Skip to Main Content

Your privacy rights as a third party to a NEST account

This web page expands on the privacy information that has previously been made available to you (a copy of which can be found here).

The purpose of this notice is to explain how the National Employment Savings Trust Corporation (NEST) as Trustee of the NEST pension scheme (the Scheme) collects and uses your personal information and how we comply with data protection law. NEST looks after all aspects of the Scheme, in line with the NEST Order and Rules and the law. Where NEST determines the reasons we use your personal information and the means of processing your personal information, it is the controller.

In this notice, we explain some things about the personal information NEST holds, and your rights regarding this information. It’s important that you read it carefully, together with any other privacy notices and information that we provide you, from time to time.

About your personal information and where we obtain it

We collect and receive different types of personal information about you, in order to administer the NEST account of the member or employer you are linked to. Personal information we hold about you includes any information that identifies you (e.g name, address, phone number etc). It may also include, on rare occasions, personal information which relates to specific topics which are thought to be more privacy sensitive (e.g information about your health, your gender, etc).

You can find more details about the type of information we hold about you, in “What personal information we use and how long we keep it” below.

We have received information about you, either from one of our members or one of our employers, in relation to an event affecting them. This is further explained in the communication you received with this notice or that you may have received separately.  In some instances, you may have provided us this information directly.

Please note: Your personal information is necessary for us to administer the Scheme, the members’ or employers’ NEST account that you are linked to and to action their or your requests. Without it we may not be able to do so.

How we’ll use your personal information

As a trustee, NEST has a legal obligation to provide pensions and other benefits in relation to its members and must comply with the legal obligations applicable to it (such as trust law, pensions law and our Order and Rules). In order to meet these requirements, we need to process your personal information. 

In addition, NEST is also a public body, whose function is to be the trustee of the Scheme. In carrying out this function, we will need to process your data in order to run the Scheme in line with our powers.

To meet these obligations, we’ll use your personal information to:

  • administer the NEST accounts of the employer or member you are linked to
  • communicate with you, or the relevant member or employer, in relation to their NEST account. This can be by phone, webchat, email, post, secure mail, app
  • provide services and information you request from us in relation to their account
  • improve our service offering, including through surveys and research activities
  • ensure we run a scheme that is compliant with regulation and legislation
  • prevent and detect crimes such as fraudulent activities.

When NEST needs to use information about your health or other sensitive personal information, we may ask for your consent. However, from time to time, there may be cases where due to legal reasons or public interest, NEST can use this personal information without your consent. 

NEST may also use your personal information in order to establish, exercise and defend its legal rights.

We’ll use your personal details to provide you with other information you’ve consented to receive. You can easily withdraw your consent at any time. We explain how you can do so, each time we ask for your consent.

If you use our website, you’ll see a message asking you to consent to the use of non-essential cookies, at your first visit. If you consent to the use of cookies, we’ll also use your personal information to monitor the traffic and performance of our website. 

If you want more information about cookies we use or if you’d like to change your cookie settings, please go to our cookies policy page.

What personal information we use and how long we keep it

Pensions are for the long term, so we will retain your personal information for a long time. You can find more details below.

As an individual who makes a payment into a NEST member’s retirement pot:

Including: surname, forenames, telephone number, address, email address, phone recordings and transcripts of your interaction with us, emails


We’ll keep this information for 15 years after the earliest of:

(a) the date we pay out the member’s retirement pot in full;

(b) the date we transfer the member’s retirement pot out of NEST or

(c) the date of death of the member or 150 years from the date of their birth in circumstances where we’ve not been notified of their death.

As a beneficiary of a NEST member’s retirement pot value

Including: surname, forenames, address, relationship to member, phone recordings and transcripts of your interaction with us, emails, benefit percentage, copies of identification documents (including birth, marriage/civil partnership, death certificates)

We’ll keep this information for 15 years after the date of death of the member where death benefits are paid to you or 150 years from the member’s date of birth in circumstances where we’ve not been notified of their death and death benefits are not paid to any beneficiary;

Where the member takes their retirement pot in full, we’ll keep this information for 15 years after the earliest of:
(a) the date we pay out the member’s retirement pot in full;

(b) the date we transfer the member’s retirement pot out of NEST or

(c) the date of submission of a new expression of wish/death benefit nomination form, where the member completes a new form and replaces the beneficiary.

