If you are not yet a member of the Civil Service Pension Scheme arrangements then this policy explains how we would use your personal information if you were to become a member, for example if you became employed by an organisation that offers the schemes as part of its benefits package.
1. Overview of Data Protection Legislation
Data protection legislation refers to all applicable privacy and data protection laws including the General Data Protection Regulation ((EU) 2016/679), the Data Protection Act 2018 and any further or additional laws, regulations and secondary legislation in England and Wales relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time. All EU (including UK) organisations must comply with the General Data Protection Regulations (GDPR) from 25 May 2018. The GDPR builds on the existing Data Protection legislation in order to respond to advances in technology, making accountabilities for Data Protection clearer, provide greater rights to ‘data subjects’ (individuals who organisations hold personal information for) and increase the size of fines that can be levied in the event of a personal information breach.
Legislation sets out the data protection principles. These are that personal information shall be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal information is processed; and
- Processed in a manner that ensures appropriate security of the personal information, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Information Commissioner’s Office (ICO) is the UK's independent body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The Civil Service Pension Scheme Arrangements
Civil Service Pension Scheme
Defined Benefit pension schemes - classic, classic plus, premium, nuvos, alpha
Civil Service Compensation Scheme (CSCS)
Civil Service Injury Benefits Scheme (CSIBS)
Defined Contribution pension scheme – partnership
See Section 11
Civil Service Additional Voluntary Contribution Scheme (AVC)
See Section 11
The Cabinet Office is the Scheme Manager responsible for all of the Civil Service Pension Scheme arrangements. This means, they are the ‘data controller’ for the personal information collected to provide the arrangements to you.
If you are an active employee that is in employment and contributing to a pension scheme, then your employer is also the ‘joint controller’ of your personal information, as they collect and process personal information about you and pass it to the Civil Service Pension Scheme arrangements.
MyCSP is the Scheme Administrator for the schemes covered in this policy and is known as the ‘data processor’. The data controller (Cabinet Office) sets out what and how the data processor (the Scheme Administrator) can use your personal information.
3. Why we use your personal information
As the Scheme Manager, Cabinet Office has legal obligations set out in scheme legislation to provide pensions and other benefits to eligible members, as well as complying with other legal requirements affecting the schemes. This is the lawful basis for processing your personal information required under data protection legislation.
We use your personal information for the following purposes:
a. Administration of Civil Service Pension Scheme arrangement benefits
We use your personal information to:
- Administer your Civil Service Pension;
- Pay any benefits due to you;
- Communicate and interact with you. This can be by phone, email, post or online (via our website or portal);
- Provide services and information you request from us;
- Inform you about changes to the schemes;
- Improve our service offering, including through collection and responding to feedback.
As pensions are long term, the reason for processing your personal information is likely to change over time as your circumstances change, for example:
- If you are an active member, in employment and contributing to a pension scheme, then we need to collect details such as your salary and amount of time worked in order to calculate the level of pension you will receive in the future;
- If you are a deferred member, meaning you were an active employee but have left the scheme but have not retired and taken any benefits from the scheme, then we need to hold your personal details collected during employment, so we can pay your deferred benefits at a later date;
- If you are a pensioner member, you are being paid benefits from the scheme, then we need to hold your personal details in order to pay you your benefits.
b. Use of your personal information based on consent
The lawful basis for processing your personal information is that we have a legal obligation to do so under legislation. Therefore, we do not require your consent in order to process your personal information.
There is an exception to this, which is, if you apply for ill health retirement under the Civil Service Injury Benefit Scheme. Health details are classed as a “special category” of personal information under legislation and you will be asked for your consent to sharing the information with the relevant parties, for example the Scheme Medical Advisor, if you apply for ill health retirement.
c. Use of your personal information for legal or public interest reasons
There may be cases where due to legal reasons or public interest, the Civil Service Pension Scheme arrangements can or are required to use your personal information, for example, to defend its legal rights and to prevent and detect crimes such as fraudulent activities.
4. How we use your personal information
a. Receiving information about you, from your employer
When your employer enrolled you into the Civil Service Pension Scheme arrangements, your personal information was sent to us to set you up as a member of the Civil Service Pension Scheme arrangements. This was explained to you in your New Entrant letter.
If you are an active member, your employer continues to send us your personal information (usually monthly), including for example salary and amount of time worked. This is so we are able to maintain your pension record, send you an Annual Benefit Statement and be in a position to calculate your benefits when they become payable, or if you wish to leave the scheme.
Your employer keeps us informed of any changes to address or marital status therefore it is important that you keep your employer updated of any changes to your personal circumstances.
In some instances we may receive additional personal information, about your health, for example if you are applying for benefits from the Civil Service Injury Benefits Scheme. This is so we can assess your eligibility for benefits from that scheme
b. Receiving information from you
You may provide us with your personal information, for example you will need to inform us of your Death Benefit Nominee(s) or you may provide us directly with details of changes to your personal circumstances such as change of address.
