Introduction
The purpose of this Privacy Policy is to explain why and how the Civil Service Pension Scheme arrangements collect and use your personal information, your rights regarding this information and how we comply with data protection law.
If you are not yet a member of the Civil Service Pension Scheme arrangements then this policy explains how we would use your personal information if you were to become a member, for example if you became employed by an organisation that offers the schemes as part of its benefits package.
We keep this privacy policy under regular review and any changes we make to our Privacy policy in the future will be posted on this page.
Contents
1. Overview of Data Protection Legislation
2. The Civil Service Pension Scheme Arrangements
3. Why we use your personal information
4. How we use your personal information
5. What personal information we use
6. How long we keep your personal information for
7. Sharing your personal information with third parties
8. Security and safe storage of your personal information
9. Your rights in relation to the personal information we hold about you
12. Further information, contact details and concerns
Data protection legislation refers to all applicable privacy and data protection laws including the General Data Protection Regulation ((EU) 2016/679), the Data Protection Act 2018 and any further or additional laws, regulations and secondary legislation in England and Wales relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time. All EU (including UK) organisations must comply with the General Data Protection Regulations (GDPR) from 25 May 2018. The GDPR builds on the existing Data Protection legislation in order to respond to advances in technology, making accountabilities for Data Protection clearer, provide greater rights to ‘data subjects’ (individuals who organisations hold personal information for) and increase the size of fines that can be levied in the event of a personal information breach.
Legislation sets out the data protection principles. These are that personal information shall be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal information is processed; and
- Processed in a manner that ensures appropriate security of the personal information, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Information Commissioner’s Office (ICO) is the UK's independent body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The Civil Service Pension Scheme arrangements include the provision of multiple schemes, in line with the Pensions Act 2015. These are listed below along with whether they are covered under this Privacy Policy.
|
Civil Service Pension Scheme |
Covered in this Privacy Policy |
|
Defined Benefit pension schemes - classic, classic plus, premium, nuvos, alpha |
Y |
|
Civil Service Compensation Scheme (CSCS) |
Y |
|
Civil Service Injury Benefits Scheme (CSIBS) |
Y |
|
Defined Contribution pension scheme – partnership |
See Section 11 |
|
Civil Service Additional Voluntary Contribution Scheme (AVC) |
See Section 11 |
The Cabinet Office is the Scheme Manager responsible for all of the Civil Service Pension Scheme arrangements. This means, they are the ‘data controller’ for the personal information collected to provide the arrangements to you.
If you are an active employee that is in employment and contributing to a pension scheme, then your employer is also the ‘joint controller’ of your personal information, as they collect and process personal information about you and pass it to the Civil Service Pension Scheme arrangements. For more information see the memorandum of understanding between the Scheme Manager and employers.
MyCSP is the Scheme Administrator for the schemes covered in this policy and is known as the ‘data processor’. The data controller (Cabinet Office) sets out what and how the data processor (MyCSP) can use your personal information.
a. Use of your personal information to comply with a legal obligation or to perform a public interest task
The Cabinet Office will only use your personal information where it has a ‘lawful basis’ under the GDPR for doing so. We reply upon the following lawful bases:
- where we must comply with a legal obligation; or
- where we must perform a task carried out in the public interest.
As the Scheme Manager, the Cabinet Office has legal obligations set out in scheme legislation to provide pensions and other benefits to eligible members, as well as complying with other legal requirements affecting the schemes.
In addition, the Cabinet Office is carrying out a task in the public interest by managing and administering a public service pension scheme.
The Cabinet Office may also use your personal information where it suspects that you have committed a criminal offence such as fraud or to defend its legal rights.
The main purposes for which we may use your personal information are to:
- Administer your Civil Service Pension;
- Pay any benefits due to you;
- Communicate and interact with you. This can be by phone, email, post or online (via our website, portal or App);
- Provide services and information you request from us;
- Inform you about changes to the schemes;
- Improve our service offering, including through collection and responding to feedback;
- To protect your interests and those of the schemes.
- Conduct research and surveys. We will only ever contact by SMS to ask about our service and never to ask for bank details or personal information; and
- Comply with our legal obligations such as co-operating with the Pensions Regulator or the Pensions Ombudsman.
