Skip to Main Content

Your privacy rights when you’ve been given access to a member’s NEST account

This web page expands on the privacy information that has previously been made available to you (a copy of which can be found here).

The purpose of this notice is to explain how the National Employment Savings Trust Corporation (NEST) as Trustee of the NEST pension scheme (the Scheme) collects and uses your personal information and how we comply with data protection law. NEST looks after all aspects of the Scheme, in line with the NEST Order and Rules and the law. Where NEST determines the reasons we use your personal information and the means of processing your personal information, it is the controller.

In this notice, we explain some things about the personal information NEST holds, and your rights regarding this information. It’s important that you read it carefully, together with any other privacy notices and information that we provide you, from time to time. 

About your personal information and where we obtain it

We collect and receive different types of personal information about you, in order to administer the member’s NEST account where you were added as a delegate. Personal information we hold about you includes any information that identifies you (e.g name, address, phone number etc).   

It may also include, on rare occasions, personal information which relates to specific topics which are thought to be more privacy sensitive (e.g information about your health, your gender, etc).

You can find more details about the type of information we hold about you in “What personal information we use and how long we keep it ” below.

We received personal information about you when you were added as a delegate to a member’s NEST account. The member provided these details to us and their details are outlined in the email that was sent to you to activate your appointment. You may be appointed delegate by more than one member, in such case you’ll receive separate notices for each appointment.

 This is explained further in the communication sent to you to validate your appointment as delegate to that Member’s NEST account.

You need to help us keep the personal information we hold about you accurate. If you notice that any of your personal information is incorrect or if any personal information about you changes, please see below on how you can correct your personal information.

Please note: The personal information you provide to us, as well as that we collect about you, is necessary for us to administer the Scheme, the member’s NEST account where you were added as a delegate and action your requests.  Without it we may not be able to do so.

How we’ll use your personal information

As a trustee, NEST has a legal obligation to provide pensions and other benefits in relation to its members and must comply with the legal obligations applicable to it (such as trust law, pensions law and our Order and Rules).   In order to meet these requirements, we need to process your personal information. 

In addition, NEST is also a public body, whose function is to be the trustee of the Scheme. In carrying out this function, we will need to process your data in order to run the Scheme in line with our powers.

To meet these obligations, we’ll use your personal information to:

  • administer the NEST account of the member who added you as a delegate
  • communicate and interact with you and the member that added you as a delegate, in relation to that member’s NEST account. This can be by phone, webchat, email, post, secure mail, app
  • provide services and information you request from us in relation to the NEST account of that member
  • inform you about changes to our services
  • improve our service offering, including through surveys and research activities 
  • ensure we run a scheme that is compliant with regulation and legislation
  • see if and when you have opened secure messages we send you, in your NEST account
  • prevent and detect crimes such as fraudulent activities

When NEST needs to use information about your health or other sensitive personal information, we may ask for your consent. However, from time to time, there may be cases where due to legal reasons or public interest, NEST can use this personal information without your consent. 

NEST may also use your personal information in order to establish, exercise and defend its legal rights.

We’ll use your personal details to provide you with other information you’ve consented to receive. You can easily withdraw your consent at any time. We explain how you can do so, each time we ask for your consent.

For example: when logging in to your NEST account for the first time, you will be asked whether you are happy to receive news and other information about NEST that may interest you. If you have consented to receive such information, you can withdraw your consent at any time, by logging into your NEST account going to “edit my profile” and changing your marketing preference.

We may also use your personal information to see if and when you open emails or links we send you, where you have consented to receive them.

If you use our website, you’ll see a message asking you to consent to the use of non-essential cookies, at your first visit. If you consent to the use of cookies, we’ll also use your personal information to monitor the traffic and performance of our website.
If you want more information about cookies we use or if you’d like to change your cookie settings, please go to our cookies policy page.

What personal information we use and how long we keep it

Pensions are for the long term, so we will retain your personal information for a long time. You can find more details below.

Including: surname, forenames, relationship to member phone recordings and transcripts of your interaction with us, emails, secure messages, and details of the level of access applicable to the member’s NEST account who added you as a delegate, physical address, e-mail address and telephone number (for professional representatives, this will be work address/email).

