Your privacy rights when
you’ve been given
access to a Nest
account

Personal information you provide will be used to enable us to identify you as an individual permitted to administer the Nest account of the employer or Nest Connector you set up. We need your personal information to administer the Nest account(s) of the employer(s) or Nest Connector(s) you’ve set up. It may also include, on rare occasions, personal information which relates to specific topics which are thought to be more privacy sensitive (e.g. information about health, ethnicity, religion etc.).

When we use sensitive personal information such as health records, we may ask for your consent. However, from time to time there may be cases where due to legal reasons or public interest, Nest can use this personal information without your consent. Nest may also use your personal information, in order to establish, exercise and defend its legal rights.    

You can find more details about the type of information we hold about you in “What personal information we use and how long we keep it” below.

We may also receive information from regulatory authorities (such as The Pensions Regulator).

You need to help us keep the personal information we hold about you accurate. If you notice that any of your personal information is incorrect or if any personal information about you changes, please see below on how you can correct your personal information.

Please note: The personal information you provide to us, as well as that we collect about you, is necessary for us to administer the Scheme, your Nest account and action your requests. Without it we may not be able to do so.

As a trustee, Nest has a legal obligation to provide pensions and other benefits in relation to its members and must comply with the legal obligations applicable to it (such as trust law, pensions law and our Order and Rules). In order to meet these requirements, we need to process your personal information. 

In addition, Nest is also a public corporation, whose function is to be the trustee of the Scheme. In carrying out this function, we will need to process your data in order to run the Scheme in line with our powers.

To meet these legal obligations, we need to use your personal information in relation to the administration of the Nest account(s) you’ve set up.

For instance, we can use this to:

• administer the Nest accounts you’ve set up
• communicate and interact with you (and the Nest Connector or the employer), in relation to  the Nest accounts you’ve set up. This can be by phone, webchat, email, post, secure mail
• provide services and information you request from us in relation to the Nest accounts you’ve set up
• inform you about changes to our services
• improve our service offering, including through surveys and research activities 
• see if and when you open the secure messages, emails or links we send you
• ensure we run a scheme that is compliant with regulation and legislation
• see if and when you have opened secure messages we send you, in the Nest accounts you’ve  set up
• prevent and detect crimes such as fraudulent activities.

Nest may also use your personal information in order to establish, exercise and defend its legal rights.

We’ll use your personal details to provide you with other information you’ve consented to receive. You can easily withdraw your consent at any time. We explain how you can do so, each time we ask for your consent.

For example: when setting up Nest accounts, you will be asked whether you are happy to receive news and other information about Nest that may interest you. If you have consented to receive such information, you can withdraw your consent at any time by logging into your Nest account, going to “edit my profile” and changing your marketing preference.

We may also use your personal information to see if and when you open emails or links we send you, where you have consented to receive them.

If you use our website, you’ll see a message asking you to consent to the use of non-essential cookies, at your first visit. If you consent to the use of cookies, we’ll also use your personal information to monitor the traffic and performance of our website.

If you want more information about cookies we use or if you’d like to change your cookie settings, please go to our cookies policy page.

• surname, forenames 
• relationship to organisation
• phone recordings and transcripts 
• details of the level of access applicable to the Nest Connector or the employer account who added you as a delegate 
• physical address (correspondence and billing), email address
• telephone number (for professional representatives, this will be work address/email)
• address history
• employer’s name
• the date of appointment and end date of your appointment as a delegate for each relevant  Nest Connector’s or employer’s account.

Where you provide this information to us:

• and setting up the employer’s Nest scheme isn’t completed, we’ll keep it for 15 years  following the date this information was provided
• and setting up the employer’s Nest scheme is completed but no one has enrolled any  members, we’ll keep it for 15 years following the date the employer stop using Nest.

In all other circumstances, we’ll keep this information for 15 years after the earliest of:

(a)    the date we pay out your last relevant member’s retirement pot in full;
(b)    the date we transfer your last relevant member’s retirement pot out of Nest or
(c)    the date of death of your last relevant member or 150 years from their date of birth in circumstances where we’ve not been notified of their death.

