The purpose of this Privacy Policy is to explain why and how the Royal Mail Statutory Pension Scheme (RMSPS) uses your personal information, your rights regarding this information and how we comply with data protection law.
In this Privacy Policy we explain some things about the personal information RMSPS holds and your rights regarding this information. It’s important that you read it carefully.
We keep this Privacy Policy under regular review and any changes we make to our Privacy Policy in the future will be posted on this page and will become effective when we post the revised Privacy Policy. This version was last updated on 15/07/2019.
Data protection legislation refers to all applicable privacy and data protection laws including the General Data Protection Regulation (GDPR) ((EU) 2016/679), the Data Protection Act 2018 and any additional laws, regulations and secondary legislation in England and Wales relating to the processing of personal data and the privacy of electronic communications, as amended, replaced or updated from time to time. The GDPR builds on the previous data protection legislation in order to respond to advances in technology, make accountabilities for data protection clearer, provide greater rights to 'data subjects' (individuals whose personal information is held by organisations) and increase the size of fines that can be levied in the event of a personal information breach.
Legislation sets out the data protection principles. These are that personal information shall be:
The Information Commissioner’s Office (ICO) is the UK's independent body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The Cabinet Office is the scheme manager responsible for the RMSPS. This means they are the ‘data controller’ for the personal information collected to provide the arrangements to you.
From 1 October 2018 Capita Employee Solutions is the pension administrator for the scheme covered by this policy and is known as the ‘data processor’. The data controller (Cabinet Office) sets out what and how the data processor can use your personal information.
The Cabinet Office will only use your personal information where it has a ‘lawful basis’ under the GDPR for doing so. Most commonly, it will use your personal data in order to enable it to:
As the scheme manager, the Cabinet Office has legal obligations set out in scheme legislation, the Postal Services Act 2011, to provide pensions and other benefits to eligible members, as well as complying with other legal requirements affecting the scheme.
In addition, the Cabinet Office is carrying out a task in the public interest by managing and administering a public service pension scheme.
The Cabinet Office may also use your personal information where it suspects that you have committed a criminal offence such as fraud or to defend its legal rights.
The main purposes for which we may use your personal information are to:
As pensions are long term, the reason for processing your personal information is likely to change over time as your circumstances change, for example:
We do not generally require your consent to use your personal information, since we are entitled to do so in reliance on the two lawful bases outlined above. However, if you apply for payment of your benefits on the grounds of ill health under the RMSPS, we will need your explicit consent in order to be able to process your health details. This is because health details are classed as a ‘special category’ of personal information under the GDPR.
You will be asked for your consent to sharing the information with relevant parties, for example the Scheme Medical Advisor.
You may withdraw your consent to our processing of your health details at any time.
You may provide us with your personal information, for example you will need to inform us of your Death Benefit Nominee(s), spouse, Civil Partner or any other dependents.
As a deferred or pensioner member you need to inform the scheme administrator, Capita Employee Solutions, of any such changes directly.
Any online, postal, email or phone communications you have with Capita Employee Solutions are also classed as personal information. These communications are retained in order to protect your interests and those of the schemes. Email and any postal communications are stored electronically and phone calls are recorded.
The security of your personal information is very important to us. The information security management systems operated by the scheme administrator and our IT managed services providers are all independently certified to the ISO 27001:2013 standard. This provides the assurance that our systems and processes are suitably robust and secure to protect your information from cyber attack.
Personal information is defined as any information relating to an identified or identifiable living person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a unique identification number (for example your National Insurance Number), location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, economic, cultural or social identity of that person.
In the context of the RMSPS we can require the following information to administer the scheme:
These are required to make sure we can communicate with you and can satisfy our regulatory obligations, such as informing HMRC of any tax due. With the exception of a member number which is allocated by the administrator and an email address, we received this information from your employer at the time of employment:
These are required in the event of your death so that we can pay any death benefits due. We receive this information from you:
Important Note: the RMSPS does not notify your chosen nominees of the fact that you have nominated them for any benefits that may be due upon your death. This is because it is your right to choose who may benefit, you may not wish the beneficiary to know and you may change your mind in the future. Our first contact with your Death Benefit Nominee(s) will be in the event of your death. We do request though that if you nominate a child and you do not have parental responsibility for that child then you seek consent from a parent or legal guardian before making that nomination.
These are required to calculate your pension benefits or if you wish to transfer benefits to a different pension scheme. This information is received from your employer during your employment.
You may have transferred benefits into the RMSPS from another pension provider in line with the scheme rules. We received this information from your previous pension provider and from you directly.