We’ll keep this information for 15 years after the earliest of:

(a) the date we pay out your last relevant member’s retirement pot in full; 

(b) the date we transfer your last relevant member’s retirement pot out of NEST or 

(c) the date of death of your last relevant member or 150 years from their date of birth in circumstances where we’ve not been notified of their death. 

A relevant member is a member where you’ve provided or viewed their details.

Appointment as a delegate

Includes: date of appointment as a delegate and date each delegate role ended, records of change of addresses

  • In relation to your dates of appointment and end dates of each such appointments:

 We’ll keep this information for 15 years after the earliest of:

 (a) the date we pay out your relevant member’s retirement pot in full; 
(b) the date we transfer your relevant member’s retirement pot out of NEST or 

  • (c) the date of death of your  relevant member or 150 years from their date of birth in circumstances where we’ve not been notified of their death. In relation to the records of change of addresses:

We’ll retain all records of changes to addresses for fifteen years after you notify us.

Any other data not described above:

Any other data we collect, not specifically mentioned above will be brought to your attention with a specific message at the point of collection from you.

We’ll keep this information for 15 years after the earliest of your last relevant member’s:
(a) date of payment of retirement pot in full, 
(b) date of transferring their retirement pot out of NEST or 
(c) date of death or 150 years from their date of birth in circumstances where we’ve not been notified of their death.

In addition, we may keep your personal information for a longer period of time than mentioned above for archiving or research purposes, or in the event of ongoing disputes, claims, complaints or data migration. In such cases, we’ll consider the nature, degree of sensitivity, and volume of your personal information that needs to be kept. We’ll also take into consideration the purpose for extending the retention period and whether this purpose could be achieved through other means.

Passing on your personal information to third parties

From time to time, we may need to pass your personal information on to trusted third parties. The third parties we may share information with are:

We need to pass your personal information as requested and required, to The Pensions Regulator, the Pensions Ombudsman, the Department for Work and Pensions and Her Majesty’s Revenue and Customs, in accordance with our legal, regulatory and statutory obligations, for compliance purposes. 

In order to comply with our legal, regulatory and statutory obligations, sometimes we also need to pass your personal information to 3rd parties, such as courts, law enforcement agencies, our insurers, our auditors, and our professional advisers.

As part of the legal requirements when looking after the Scheme, NEST has to be able to develop a Scheme that aims at meeting, on an on-going basis, the needs of its members, participating employers, and intermediaries. In order to do so, NEST needs to conduct research and surveys. Some of these activities may require us to use your personal information.

When conducting such activities, we may need, from time to time, to share your personal information with other government bodies or departments, as well as with third party research partners (such as universities, think tanks, etc.). Wherever appropriate, we’ll use aggregated datasets, or anonymisation or pseudonymisation techniques to limit personal information use to what is strictly necessary for the purpose of each project.

We also use market research agencies and survey providers to help us carry out these activities. We seek to ensure that we have the necessary safeguards and security measures in place, when we do so.

Most of our scheme administration is carried out by our outsourced supplier, Tata Consultancy Services (TCS).  As part of their services, some of your personal information may be processed from India. Where this occurs, NEST relies on model contract clauses (if you want more information, please see the section below).

In the course of providing scheme administration services, TCS uses other processors, such as:

•    data centre hosting providers, based in the E.E.A 
•    letter printing and postal service providers
•    software providers, such as email campaign providers
•    identity checking service providers

  Where this occurs, NEST requires sufficient guarantees from TCS that appropriate technical and organisational measures are in place with all processors and that their standard of security with regard to the processing of your personal information is satisfactory to NEST.

In certain circumstances, we may need to disclose your personal information to other trusted third parties, who will receive it as controllers in their own right (such as auditors, consultants, legal advisers, identity and bank checking service providers).  In such cases, we will ensure that the appropriate contracts and safeguards are in place.

NEST uses website analytics providers in order to provide valuable information and insight into the performance and use of our website. We also share information about your use of our site with those web analytics providers. You’ll find more information in our cookies policy.

From that page, you will also be able to manage your preferences and be able to opt in or out from cookies that are not essential to the operation of the website.

Security and safe storage of your personal information

The security of your personal information is very important to us and we take this matter very seriously.  We’ll use appropriate procedures and security features to process and protect your information.  We have in place a robust framework to ensure the security of your data.