When you are an active member your employer will also keep us informed of any changes to address or marital status, but when you are a deferred or pensioner member then you need to inform the Scheme Administrator (MyCSP) directly of such changes.
Any online, postal, email or phone communication you have with the Scheme Administrator (MyCSP), are also classed as personal information. These communications are retained in order to protect your interests and those of the schemes. Online, email and any postal communications are stored electronically and phone calls are recorded.
c. Storing your personal information securely
The security of your personal information is very important to us. The information security management systems operated by the Scheme Administrator and our IT managed services providers are all independently certified to the ISO 27001:2013 standard. This provides the assurance that our systems and processes are suitably robust and secure to protect your information from cyber-attack.
5. What personal information we use
Personal information is defined as any information relating to an identified or identifiable living person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a unique identification number (for example your National Insurance Number), location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
In the context of the Civil Service Pension Scheme arrangements we can require the following current and previous (where applicable) information to administer the schemes:
a. Your personal details:
These are required to ensure we record your employment details to your pension account correctly, can communicate with you and can satisfy our regulatory obligations, such as informing HMRC of any tax due. We receive this information from your employer:
- Name and title;
- Date of birth;
- Marital status;
- Telephone number;
- Email address;
- National Insurance Number (NINo);
- Member number;
- Any medical records if applied for Civil Service Injury Benefits Scheme.
b. Your death benefit nominee details:
These are required in the event of your death so that we can pay any death benefits due. We receive this information from you:
- Nominee name(s);
- Nominee address(es).
Important Note: the Civil Service Pension Scheme arrangements do not notify your chosen nominees of the fact that you have nominated them for any benefits that may be due upon your death. This is because it is your right to choose who may benefit, you may not wish the beneficiary to know and you may change your mind in the future. Our first contact with your Death Benefit Nominee(s) will be in the event of your death. We do request though that if you nominate a child and you do not have parental responsibility for that child then you seek consent from a parent or legal guardian before making that nomination.
c. Your employment details:
These are required to calculate your pension benefits, either when they become payable, if you are eligible for a refund or if you wish to transfer benefits to a different provider. We receive this information from your employer:
- Salary details including any bonus or allowances;
- Employment (service) history, including any breaks in service, or where service has been transferred in, in order to calculate your ‘reckonable service’ (this is the amount of time worked that is used to calculate your pension benefits). Note that any days where you have been on strike are recorded, as these days do not count towards your reckonable service. This may suggest, but not categorically confirm that you are a member of a Trade Union which the GDPR classes as more sensitive information;
- Pension contribution history.
d. Your previous pension benefits:
The Civil Service Pension Scheme arrangements allow you to transfer in other pension benefits (outside of the arrangements we administer) in line with the scheme rules. If you wish to transfer benefits in we will receive details about your previous pension in order to convert into benefits under the Civil Service Pension Scheme arrangements. We receive this information from your previous pension provider and from you directly.
e. Information required to pay/administer benefits:
The Civil Service Pension Scheme arrangements may pay benefits to you, your spouse, your dependants and your nominees over the period of your membership of the scheme arrangements. In some instances we may require official documentation to verify your personal circumstances or the identity of others in order to pay those benefits. This information will be provided by either yourself or others and include:
- Identification documents;
- Legal certificates (for example birth certificates, marriage/civil partnership certificates, death certificates);
- Pension sharing orders;
- Information relating to your entitlement to benefits (on grounds of loss to the employer/scheme, or arising from criminal, negligent or fraudulent activity).
f. Information relating to your satisfaction with the service provided:
The Civil Service Pension Scheme arrangements operate a continuous improvement approach and as such may request feedback from you, either by the phone or written/electronic. We also progress any complaints you may have in order that we can make improvements to our service. We receive this information from you.
g. Information relating to using our website:
If you use our website, https://www.civilservicepensionscheme.org.uk you’ll be informed of the presence of cookies which are used to collect information relating to how you use the website. The cookies cannot identify you as the information collected is anonymous, and therefore cannot be classed as personal. We use the data collected to improve the site for members. Please view our cookies policy for more information.
6. How long we keep your personal information for
The Civil Service Pension Scheme arrangements will retain information in line with our Data Retention Policy. This is under regular review and may change, however as pensions are long term, it is normal for us to retain your personal information for a long time, including after your death. This is because benefits may still be payable to others following your death.
7. Sharing your personal information with third parties
The Civil Service Pension Scheme arrangements use a number of approved third party providers who we may share your personal information with in order to deliver the service or to comply with legislation placed upon us. These include:
a. For scheme administration purposes
The Scheme Administrator (MyCSP) is the processor of your personal information. The Scheme Administrator (MyCSP) uses sub-processors to provide operational, system and infrastructure support to administer your benefits (for example IT providers, letter printing, postal services, identity checking services, banks etc.).