The RMSPS may pay benefits to you, your spouse, your dependants and your nominees over the period of your membership of the scheme arrangements. In some instances we may require official documentation to verify your personal circumstances or the identity of others in order to pay those benefits. This information will be provided by either yourself or others and include:
Identification documents;
The RMSPS operate a continuous improvement approach and as such may request feedback from you, either by the phone or written/electronic mail. We also progress any complaints you may have in order that we can make improvements to our service. We receive this information from you.
If you use our website you'll be informed of the presence of cookies which are used to collect information relating to how you use the website. The cookies cannot identify you, as the information collected is anonymous, and therefore cannot be classed as personal.
We intend to continue improving the content and function of our website. For this reason, we may monitor customer traffic patterns and site usage to help us improve the design and layout of our site and provide content of interest to you.
For more information on our cookie policy, please click here.
The RMSPS will retain information in line with our Data Retention Policy. Data will not be held for any longer than is necessary to perform the processing, and will be destroyed when all processing activity has been completed, that is six years after the last financial transaction has been made that relates to the data subject or any surviving beneficiary of the data subject.
The RMSPS use a number of approved third party providers who we may share your personal information with in order to deliver the service or to comply with legislation placed upon us. These include:
The scheme administrator Capita Employee Solutions is the processor of your personal information. Capita Employee Solutions uses sub-processors to provide operational, system and infrastructure support to administer your benefits (for example IT providers, letter printing, postal services, identity checking services, banks etc.).
We do not share your personal information outside of the European Economic Area (EEA). The only exception is if you were to request in writing for us to pay your benefits into a bank account that is outside of the EEA.
If you transfer to another pension scheme we’ll need to share your personal information with the relevant pension provider. For members who have benefits in the Royal Mail Pension Plan (RMPP) as well as the RMSPS, a data sharing agreement has been set up between the Trustee of the RMPP and Cabinet Office as scheme manager of the RMSPS. This is a mechanism to allow personal information to be shared. The purpose of this is to ensure that both parties are able to pay benefits in line with the scheme rules.
Statutory Bodies such as; The Pensions Regulator, the Pensions Ombudsman, the Department for Work and Pensions and Her Majesty’s Revenue and Customs, in accordance with our legal obligations.
In order to comply with our legal, regulatory and statutory obligations, sometimes we also need to pass your personal information to third parties, such as Her Majesty’s Courts, law enforcement agencies, auditors, and our professional advisers such as legal advisors and actuaries.
In order to continually meet the needs of members, and intermediaries, the RMSPS may need to conduct research and surveys. Some of those activities may require us to use your personal information.
When conducting such activities, we may need to share your personal information with other government bodies or departments, as well as with third party research partners. Wherever possible, we’ll use aggregated datasets, anonymisation or pseudonymisation techniques to limit personal information use to what is strictly necessary for the purpose of each activity.
Your personal information is not processed or stored outside of the EEA, unless you specifically request to be paid your pension into a non EEA bank account;
Where third parties are in receipt of your personal information, RMSPS require sufficient guarantees that appropriate technical and organisational measures are in place to maintain the required standard of security. Prior to a new supplier being appointed a Data Protection Impact Assessment is conducted to ensure that appropriate measures and controls are in place.
The security of your personal information is very important to us and we take this matter very seriously. We use appropriate procedures and security features and have in place a robust framework to ensure the security of your personal information.
The information security management systems operated by our administrators and our IT managed services providers are all independently certified to the ISO 27001:2013 standard. This gives us assurance that our systems and processes are robust, and helps protect members’ personal information.
In addition, the scheme administrators operate a Privacy by Design Policy, which means that a structured assessment of personal information risks is conducted at the point that any new or amended data processing systems or infrastructure are considered. This ensures that data protection is built in and compliant with the data protection law for any changes or new initiatives.
Data protection legislation provides you with a number of rights with respect to your personal information. Some of these rights only apply where the personal data is being processed in reliance on certain lawful bases. The table below shows which rights are applicable to you and which are not, and there is more information regarding each right following the table:
* In relation to some data.
You have a right to understand how we process your personal information and your rights relating to it. This Privacy Policy provides this information.
You have a right to access your personal information. We routinely provide access to a summary of your information, as explained below:
The provision of Current Value Statements or P60s (as applicable) does not prevent you from requesting access to specific items or all of your personal information that the RMSPS hold.
A request for your information will be free of charge, with the exception that a reasonable fee can be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive. Any fees charged will be based on the administrative cost of providing the information. Where we have identified that a charge is applicable, we will notify you in advance so that you can decide whether to continue or not.
