or to ask us to stop using your data if you believe that we no longer need it to carry out our work.
We aim to comply with requests for access to personal data as quickly as possible and within one month of receipt unless there’s a good reason for delay. If so we’ll tell you, and let you know when you can expect to hear from us and the reason for the delay.
- The PPF’s Data Protection Officer and raising concerns
The PPF has a Data Protection Officer (DPO) whose role is to act as a point of contact for individuals and to monitor and provide advice to the PPF in relation to data protection issues. You can raise any concerns you have about the way we handle your personal data with the DPO by writing to:
Data Protection Officer
Pension Protection Fund
12 Dingwall Road
You can also email us at [email protected].
The Information Commissioner
If you’re not satisfied with our response or believe we’re not processing your personal data in accordance with the law you can complain to the Information Commissioner’s Office (ICO).
The Information Commissioner can be contacted at:
Address: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: +44 303 123 1113
- Changes to this privacy notice
We keep our privacy notice under regular review and we‘ll place any updates on the member website. This privacy notice was last updated in June 2022