As someone else connected to a NEST member or a NEST employer

This category covers a variety of individuals. This could include:

  • professionals, 
  • doctors, 
  • consultants, 
  • ex-spouses, 
  • solicitors,

who interact with the Scheme in respect of a specific member event such as ill-health application, death benefit or divorce cases 

  • professionals,
  • consultants, 

who interact with the Scheme in relation to a specific employer event.

Including: 

  • name, contact details (such as physical address, email, phone number(s)), phone recordings and transcripts of your interaction with us, emails and,
  • where applicable:
  • data on your qualification/profession and employer/practice from time to time when communicating with NEST, 
  • pension sharing order, 
  • ear marking order.

This will follow the same principles as the member retention period relating to the activity where the data is gathered. To know more about this please see the Fair Processing Notice for members at: https://www.nestpensions.org.uk/schemeweb/dam/nestlibrary/personal-information-member.pdf.

Data will be kept with the relevant member record. We won’t keep a separate record of your data.

Any other data not described above

Any other personal information we collect and use that is not described in any of the categories above.

This will follow the same principles as the member retention period relating to the activity where the data is gathered. To know more about this please click here www.nestpensions.org.uk/personal-information-members

Data will be kept with the relevant member record. We won’t keep a separate record of your data. 

In addition, we may keep your personal information for a longer period of time than mentioned above for archiving or research purposes, or in the event of ongoing disputes, claims, complaints or data migration. In such cases, we’ll consider the nature, degree of sensitivity, and volume of your personal information that needs to be kept. We’ll also take into consideration the purpose for extending the retention period and whether this purpose could be achieved through other means.

Passing on your personal information to third parties

From time to time, we may need to pass your personal information on to trusted third parties. The third parties we may share information with are:

We need to pass your personal information as requested and required, to The Pensions Regulator, the Pensions Ombudsman, the Department for Work and Pensions and Her Majesty’s Revenue and Customs, in accordance with our legal, regulatory and statutory obligations, for compliance purposes. 

In order to comply with our legal, regulatory and statutory obligations, sometimes we also need to pass your personal information to 3rd parties, such as courts, law enforcement agencies, our insurers, our auditors, and our professional advisers.

As part of the legal requirements when looking after the Scheme, NEST has to be able to develop a Scheme that aims at meeting, on an on-going basis, the needs of its members, participating employers, and intermediaries. In order to do so, NEST needs to conduct research and surveys. Some of those activities may require us to use your personal information.  

When conducting such activities, we may need, from time to time, to share your personal information with other government bodies or departments, as well as with third party research partners (such as universities, think tanks, etc). Wherever appropriate, we’ll use aggregated datasets, or anonymisation or pseudonymisation techniques to limit personal data use to what is strictly necessary for the purpose of each project.

We also use market research agencies and survey providers to help us carry out these activities. We seek to ensure that we have the necessary safeguards and security measures in place, when we do so.

Most of our scheme administration is carried out by our outsourced supplier, Tata Consultancy Services (TCS). As part of their services, some of your personal information may be processed from India. Where this occurs, NEST relies on model contract clauses (if you want more information, please see the section below).

In the course of providing scheme administration services, TCS uses other processors, such as:

  • data centre hosting providers, based in the E.E.A 
  • letter printing and postal service providers
  • software providers, such as email campaign providers
  • identity checking service provider, etc… 

Where this occurs, NEST requires sufficient guarantees from TCS that appropriate technical and organisational measures are in place with all processors and that their standard of security with regard to the processing of your personal information is satisfactory to NEST.

When you transfer to another pension scheme, we’ll need to share some of your personal information with that pension provider.

In certain circumstances, we may need to disclose your personal information to other trusted third parties, who will receive it as controllers in their own right (such as auditors, consultants, legal advisers, identity and bank checking service providers). In such cases, we will ensure that the appropriate contracts and safeguards are in place.

NEST uses website analytics providers in order to provide valuable information and insight into the performance and use of our website. If you use our website, we also share information about your use of our site with those webanalytics providers. You’ll find more information in our cookies policy.

From that page, you will also be able to manage your preferences and be able to opt in or out from cookies that are not essential to the operation of the website.

Security and safe storage of your personal information

The security of your personal information is very important to us and we take this matter very seriously.  We’ll use appropriate procedures and security features to process and protect your information.  We have in place a robust framework to ensure the security of your data.