We do not share your personal information outside of the European Economic Area (EEA). The only exception is if you were to request in writing for us to pay your benefits into a bank account that is outside of the EEA.
If you transfer to another pension scheme, or wish to have Additional Voluntary Contributions (AVCs) we’ll need to share your personal information with the relevant pension provider.
b. For compliance purposes
Statutory Bodies such as; The Pensions Regulator, the Pensions Ombudsman, the Department for Work and Pensions and Her Majesty’s Revenue and Customs, in accordance with our legal obligations.
In order to comply with our legal, regulatory and statutory obligations, sometimes we also need to pass your personal information to 3rd parties, such as Her Majesty’s Courts, law enforcement agencies, auditors, and our professional advisers such as legal advisors and actuaries.
c. For research purposes
In order to continually meet the needs of members, participating employers and intermediaries, the Civil Service Pension Scheme arrangements may need to conduct research and surveys. Some of those activities may require us to use your personal information.
When conducting such activities, we may need to share your personal information with other government bodies or departments, as well as with third party research partners. Wherever possible, we’ll use aggregated datasets, anonymisation or pseudonymisation techniques to limit personal information use to what is strictly necessary for the purpose of each activity.
d. General notes relating to sharing of your information
Your personal information is not processed or stored outside of the EEA, unless you specifically request to be paid your pension into a non EEA bank account;
Where third parties are in receipt of your personal information, Civil Service Pensions require sufficient guarantees that appropriate technical and organisational measures are in place to maintain the required standard of security. Prior to a new supplier being appointed a Data Protection Impact Assessment is conducted to ensure that appropriate measures and controls are in place.
8. Security and safe storage of your personal information
The security of your personal information is very important to us and we take this matter very seriously. We use appropriate procedures and security features and have in place a robust framework to ensure the security of your personal information.
The information security management systems operated by our administrators and our IT managed services providers are all independently certified to the ISO 27001 standard. This gives us assurance that our systems and processes are robust, and helps protect members’ personal information.
In addition, the Scheme Administrator operates Privacy by Design Policy, which means that a structured assessment of personal information risks is conducted at the point that any new or amended processes are considered. This ensures that data protection is built in from the outset of any changes or new initiatives.
9. Your rights in relation to the personal information we hold about you
Data protection legislation provides individuals with a number of rights with respect to your personal information. These are not always applicable because in some cases the lawful basis for processing overrides that right. The table below shows which rights are applicable and which are not, and there is more information regarding each right following the table:
Personal information Rights
Applicable to Civil Service Pension scheme
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
*Note that whilst the right to data portability is not applicable under data protection legislation for the Civil Service Pension Scheme arrangements, the scheme rules allow for your pensions to be transferred to another provider, as explained below.
a. The right to be informed
b. The right of access
You have a right to access your personal information. We routinely provide access to a summary of your information, as explained below:
- If you are an active member (i.e. still in work and paying into the scheme) then you will receive an Annual Benefit Statement (ABS) each year. Your ABS will contain some of your personal information (e.g. name, address, date of birth, nominee details, pension benefits). More information about the ABS can be found here;
- If you are a deferred member (i.e. you have a Civil Service pension that you have not yet claimed and are no longer contributing to) you can request a statement of your deferred benefits. To request a deferred ABS, please contact us. Please note that if you request more than one statement a year there may be a charge;
- If you are a pensioner member (i.e. you are receiving your Civil Service pension), then you will be sent a P60 after the end of each tax year. This will contain some of your personal information (e.g. name, address, NINO, pension).
The provision of an ABS or P60 (as applicable) does not prevent you from requesting access to specific items or all of your personal information that the Civil Service Pension Scheme arrangements hold.
A request for your information will be free of charge, with the exception that a reasonable fee can be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive. Any fees charged will be based on the administrative cost of providing the information. Where we have identified that a charge is applicable, we will notify you in advance so that you can decide whether to continue or not.
Information will be provided within one month of receipt, however we are able to extend this by a further two months where requests are complex or numerous. If this is the case, we will inform you within one month of the receipt of the request and explain why the extension is necessary.
Where requests are manifestly unfounded or excessive, in particular because they are repetitive, we can either charge the reasonable fee or refuse to respond. Where we refuse to respond to a request, we will explain the reason why and inform you of your right to complain to the supervisory authority and to a judicial remedy within one month.
Please contact us if you would like access to your personal information. Please be as specific as you can in relation to the personal information you would like to have access to.
c. The right to rectification (correction of data)
You have a right to have personal information rectified (corrected) if it is inaccurate or incomplete.
