Border to Coast Pensions Partnership Limited respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data when you visit our website and tell you about your privacy rights and how the law protects you.
Border to Coast Pensions Partnership Limited is the controller and responsible for your personal data (referred to as “Border to Coast”, “we”, “us” or “our” in this privacy notice).
WHAT IS PERSONAL DATA AND WHAT PERSONAL DATA DOES BORDER TO COAST HOLD?
The data protection laws define Personal Data as “data relating to living, identifiable individuals”.
Prospective employees only: We are required by law to treat certain categories of Personal Data with even more care than usual. These are called sensitive or Special Categories of Personal Data and different lawful bases apply to them. Information relating to your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying you, data concerning health or concerning your sex life or sexual orientation will fall within the Special Categories of Personal Data.
The term “process” means any activity relating to Personal Data, including, by way of example, collection, storage, use, consultation and transmission.
Border to Coast is a “Controller” of your Personal Data. This is a legal term – it means that we make decisions about how and why we process your Personal Data and, because of this, we are responsible for making sure it is used in accordance with data protection laws.
It should be noted that Border to Coast’s clients are corporate entities i.e. local government pension schemes rather than individuals. Border to Coast does not hold any Personal Data in relation to the underlying individual members of the pension schemes whose assets Border to Coast manages. Consequently, the Personal Data that we do hold is very limited and primarily relates to our employees, the business contacts within the local government pension schemes that we manage and the business contacts at our service providers, suppliers and other third parties.
The relevant information we collect and hold can be categorised as follows:
Prospective Employees – contact details, identification information, background information, employment history, financial information, employment administration information, job performance information, remuneration information, investigation, grievance and disciplinary, benefits information, assets, systems and platform usage and communications information, healthcare and pension arrangements. We may collect some information about prospective employees which falls within the Special Categories of Personal Data (above), including race, ethnicity, religious beliefs, sexual orientation, health and trade union membership. We will use this information where we need to provide appropriate adjustments, services or to enable meaningful equal opportunities monitoring. Also, information relating to criminal convictions and offences will only be collected and stored where this is necessary. This information will only be collected and used where there is a requirement for a high level of trust and integrity to be demonstrated and it relates to FCA approval processes for specific roles.
Clients – the names and business contact details of the individuals we interact with at our local government pension scheme clients together with background and identification information that we are required to collect for regulatory purposes.
Service Providers, Suppliers and Contractors – the names and business contact details of the individuals we interact with at our service providers, suppliers and contractors together with background and identification information that we are required to collect for regulatory purposes.
Other Business Partners / Contacts (e.g. banks, brokers, registrars, lawyers, accountants, actuaries, regulators, HMRC, investee companies, property agents etc) – the names and business contact details of the individuals we interact with at these entities together with background and identification information that we are required to collect for regulatory purposes.
Further details of the Personal Data we collect, where we get it from and what we do with it are set out in Schedule 1.
HOW IS PERSONAL DATA COLLECTED?
Border to Coast uses different methods to collect Personal Data including the following:
- you provide us with Personal Data directly, for instance when you apply for a job with us and in the course of your job, when you complete forms provided by us, when you correspond with us and when you enter into a contract with us, as relevant; and
- we obtain some Personal Data from other sources, including from other people and organisations, including some publicly available sources e.g. Companies House, Registrars and background employment and credit check providers.
You can read more about the sources of Personal Data in the more detailed information set out in Schedule 1.
If any of the Personal Data you have given to us changes, such as your contact details, please inform us without delay by contacting our DPO using the contact details at the bottom of this notice.
HOW DO WE USE PERSONAL DATA?
The Personal Data we obtain and hold is used to enable us to:
- administer your application for a job with us and consider your suitability for the relevant role, conduct verification and vetting including where it is necessary for FCA approval processes for specific roles;
- communicate with you;
- manage and administer our equal opportunities reporting;
- respond to requests or search warrants or orders from courts, governmental, regulatory and/or enforcement bodies and authorities;
- support the sale, transfer or merging of part or all of our business or assets, or in connection with the acquisition of another business;
- provide investment, management and administration services to our clients;
- fulfil our contractual and other obligations to candidates, suppliers, contractors and other business partners; and
- meet our legal and regulatory obligations.