The information security management systems operated by NEST Corporation, our scheme administrator and our IT managed services provider are all independently certified to the ISO 27001 standard. This gives us assurance that our systems and processes are robust, and helps protect members’ data

Transfers outside the European Economic Area (E.E.A)

Some of the organisations that we share your personal information with may process it overseas. If any sharing means that your personal information will be transferred outside the EEA, we will only make that transfer if:

  • the country to which the personal information is to be transferred ensures an adequate level of protection for personal information
  • we have put in place appropriate safeguards to protect your personal information, such as an appropriate contract (like the contract terms sometimes called Model Contract Clauses  issued by the European Commission) with the recipient
  • the transfer is necessary for one of the reasons specified in data protection law
  • sometimes, we will request your consent to the transfer. 

Please find below more detailed information in relation to our scheme administration, our research activities and our procurement activities.

Some of the services TCS are providing are carried out from India. In order to make sure that your data is secure when transferred to India, NEST uses the Model Contract Clauses  issued by the European Commission, along with stringent security measures.

The administration of the Scheme and the NEST account(s) for which you have been added as a delegate can be done using modern technology such as smartphones and tablets.  In such cases, your personal information can be accessible from those devices.  Where this occurs, NEST may access and review your personal information while transiting via non-EEA countries.  NEST will carry out a risk assessment and seek to implement strong security controls protect your data both in transit to, and on NEST devices.  

As mentioned above, NEST conducts research into the way our customers interact and save with us, using 3rd party processors such as market research agencies, survey providers, 3rd party research partners.

When those 3rd parties are not based in the EEA, NEST carries out a risk assessment to determine whether appropriate safeguards are in place (taking into account the level of security, the volume of data, sensitivity of data) and NEST seeks to ensure that the necessary safeguards are written into a contract.

When procuring new suppliers that may be processing personal information, NEST conducts a risk assessment into where and how personal information will be processed and to determine what safeguards are appropriate.  Where necessary, NEST aims to use the Model Contract Clauses issued by the European Commission or the U.S. Privacy Shield.

How you can access and correct your personal information

In order to administer the Scheme, and the NEST account of the member who added you as a delegate, it is important that we have accurate and complete information about you. We encourage you to notify us of any changes regarding your personal information, as mentioned just below.

You can correct the information we hold about you by logging into your online NEST account, then selecting “edit your profile”.

You can also contact us at NEST, Nene Hall, Lynch Wood Business Park, Peterborough, PE2 6FY.

Subject to certain conditions, you have the right to request access to the personal information that we hold about you. This is commonly called a “data subject access request”. 

If possible, you should specify the type of information you would like to see to ensure that our disclosure meets your expectations. We must be able to verify your identity. Your request shall not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other individuals.

In addition to your rights to request access to or rectification of the personal information we hold about you, you’ll have the right, under certain circumstances, to make a request to:

  • restrict or object to the processing of the personal information we hold about you (see Note1)
  • erase your personal information (see Note1) 
  • receive personal information about you that you have provided to us in a structured, commonly used, machine-readable format where we use it with your consent (‘right to data portability’) (see Note2)
  • withdraw your consent for us to process your personal information, where based on consent (see Note3)

Note1: It is important to note that your request to restrict or object to processing, or erase your personal information doesn’t automatically lead to a requirement for the processing to stop, or for your personal information to be deleted.  For instance, we may not be in a position to erase your personal information, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.

Note2: In addition, the right to data portability only applies in certain circumstances such as where the processing relies on consent. When NEST processes your personal information for the purposes of scheme administration (as explained above), in most instances, it does so in order to comply with its legal obligations. In this case, the right to data portability will not apply. 

Note3: If you do decide to withdraw your consent we will stop processing your personal information for that purpose going forward, unless there is another lawful basis we rely on – in which case, we will let you know.

To make a request under these rights you can: 

Queries and further information

The information provided in this privacy notice is in addition to any other privacy information we may give you on this website or via other channels (paper communication, secure message, webchat, telephone etc.). 

We may update this notice from time to time. We will keep updated you on material changes to this notice. We also encourage you to check this notice on a regular basis.

If you want more information about the use of cookies on the NEST website, please view our cookies policy 

If you want to contact us, you can

If you have concerns about the way we handle your personal information and you think we haven’t dealt with them properly, you can contact the Information Commissioner’s Office or raise a complaint

  • by phone on +44 303 123 1113
  • by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
  • via their website at http://www.ico.org.uk/concerns

Last updated on May 2018