If you are an active employee (i.e. still in work and paying into the scheme) then your personal information can only be rectified by your employer, so you will need to contact them in the first instance. They will then pass corrected details to the Civil Service Pension Scheme arrangements.
If you are a deferred or pensioner member then the common changes of personal details (e.g. name, address, bank details (pensioners only)) can be done via existing forms - please refer to the member forms page on the civil service pensions website. If you still need help, then please contact us. If we are informed of errors in data by a third party, we will contact you to validate and correct as required.
Where we have shared your information with others and it is subsequently rectified, we will share the corrected information with those parties.
d. The right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable you to request the deletion or removal of personal information where there is no compelling reason for its continued processing.
In the case of pension information, there are very few circumstances where the right to erasure can be invoked as the maintenance of your pension information is required in order to pay your benefits either now or in the future.
If you consider that there is no compelling reason for the scheme to continue to hold your personal information then please contact us. Note, that if you have benefits in the scheme either in payment or built up, then we will refuse your request as it would prevent you from receiving the benefits that you are entitled to.
e. The right to restrict processing
This right does not apply as the schemes will be required to continue processing your personal information in order for the scheme to administer your benefits and for any data rectification of personal information to be received and applied to your record. If you are concerned about the accuracy of personal information then your right to rectification can be invoked.
f. The right to data portability
This right does not apply as it is only relevant when the reason for processing is based upon your consent, which for the Civil Service Pension Scheme arrangements is not the case. However, the scheme rules allow for transfer of pension benefits to other schemes. More information on transfers can be found here.
g. The right to object
This right does not apply due to the legitimate grounds for us to process your information, namely that we need your personal information in order to administer your pension to ensure you receive the scheme benefits that you are entitled to.
Please note that the Civil Service Pension Scheme arrangements do not perform any direct marketing activities and we do not sell or otherwise provide your personal information to any third parties for the purposes of marketing. Your personal information is used solely for the purposes of administrating your benefits under the Civil Service Pension Scheme.
h. Rights in relation to automated decision making and profiling
This right prevents decisions being taken based solely on automated processing, including profiling. The Civil Service Pension Scheme arrangements do not perform solely automated decision making and therefore this right is not applicable.
10. Personal Data Breaches
A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information transmitted, stored or otherwise processed.
All organisations have a duty to report certain types of personal data breach to the relevant supervisory authority (the Information Commissioners Office) within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting your individuals rights and freedoms, we must also inform you without undue delay.
We operate robust breach detection, investigation and internal reporting procedures to facilitate decision-making about whether or not we need to notify the relevant supervisory authority and you.
We maintain a record of any personal data breaches, regardless of whether they were notified to the ICO or to you.
If you believe your Personal Data has been compromised, then please contact us using the contact details provided below.
11. Civil Service Additional Voluntary Contribution (CSAVC) and Stakeholder pension scheme arrangements
a. Employers participating in the Civil Service Pension scheme arrangements will share payroll data with providers of the CSAVC and Stakeholder pension accounts in order for your plan to be established and administered.
b. The provider of the CSAVC or partnership arrangements will hold the personal data supplied by the employer and will be processed by the provider in order to administer the scheme.
c. The employer and the providers of the accounts will pass data to the Scheme Manager, their administrators and advisers for the administration of the account. Data may include but it not limited to, personal details (name, date of birth, address), date of your retirement age, investment selection and fund value.
For information from Scottish Widows - Click here
For information from Standard Life - Click here
For information from Equitable Life - Click here
e. With effect from 1 September 2018, Legal & General will become the provider of CSAVC and partnership accounts. With effect from 1 September, personal data will be provided by employers, to enable Legal & General to establish pension arrangements for all scheme members whose plans are being transferred to Legal & General, where required, to facilitate a transfer of assets.
12. Further information, Contact Details and Concerns
a. Further information
b. Contact us
If you wish, you can contact the Scheme Administrator (MyCSP) by clicking here.
You may also contact either the Scheme Manager (Cabinet Office) or Scheme Administrator’s (MyCSP) Data Protection Officers (DPO) using the following details:
Scheme Manager (Cabinet Office) DPO
Scheme Administrator (MyCSP) DPO
If you have concerns about the way we handle your personal information then we would like you to raise it to us so that we have the opportunity to put it right.
If you think that we haven’t dealt with your concerns fully and appropriately, you can contact the Information Commissioner’s Office to report your concerns. We will work cooperatively with the ICO in order to resolve your concerns. They can be contacted by:
- Phone on +44 303 123 1113;
- Post to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF;
- Their website at http://www.ico.org.uk/concerns.
Any complaint to the Information Commissioner is without prejudice to your right to seek an effective judicial remedy against a legally binding decision of the Supervisory Authority. You have the right to appoint a representative to act upon your behalf.