We are required by law to always have a permitted reason or justification (called a “legal basis”) for processing Personal Data. In the vast majority of instances, Border to Coast will use one of the following lawful bases:
- Processing is necessary for the performance of our contract with you;
- Processing is necessary for us to comply with our legal obligations; and
- Processing is for our legitimate business interests – in this instance the processing must be “necessary” and we must balance the interests of the controller with the rights of the individual.
We are required to have an additional justification for processing any Special Category Personal Data relating to you. We will rely upon the following justifications for processing Special Category Personal Data:
- Processing is necessary to protect your vital interests or those of another person and you or they are physically or legally incapable of giving consent;
- Processing is necessary for our establishment, exercise or defence of legal claims; and
- Processing is necessary for reasons of substantial public interest.
It is important that the Personal Data we hold is accurate and current and, therefore, you, the Data Subject, should advise us as soon as possible in the event of any changes.
WHO DO WE DISCLOSE PERSONAL DATA TO?
We will only use your Personal Data for our internal business purposes. We do not sell any Personal Data to third parties (except as relevant in relation to the first bullet below) and we do not share Personal Data with third parties for the third parties’ marketing purposes.
From time to time, we may ask third parties to carry out certain business functions for us, such as the administration of our payroll and our IT support. We may need to disclose Personal Data strictly on a need to know basis to our service providers, contractors, suppliers and other parties such as banks, brokers, registrars, lawyers, accountants, actuaries, regulators, payroll, pension providers, life assurance provider and HMRC.
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. Before we disclose your Personal Data to our service providers, we will make sure that they have appropriate security standards in place to make sure your Personal Data is protected and we will enter into a written contract imposing appropriate security standards on them. We do not allow our third-party service providers to use your Personal Data for their own purposes outside of the reasons we supplied it to them (although some of them will be controllers in their own right – for instance lawyers, accountants, regulators, pension providers, life assurance provider and HMRC; and some of them will need to use it for compliance with their own legal and regulatory compliance purposes). We only permit them to process your Personal Data for specified purposes and (if they are processors acting on our behalf) in accordance with our instructions.
In certain circumstances, we will also disclose your personal data to other third parties who will receive it as controllers of your personal data in their own right, in particular:
- if we transfer, purchase, reorganise, merge or sell any part of our business or the business of a third party, and we disclose or transfer your personal data to the prospective seller, buyer or other third party involved in a business transfer, reorganisation or merger arrangement (and their advisors); and
- if we need to disclose your personal data in order to comply with a legal obligation, to enforce a contract or to protect the rights, property or safety of our customers or others.
In addition to/supplementary to those persons mentioned above, we are likely to share your Personal Data with the following categories of recipients:
- consultants and professional advisors including legal advisors and accountants;
- courts, court-appointed persons/entities, receivers and liquidators;
- business partners and joint ventures;
- trade associations and professional bodies;
- insurers; and
- governmental departments, statutory and regulatory bodies including the Department for Work & Pensions, Information Commissioner’s Office, the police and Her Majesty’s Revenue and Customs.
WHAT DO WE DO TO KEEP PERSONAL DATA SECURE?
We have put in place appropriate physical and technical measures to safeguard the Personal Data we collect in connection with our services. In addition, we limit access to Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process Personal Data on our instructions and are subject to a duty of confidentiality.
However, please note that, although we take appropriate steps to protect Personal Data, no device, computer system, transmission of data or wireless connection is completely secure and, therefore, we cannot guarantee the absolute security of Personal Data shared with us over the internet.
INTERNATIONAL TRANSFER OF PERSONAL DATA
The Personal Data that we collect may be stored and processed in the United Kingdom and European Economic Area (“EEA”) or transferred to, stored at or otherwise processed outside of the United Kingdom.
Where Personal Data is going to be part of a ‘Restricted Transfer’, we must ensure that the Personal Data is kept secure and properly protected. A ‘Restricted Transfer’ is a transfer of Personal Data to another country or territory which is not deemed to provide adequate protection for personal data by its laws and so for which mechanisms for transfer are needed, including appropriate transfer agreements and mechanisms (such as the EU Model Clauses). These will be put in place to help ensure that (for example) our third party service providers provide an adequate level of protection for Personal Data. We will only make Restricted Transfers of Personal Data in accordance with applicable laws or where you have given us consent to do so.