As pensions are long term, the reason for processing your personal information is likely to change over time as your circumstances change, for example:
- If you are an active member, in employment and contributing to a pension scheme, then we need to collect details such as your salary and amount of time worked in order to calculate the level of pension you will receive in the future;
- If you are a deferred member, meaning you were an active employee but have left the scheme but have not retired and taken any benefits from the scheme, then we need to hold your personal details collected during employment, so we can pay your deferred benefits at a later date;
- If you are a pensioner member, you are being paid benefits from the scheme, then we need to hold your personal details in order to pay you your benefits.
b. Use of your personal information where it is in our legitimate interests or the legitimate interests of a third
party
We use your data for analysis of data quality to better inform commercial procurement activities concerning pension administration. Where we use your data in this way we will anonymise it before sharing it with any third parties.
Your data will be securely transferred for the purposes of migrating from the incumbent pensions administrator to a new supplier following the procurement of administration services for the Civil Service Pension Scheme.
c. Use of your ‘special category’ personal information based on consent
We do not generally require your consent to use your personal information, since we are entitled to do so in reliance on the two lawful bases outlined above. However, if you apply for payment of your benefits on the grounds of ill health, we will need your explicit consent in order to be able to process your health details. This is because health details are classed as a ‘special category’ of personal information under the GDPR.
You will be asked for your consent to sharing the information with relevant parties, for example the Scheme Medical Advisor.
You may withdraw your consent to our processing of your health details at any time.
a. Receiving information about you, from your employer
When your employer enrolled you into the Civil Service Pension Scheme arrangements, your personal information was sent to us to set you up as a member of the Civil Service Pension Scheme arrangements. This was explained to you in your New Entrant letter.
If you are an active member, your employer continues to send us your personal information (usually monthly), including for example salary and amount of time worked. This is so we are able to maintain your pension record, send you an Annual Benefit Statement and be in a position to calculate your benefits when they become payable, or if you wish to leave the scheme.
Your employer keeps us informed of any changes to address or marital status therefore it is important that you keep your employer updated of any changes to your personal circumstances.
In some instances we may receive additional personal information, about your health, for example if you are applying for benefits from the Civil Service Injury Benefits Scheme. This is so we can assess your eligibility for benefits from that scheme.
b. Receiving information from you
You may provide us with your personal information, for example you will need to inform us of your Death Benefit Nominee(s) spouse, Civil Partner or any other dependents. You may provide us directly with details of changes to your personal circumstances such as change of address.
When you are an active member your employer will also keep us informed of any changes to address or marital status, but when you are a deferred or pensioner member then you need to inform MyCSP directly of such changes.
Any online, postal, email or phone communication you have with the Scheme Administrator (MyCSP), are also classed as your personal information. These communications are retained in order to protect your interests and those of the schemes. Online, email and any postal communications are securely stored electronically and phone calls are recorded.
c. Storing your personal information securely
The security of your personal information is very important to us. The information security management systems operated by the Scheme Administrator and our IT managed services providers are all independently certified to the ISO 27001:2013 standard. This provides the assurance that our systems and processes are suitably robust and secure to protect your information from cyber-attack.
Personal information is defined as any information relating to an identified or identifiable living person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a unique identification number (for example your National Insurance Number), location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
In the context of the Civil Service Pension Scheme arrangements we can require the following current and previous (where applicable) information to administer the schemes:
a. Your personal details:
These are required to make sure we record your employment details correctly for pension purposes, can communicate with you and can satisfy our regulatory obligations, such as informing HMRC of any tax due. With the exception of a member number which is allocated by the administrator we receive this information from your employer:
- Name and title;
- Date of birth;
- Gender;
- Marital status;
- Address;
- Telephone number;
- Email address;
- National Insurance Number (NINo);
- Member number;
- Any medical records if applied for Civil Service Injury Benefits Scheme.
b. Your death benefit nominee details:
These are required in the event of your death so that we can pay any death benefits due. We receive this information from you:
- Nominee name(s);
- Nominee address(es).
Important Note: the Civil Service Pension Scheme arrangements do not notify your chosen nominees of the fact that you have nominated them for any benefits that may be due upon your death. This is because it is your right to choose who may benefit, you may not wish the beneficiary to know and you may change your mind in the future. Our first contact with your Death Benefit Nominee(s) will be in the event of your death. We do request though that if you nominate a child and you do not have parental responsibility for that child then you seek consent from a parent or legal guardian before making that nomination.
c. Your employment details:
These are required to calculate your pension benefits, either when they become payable, if you are eligible for a refund or if you wish to transfer benefits to a different provider. We receive this information from your employer:
- Salary details including any bonus or allowances;
- Employment (service) history, including any breaks in service, or where service has been transferred in, in order to calculate your ‘reckonable service’ (this is the amount of time worked that is used to calculate your pension benefits). Note that any days where you have been on strike are recorded, as these days do not count towards your reckonable service. This may suggest, but not categorically confirm that you are a member of a Trade Union which the GDPR classes as more sensitive information;
- Pension contribution history.