Information will be provided within one month of receipt, however we are able to extend this by a further two months where requests are complex or numerous. If this is the case, we will inform you within one month of the receipt of the request and explain why the extension is necessary.
Where requests are manifestly unfounded or excessive, in particular because they are repetitive, we can either charge a reasonable fee or refuse to respond. Where we refuse to respond to a request, we will explain the reason why and inform you of your right to complain to the supervisory authority and to a judicial remedy within one month.
Please contact us by emailing the helpline at enquiries@rmsps.co.uk if you would like access to your personal information. Please be as specific as you can in relation to the personal information you would like to have access to.
You have a right to have personal information rectified (corrected) if it is inaccurate or incomplete.
The common changes of personal details (e.g. name, address, bank details (pensioners only)) can be done by contacting Capita Employee Solutions either by phone or email.
Where we have shared your information with others and it is subsequently rectified, we will share the corrected information with those parties.
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable you to request the deletion or removal of personal information where there is no compelling reason for its continued processing.
In the case of pension information, there are very few circumstances where the right to erasure can be invoked as the maintenance of your pension information is required in order to pay your benefits either now or in the future.
If you consider that there is no compelling reason for the scheme to continue to hold your personal information then please contact us. Please note that, if you have benefits in the scheme either in payment or deferred, we may refuse your request if complying with it would prevent us from fulfilling our function of administering your pension, including paying the benefits that you are entitled to.
You have the right to request that we restrict our processing of your personal information in the following circumstances:
Please note that, where you have requested the restriction of the processing of your personal information, we may be unable to carry out our function of administering your pension, including paying the benefits that you are entitled to.
Where we need to process the personal data for the establishment, exercise or defence of legal claims, we will continue to process your personal information notwithstanding your request.
Where you have provided your personal information to us in a widely used digital format, you have the right to receive such personal information and to pass it on to another data controller without hindrance from us or to request that we transmit it to another data controller directly.
This right does not apply where the processing is based on a legal obligation or in order to enable us to carry out a task in the public interest, or where the processing is not carried out by automated means.
Where we process your information solely on the basis that doing so is necessary for the performance of a task in the public interest, you have a right to object to the processing. We will then cease processing unless the processing is necessary for the establishment, exercise or defence of legal claims or there are otherwise compelling legitimate grounds for doing so.
This right does not apply where your information is being processed to comply with our legal obligation to administer your pension or, in the case of your health details, where your explicit consent has been obtained.
Please note that the RMSPS do not perform any direct marketing activities and we do not sell or otherwise provide your personal information to any third parties for the purposes of marketing. Your personal information is used solely for the purposes of administrating your benefits under the RMSPS.
This right prevents decisions being taken based solely on automated processing, including profiling. The RMSPS do not perform solely automated decision making.
A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information transmitted, stored or otherwise processed.
All organisations have a duty to report certain types of personal data breach to the relevant supervisory authority (the ICO) within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting your individual rights and freedoms, we must also inform you without undue delay.
We operate robust breach detection, investigation and internal reporting procedures to facilitate decision-making about whether or not we need to notify the relevant supervisory authority and you.
We maintain a record of any personal data breaches, regardless of whether they were notified to the ICO or to you.
If you believe your Personal Data has been compromised, then please contact us using the contact details provided below.
The information provided in this Privacy Policy is in addition to any other privacy information we may give you on this website or via other means as outlined throughout this policy.
You may also wish to view your previous employer’s Privacy Policy that will explain how they collected and provided your personal information to the scheme.
If you are a member who has benefits in both the RMSPS and the Royal Mail Pension Plan (RMPP) you may also wish to view the RMPP privacy notice which explains how they collect and use your personal data.
If you wish, you can contact the scheme administrator, Capita Employee Solutions at:
You may also contact either the scheme manager’s or scheme administrator’s Data Protection Officer (DPO) using the following details:
If you have concerns about the way we handle your personal information, we would like you to raise it with us so that we have the opportunity to put it right.
If you think that we haven’t dealt with your concerns fully and appropriately, you can contact the ICO to report your concerns. We will work cooperatively with the ICO in order to resolve your concerns. They can be contacted by:
Any complaint to the Information Commissioner is without prejudice to your right to seek an effective judicial remedy against a legally binding decision of the Supervisory Authority. You have the right to appoint a representative to act upon your behalf.
This Cookie Policy is supplemental to the Hartlink terms and conditions, and which, by continuing to access the Hartlink website you are deemed to accept and agree to be bound by.
We are committed to ensuring that your data is protected. This Cookie Policy explains how we use the information we collect about you by our use of cookies, and the purpose for which we use them.