Except for records of change of address, which we’ll keep for 15 years after you notify us.

A relevant member is a member where you’re provided or viewed their details

Includes bank name, bank account number, sort code and any changes to those details.

We’ll keep this information for 15 years after the earliest of: 

(a)  the date we pay out your last relevant member’s retirement pot in full; 

(b)  the date we transfer your last relevant member’s retirement pot out of Nest or 

(c)  the date of death of your last relevant member where contributions were received from the Nest Connector or employer’s bank account or where contributions were refunded to that account

(d)  the date of your last relevant member’s 150th anniversary of birth in circumstances where we’ve not been notified of their death and where contributions were received from the Nest Connector or employer’s bank account or where contributions were refunded to that account.

Includes start and end date of each appointment as a primary contact for an employer Nest account or for a Nest Connector account.

We’ll keep this information for 15 years after the earliest of:

(a)   the date we pay out your last relevant member’s retirement pot in full;

(b)   the date we transfer your last relevant member’s retirement pot out of Nest 

(c)   the date of your last relevant member or 150 years from their date of birth in circumstances where we’ve not been notified of their death.

Any other data we collect, not specifically mentioned above will be brought to your attention with a specific message at the point of collection from you.

We’ll keep this information for 15 years after the earliest of your last relevant member’s:

(a)  date of payment of retirement pot in full, 

(b)  date of transferring their retirement pot out of Nest, or 

(c)  date of death or 150 years from their date of birth in circumstances where we’ve not been notified of their death.

We need to pass your personal information as requested and required, to The Pensions Regulator, the Pensions Ombudsman, the Department for Work and Pensions and Her Majesty’s Revenue and Customs, in accordance with our legal, regulatory and statutory obligations, for compliance purposes.

In order to comply with our legal, regulatory and statutory obligations, sometimes we also need to pass your personal information to third parties, such as courts, law enforcement agencies, our insurers, our auditors, and our professional advisers.

As part of the legal requirements when looking after the Scheme, Nest has to be able to develop a Scheme that aims at meeting, on an on-going basis, the needs of its members, participating employers, and intermediaries. In order to do so, Nest needs to conduct research and surveys. Some of those activities may require us to use your personal information.

When conducting such activities, we may need, from time to time, to share your personal information with other government bodies or departments, as well as with third party research partners (such as universities, think tanks, etc.). Wherever appropriate, we’ll use aggregated datasets, or anonymisation or pseudonymisation techniques to limit personal information use to what is strictly necessary for the purpose of each project.

We also use market research agencies and survey providers to help us carry out these activities. We seek to ensure that we have the necessary safeguards and security measures in place, when we do so.

When we outsource any processes, we ensure any supplier or contractor we use has adequate security measures in place. We also require them to comply with data protection principles as part of our contract with them. When we share data with third parties, they may be a processor acting on instructions from us, or a controller in their own right.

Most of our scheme administration is carried out by our outsourced supplier, Tata Consultancy Services (TCS). As part of their services, some of your personal information may be processed from India. Where this occurs, Nest relies on model contract clauses (if you want more information, please see the section below ‘Transfers outside the UK').

In the course of providing scheme administration services, TCS uses other processors, such as:

• data centre hosting providers, based in the UK and the EEA
• letter printing and postal service providers
• software providers, such as email campaign providers
• identity checking service providers.

Where this occurs, Nest requires sufficient guarantees from TCS that appropriate technical and organisational measures are in place with all processors and that their standard of security with regard to the processing of your personal information is satisfactory to Nest.

In certain circumstances, we may need to disclose your personal information to other trusted third parties, who will receive it as controllers in their own right (such as auditors, consultants, legal advisers, identity and bank checking service providers). In such cases, we will ensure that the appropriate contracts and safeguards are in place.

Nest uses website analytics providers in order to provide valuable information and insight into the performance and use of our website. We also share information about your use of our site with those web analytics providers. You’ll find more information in our cookies policy.

From that page, you’ll also be able to manage your preferences and be able to opt in or out from cookies that are not essential to the operation of the website. We may also share your personal information with any other third party where you have given your consent.