- Information relating to your entitlement to benefits (on grounds of loss to the employer/scheme, or arising from criminal, negligent or fraudulent activity).
d. Your previous pension benefits:
You may have transferred benefits into the Civil Service Pension Scheme arrangements from another pension provider in line with the scheme rules. We received this information from your previous pension provider and from you directly.
e. Information required to pay/administer benefits:
The Civil Service Pension Scheme arrangements may pay benefits to you, your spouse, your dependants and your nominees over the period of your membership of the scheme arrangements. In some instances we may require official documentation to verify your personal circumstances or the identity of others in order to pay those benefits. This information will be provided by either yourself or others and include:
- Identification documents;
- Legal certificates (for example birth certificates, marriage/civil partnership certificates, death certificates);
- Pension sharing orders;
f. Information relating to your satisfaction with the service provided:
The Civil Service Pension Scheme arrangements operate a continuous improvement approach and as such may request feedback from you, either by the phone or written/electronic. We also progress any complaints you may have in order that we can make improvements to our service. We receive this information from you.
g. Information relating to using our website:
If you use our website, https://www.civilservicepensionscheme.org.uk you’ll be informed of the presence of cookies which are used to collect information relating to how you use the website. The cookies cannot identify you as the information collected is anonymous, and therefore cannot be classed as personal.
We intend to continue improving the content and function of our website. For this reason, we may monitor customer traffic patterns and site usage to help us improve the design and layout of our site and provide content of interest to you.
For more information, see our cookie policy.
The Civil Service Pension Scheme arrangements will retain information in line with our Data Retention Policy. Data will not be held for any longer than is necessary to perform the processing, and will be destroyed when all processing activity has been completed, that is six years after the last financial transaction has been made that relates to the data subject or any surviving beneficiary of the data subject.
The Civil Service Pension Scheme arrangements use a number of approved third party providers who we may share your personal information with in order to deliver the service or to comply with legislation placed upon us. These include:
a. For scheme administration purposes
The Scheme Administrator MyCSP Ltd is the processor of your personal information. MyCSP Ltd uses sub-processors to provide operational, system and infrastructure support to administer your benefits (for example IT providers, digital assistants (chat bots), live chat, letter printing, postal services, identity checking services, banks etc.).
We will also share data with your employer where it is necessary for scheme administration purposes. This would include, for example, passing communications to employers to forward on to you if you have a protected address.
We do not share your personal information outside of the European Economic Area (EEA). The only exception is if you were to request in writing for us to pay your benefits into a bank account that is outside of the EEA.
If you transfer to another pension scheme, or wish to have Additional Voluntary Contributions (AVCs) we’ll need to share your personal information with the relevant pension provider.
b. For compliance purposes
Statutory Bodies such as; The Pensions Regulator, the Pensions Ombudsman, the Department for Work and Pensions and His Majesty’s Revenue and Customs, in accordance with our legal obligations.
In order to comply with our legal, regulatory and statutory obligations, sometimes we also need to pass your personal information to third parties, such as His Majesty’s Courts, law enforcement agencies, auditors, and our professional advisers such as legal advisors and actuaries.
c. For research purposes
In order to continually meet the needs of members, participating employers and intermediaries, the Civil Service Pension Scheme arrangements may need to conduct research and surveys. Some of those activities may require us to use your personal information.
When conducting such activities, we may need to share your personal information with other government bodies or departments, as well as with third party research partners. Wherever possible, we’ll use aggregated datasets, anonymisation or pseudonymisation techniques to limit personal information use to what is strictly necessary for the purpose of each activity.
d. General notes relating to sharing of your information
Your personal information is not processed or stored outside of the UK, unless you specifically request to be paid your pension into a non-UK bank account;
Where third parties are in receipt of your personal information, Civil Service Pensions require sufficient guarantees that appropriate technical and organisational measures are in place to maintain the required standard of security. Prior to a new supplier being appointed a Data Protection Impact Assessment is conducted to ensure that appropriate measures and controls are in place.
Your data will be shared with Capita Business Services following the procurement of pensions administration services. The service will transition to Capita in Q4 2025. During the next two years, Capita will ensure a secure platform is implemented to store your data, and migrate the data from the current platform to their pensions administration software, Hartlink. The Scheme Manager will continue to act as Data Controller, and Capita will be the Data Processor.
The security of your personal information is very important to us and we take this matter very seriously. We use appropriate procedures and security features and have in place a robust framework to ensure the security of your personal information.