The information security management systems operated by NEST Corporation, our scheme administrator and our IT managed services provider are all independently certified to the ISO 27001 standard. This gives us assurance that our systems and processes are robust, and helps protect members’ data

Transfers outside the European Economic Area (E.E.A)

Some of the organisations that we share your personal information with may process it overseas.  If any sharing means that your personal information will be transferred outside the E.E.A, we will only make that transfer if:

  • the country to which the personal data is to be transferred ensures an adequate level of protection for personal information
  • we have put in place appropriate safeguards to protect your personal information, such as an appropriate contract (like the contract terms sometimes called Model Contract Clauses  issued by the European Commission) with the recipient
  • the transfer is necessary for one of the reasons specified in data protection law
  • sometimes, we will request your consent to the transfer

Please find below more detailed information in relation to our scheme administration , our research activities and our procurement activities.

Some of the services TCS are providing are carried out from India. In order to make sure that your data is secure when transferred to India, NEST uses the Model Contract Clauses issued by the European Commission, along with stringent security measures.

The administration of the Scheme and the NEST Accounts linked to you can be done using modern technology such as smartphones and tablets. In such cases, your personal information can be accessible from those devices.  Where this occurs, NEST may access and review your personal information while transiting via non-EEA countries.  NEST will carry out a risk assessment and seek to implement that in these cases, strong security controls protect your data both in transit to, and on NEST devices.  

As mentioned above, NEST conducts research into the way our customers interact and save with us, using 3rd party processors such as market research agencies, survey providers, 3rd party research partners.

When those 3rd parties are not based in the E.E.A, NEST carries out a risk assessment to determine whether appropriate safeguards are in place (taking into account the level of security, the volume of data, sensitivity of data) and seeks to ensure that the necessary safeguards are written into a contract.

When procuring new suppliers that may be processing personal information, NEST conducts a risk assessment into where and how personal information will be processed and to determine what safeguards are appropriate.  Where necessary, NEST aims to use the Model Contract Clauses issued by the European Commission or the U.S. Privacy Shield.

How you can access and correct your personal information

You can correct the information we hold about you by logging into your online NEST account if you have one, then selecting “edit your profile”.  

Alternatively you can also contact us at NEST, Nene Hall, Lynch Wood Business Park, Peterborough, PE2 6FY.

Subject to certain conditions, you have the right to request access to the personal information that we hold about you.  This is commonly called a “data subject access request”. 

If possible, you should specify the type of information you would like to see to ensure that our disclosure meets your expectations. We must be able to verify your identity. Your request shall not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other individuals.

In addition to your rights to request access to or rectification of the personal information we hold about you, you’ll have the right, under certain circumstances, to make a request to:

  • restrict or object to the processing of the personal information we hold about you (see Note1)
  • erase your personal information (see Note1)
  • receive personal information about you that you have provided to us in a structured, commonly used, machine-readable format where we use it with your consent  (‘right to data portability’) (see Note2)
  • withdraw your consent for us to process your personal information, where based on consent (see Note3)

Note1: It is important to note that your request to restrict or object to processing, or erase your personal information doesn’t automatically lead to a requirement for the processing to stop, or for your personal information to be deleted. For instance, we may not be in a position to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.

Note2: In addition, the right to data portability only applies in certain circumstances such as where the processing relies on consent.  When NEST processes your personal information for the purposes of scheme administration (as explained above), in most instances, it does so in order to comply with its legal obligations. In this case, the right to data portability will not apply. 

Note3: If you do decide to withdraw your consent we will stop processing your personal data for that purpose going forward, unless there is another lawful basis we rely on – in which case, we will let you know.

To make a request under these rights you can:

Queries and further information

The information provided in this privacy notice is in addition to any other privacy information we may give you on this website or via other channels (paper communication, secure message, webchat, telephone etc.).

We may update this notice from time to time. We will keep updated you on material changes to this notice. We also encourage you to check this notice on a regular basis.

If you want more information about the use of cookies on the NEST website, please view our cookies policy 

If you want to contact us, you can 

If you have concerns about the way we handle your personal information and you think we haven’t dealt with them properly, you can contact the Information Commissioner’s Office or raise a complaint

  • by phone on +44 303 123 1113
  • by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
  • via their website at http://www.ico.org.uk/concerns

Last updated on May 2018