Some of the services TCS are providing are carried out from India. In order to make sure that your data is secure when transferred to India, Nest uses the Model Contract Clauses which includes the UK's international data transfer agreement (ITDA) or the EU's standard contractual clauses (EU SCCs) supplemented by the ITDA addendum.

The administration of the Scheme and your Nest account can be done using modern technology such as smartphones and tablets. In such cases, your personal information can be accessible from those devices. Where this occurs, Nest may access and review your personal information while transiting via countries outside the UK. Nest will carry out a risk assessment and seek to implement that in these cases, strong security controls protect your data both in transit to, and on Nest devices.

As mentioned above, Nest conducts research into the way our customers interact and save with us, using third party processors such as market research agencies, survey providers and third party research partners.

When those third parties are not based in the UK, Nest carries out a risk assessment to determine whether appropriate safeguards are in place (taking into account the level of security, the volume of data, sensitivity of data) and Nest seeks to ensure that the necessary safeguards are written into a contract.

When procuring new suppliers that may be processing personal information, Nest conducts a risk assessment into where and how personal information will be processed and to determine what safeguards are appropriate, such as, for instance, entering into Model Contract Clauses (and/or any replacements applicable in the UK) or relying on adequacy decisions.

In order to administer the Scheme and your Nest account, it is important that we have accurate and complete information about you. We encourage you to notify us of any changes regarding your personal information, as mentioned just below. You must help us keep your personal information accurate.

You can correct the information we hold about you by logging into your online Nest account, then selecting “edit your profile”.  

You can also contact us at Nest, Nene Hall, Lynch Wood Business Park, Peterborough, PE2 6FY.

Subject to certain conditions, you have the right to request access to the personal information that we hold about you. This is commonly called a “data subject access request”.

If possible, you should specify the type of information you would like to see to ensure that our disclosure meets your expectations. We must be able to verify your identity. Your request shall not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other individuals.

In addition to your right to request access to or rectification of the personal information we hold about you, you’ll have the right, under certain circumstances, to make a request to:

• restrict or object to the processing of the personal information we hold about you (see  Note1)
• erase your personal information (see Note1)
• receive personal information about you that you have provided to us in a structured,  commonly used, machine-readable format where we use it with your consent (‘right to data  portability’) (see Note2)
• withdraw your consent for us to process your personal information, where based on consent  (see Note3).

Note1: It is important to note that your request to restrict or object to processing or erase your personal information doesn’t automatically lead to a requirement for the processing to stop, or for your personal information to be deleted. For instance, we may not be in a position to erase your personal information, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.

Note2: In addition, the right to data portability only applies in certain circumstances such as where the processing relies on consent. When Nest processes your personal information for the purposes of scheme administration (as explained above), in most instances, it does so in order to comply with its legal obligations. In this case, the right to data portability will not apply.

Note3: If you do decide to withdraw your consent we will stop processing your personal information for that purpose going forward, unless there is another lawful basis we rely on – in which case, we will let you know.

To make a request under these rights you can:

• write to us at Nest, Nene Hall, Lynch Wood Business Park, Peterborough, PE2 6FY; or 
• email us at support@nestpensions.org.uk

The information provided in this privacy notice is in addition to any other privacy information we may give you on this website or via other channels (paper communication, secure message, webchat, telephone etc.). 

We may update this notice from time to time. We will keep you updated on material changes to this notice. We also encourage you to check this notice on a regular basis.

If you want more information about the use of cookies on the Nest website, please view our cookies policy.

If you want to contact us, you can 

• by phone on 0300 020 0393
• write to us at Nest, Nene Hall, Lynch Wood Business Park, Peterborough, PE2 6FY
• email us at support@nestpensions.org.uk
• contact our data protection officer at dpo@nestcorporation.org.uk

If you have concerns about the way we handle your personal information and you think we haven’t dealt with them properly, you can contact the Information Commissioner’s Office or raise a complaint

• by phone on +44 303 123 1113
• by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,  SK9 5AF
• via their website at www.ico.org.uk/concerns