The information security management systems operated by our administrators and our IT managed services providers are all independently certified to the ISO 27001 standard. All data is stored in two data centres hosted in the UK. This gives us assurance that our systems and processes are robust, and helps protect members’ personal information.
In addition, the Scheme Administrator operates Privacy by Design Policy, which means that a structured assessment of personal information risks is conducted at the point that any new or amended data processing systems or infrastructure are considered. This ensures that data protection is built in from the outset of any changes or new initiatives.
Data stored by Capita will be stored in two data centres hosted in the UK. The platform will be certified to ISO 27001:2022 and will be Cyber Essentials Plus accredited. Capita will maintain a Security Management Plan throughout the life of the contract.
Data protection legislation provides individuals with a number of rights with respect to your personal information. These are not always applicable because in some cases the lawful basis for processing overrides that right. The table below shows which rights are applicable and which are not where we process your data on the lawful basis that we are complying with our legal obligations, and there is more information regarding each right following the table:
|
Personal information Rights |
Applicable to Civil Service Pension scheme |
|
The right to be informed |
Y |
|
The right of access |
Y |
|
The right to rectification |
Y |
|
The right to erasure |
Y |
|
The right to restrict processing |
Y |
|
The right to data portability |
N* |
|
The right to object |
N* |
* In relation to some data.
a. The right to be informed
You have a right to understand how we process your personal information and your rights relating to it. This Privacy Policy provides this information.
b. The right of access
You have a right to access your personal information. We routinely provide access to a summary of your information, as explained below:
- If you are an active member (i.e. still in work and paying into the scheme) then you will receive an Annual Benefit Statement (ABS) each year. Your ABS will contain some of your personal information (e.g. name, address, date of birth, nominee details, pension benefits). More information about the ABS.
- If you are a deferred member (i.e. you have a Civil Service pension that you have not yet claimed and are no longer contributing to) you can request a statement of your deferred benefits. To request a deferred ABS, please contact us. Please note that if you request more than one statement a year there may be a charge;
- If you are a pensioner member (i.e. you are receiving your Civil Service pension), then you will be sent a P60 after the end of each tax year. This will contain some of your personal information (e.g. name, address, NINO, pension).
The provision of an ABS or P60 (as applicable) does not prevent you from requesting access to specific items or all of your personal information that the Civil Service Pension Scheme arrangements hold.
A request for your information will be free of charge, with the exception that a reasonable fee can be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive. Any fees charged will be based on the administrative cost of providing the information. Where we have identified that a charge is applicable, we will notify you in advance so that you can decide whether to continue or not.
Information will be provided within one month of receipt, however we are able to extend this by a further two months where requests are complex or numerous. If this is the case, we will inform you within one month of the receipt of the request and explain why the extension is necessary.
Where requests are manifestly unfounded or excessive, in particular because they are repetitive, we can either charge the reasonable fee or refuse to respond. Where we refuse to respond to a request, we will explain the reason why and inform you of your right to complain to the supervisory authority and to a judicial remedy within one month.
Please contact us if you would like access to your personal information. Please be as specific as you can in relation to the personal information you would like to have access to.
c. The right to rectification (correction of data)
You have a right to have personal information rectified (corrected) if it is inaccurate or incomplete.
If you are an active employee (i.e. still in work and paying into the scheme) then your personal information can only be rectified by your employer, so you will need to contact them in the first instance. They will then pass corrected details to the Civil Service Pension Scheme arrangements.
If you are a deferred or pensioner member then the common changes of personal details (e.g. name, address, bank details (pensioners only)) can be done via existing forms - please refer to the member forms page on the civil service pensions website. If you still need help, then please contact us.
Where we have shared your information with others and it is subsequently rectified, we will share the corrected information with those parties.
d. The right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable you to request the deletion or removal of personal information where there is no compelling reason for its continued processing.
In the case of pension information, there are very few circumstances where the right to erasure can be invoked as the maintenance of your pension information is required in order to pay your benefits either now or in the future.
If you consider that there is no compelling reason for the scheme to continue to hold your personal information then please contact us. Please note that, if you have benefits in the scheme either in payment or deferred, we may refuse your request if complying with it would prevent us from fulfilling our function of administering your pension, including paying the benefits that you are entitled to.
e. The right to restrict processing
You have the right to request that we restrict our processing of your personal information in the following circumstances:
- You contest the accuracy of the personal information we hold;
- The personal information has been unlawfully processed and you oppose erasure and request restriction instead;
- We no longer need the personal information but you require us to keep it in order to establish, exercise or defend a legal claim; or
- You object to our processing your personal data under Article 21(1) of the GDPR, and we are considering whether our legitimate grounds or yours should take priority override those of the individual.
Please note that, where you have requested the restriction of the processing of your personal information, we may be unable to carry out our function of administering your pension, including paying the benefits that you are entitled to.
Where we need to process the personal data for the establishment, exercise or defence of legal claims, we will continue to process your personal information notwithstanding your request.
f. The right to data portability
Where you have provided your personal information to us in a widely used digital format, you have the right to receive such personal information and to pass it on to another data controller without hindrance from us or to request that we transmit it to another data controller directly.
This right does not apply where the processing is based on a legal obligation or in order to enable us to carry out a task in the public interest, or where the processing is not carried out by automated means.
g. The right to object
Where we process your information solely on the basis that doing so is necessary for the performance of a task in the public interest, you have a right to object to the processing. We will then cease processing unless the processing is necessary for the establishment, exercise or defence of legal claims or there are otherwise compelling legitimate grounds for doing so.
This right does not apply where your information is being processed to comply with our legal obligation to administer your pension or, in the case of your health details, where your explicit consent has been obtained.
Please note that the Civil Service Pension Arrangements do not perform any direct marketing activities and we do not sell or otherwise provide your personal information to any third parties for the purposes of marketing. Your personal information is used solely for the purposes of administrating your benefits under the Civil Service Pension Scheme.
h. Rights in relation to automated decision making and profiling
This right prevents decisions being taken based solely on automated processing, including profiling. The Civil Service Pension Scheme arrangements do not perform solely automated decision making.
A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information transmitted, stored or otherwise processed.
All organisations have a duty to report certain types of personal data breach to the relevant supervisory authority (the Information Commissioners Office) within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting your individual rights and freedoms, we must also inform you without undue delay.
We operate robust breach detection, investigation and internal reporting procedures to facilitate decision-making about whether or not we need to notify the relevant supervisory authority and you.
We maintain a record of any personal data breaches, regardless of whether they were notified to the ICO or to you.
If you believe your Personal Data has been compromised, then please contact us using the contact details provided below.
11. Civil Service Additional Voluntary Contribution (CSAVC) and Stakeholder pension scheme arrangements
a. Employers participating in the Civil Service Pension scheme arrangements will share payroll data providers of the CSAVC arrangements and Partnership pension accounts in order for your plan to be established and administered.
b. The providers of the CSAVC or partnership arrangements will hold the personal data supplied by the employer and will be processed by the provider in order to administer the scheme.
c. The employer and the providers of the accounts will pass data to the Scheme Manager, their administrators and advisers for the administration of the account. Data may include but it not limited to, personal details (name, date of birth, address), date of your retirement age, investment selection and fund value.
d. The providers of the CSAVC and Partnership arrangements have produced Privacy Policy Statements for the handling of any personal data processed for Civil Service members:
More information on Legal and General
More information on Scottish Widows
More information on Standard Life
More information on Utmost Life and Pensions
e. In addition, from time to time the scheme managers may need to share information about members who are or have contributed to CSAVC arrangements for consultancy purposes, the appointed Actuary for this purpose is the Government Actuary's Department. They act as a data controller for these services. Read the Government Actuary's Department's privacy policy.
a. Further information
The information provided in this privacy policy is in addition to any other privacy information we may give you on this website or via other means.
You may also wish to view your current or previous employer’s Privacy Policy that will explain how they collect(ed) and provided your personal information to the Civil Service Pension Scheme arrangements.
b. Contact us
Contact the Scheme Administrator, MyCSP
You may also contact either the Scheme Manager (Cabinet Office) or Scheme Administrator’s (MyCSP) Data Protection Officers (DPO) using the following details:
|
Scheme Manager (Cabinet Office) DPO |
Scheme Administrator (MyCSP) DPO |
|
Steve Jones Email dpo@cabinetoffice.gov.uk |
Graham Barnes Email security@mycsp.co.uk |
c. Complaints
If you have concerns about the way we handle your personal information then we would like you to raise it to us so that we have the opportunity to put it right.
If you think that we haven’t dealt with your concerns fully and appropriately, you can contact the Information Commissioner’s Office to report your concerns. We will work cooperatively with the ICO in order to resolve your concerns. They can be contacted by:
- Phone on +44 303 123 1113;
- Post to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF;
- Their website at http://www.ico.org.uk/concerns.
Any complaint to the Information Commissioner is without prejudice to your right to seek an effective judicial remedy against a legally binding decision of the Supervisory Authority. You have the right to appoint a representative to act upon your behalf.