DATA RETENTION – HOW LONG IS PERSONAL DATA STORED / KEPT?
Border to Coast retains Personal Data in line with its Information Governance and Data Retention Policies and for as long as necessary to fulfil the purposes for which the Personal Data has been collected as outlined in this Privacy Notice unless a longer retention period is required by law. Personal Data is kept under regular review to ensure that it is not held longer than is strictly necessary, whilst taking account of Border to Coast’s other regulatory obligations such as the requirement to retain evidence of anti-money laundering checks or Regulated references.
When Personal Data is no longer required for the purpose it was collected or as required by applicable law, it will be deleted or in certain circumstances returned to you in accordance with applicable law.
ACCESSING PERSONAL DATA AND YOUR RIGHTS
Border to Coast will collect, store and process Personal Data in accordance with your rights under the UK General Data Protection Regulation (UK GDPR). Under certain circumstances you have the following rights in relation to your Personal Data:
- the right to request details of your Personal Data held by Border to Coast and to request copies of such information (this is more commonly known as submitting a “data subject access request”);
- where Border to Coast’s use of Personal Data is based upon your consent, the right to withdraw such consent at any time;
- the right, in certain circumstances, to request Border to Coast to receive your Personal Data which you have provided to us and which is processed by us by automated means or to have it transmitted direct to another organisation;
- the right to challenge the accuracy or completeness of your Personal Data and to request Border to Coast to rectify or update any Personal Data that is incorrect or incomplete;
- the right to have Personal Data erased in certain specified circumstances;
- the right to object to or ask us to restrict the processing of your Personal Data;
- the right to object to specific types of processing of Personal Data, for example where it is being used for direct marketing;
- the right, in certain circumstances, not to be subject to decisions being taken solely on the basis of automated processing (e.g. profiling).
HOW CAN YOU ENFORCE YOUR RIGHTS?
If you wish to enforce any of your rights under the UK GDPR please contact us using the details below. A response to the request will be made without undue delay and no later than one month from receipt of such a request. We will not charge a fee for processing such a request.
If you are concerned that we have not complied with your legal rights under applicable Data Protection Laws, you may contact the Information Commissioner’s Office (www.ico.gov.uk) which is the data protection regulator in the UK. Alternatively, if you are based outside the UK, you may contact your local data protection supervisory authority.
THIRD PARTY LINKS AND PRODUCTS ON OUR SERVICES
Our websites, applications and products may contain links to other third party websites that are not operated by Border to Coast, and our website may contain applications that you can download from third parties. These linked sites and applications are not under Border to Coast’s control and, as such, we are not responsible for the privacy practices or the content of any linked websites and online applications. If you choose to use any third party websites or applications, any Personal Data collected by the third party’s website or application will be controlled by the privacy notice of that third party. We strongly recommend that you take the time to review the privacy policies of any third parties to which you provide Personal Data.
CHANGES TO THIS PRIVACY NOTICE
We will update this Privacy Notice from time to time and hence it is important to check the “Date Notice Last Updated” legend at the bottom of this Notice. Any changes will become effective upon our posting of the revised Privacy Notice.
We will provide notice to you where any of the changes are material and, where required by applicable law, we will obtain your consent. We will provide this notice by e-mail or by posting notice of the changes on our website.
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at DPO@bordertocoast.org.uk
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Last updated: September 2023
Schedule 1 – Categories of Personal Data
Type of personal data | Categories of data subject
a) Contact Information
· Email address(es) including business email address(es)
· Contact details including mobile telephone number(s)
Categories of data subject: Service providers, suppliers and contractors, other business partners / contacts
b) Identity and Background Information
· Details of education and qualifications and results
· Career history, experience and skills
· Passport information
· Driving licence information
· Psychometric test results
· Right to work, residency and/or other visa information (where unrelated to your race or ethnicity)
· Curriculum Vitae (CV) or resume and professional profile
· Image or photographs
· Application form
· Evaluative notes and decisions from job interviews
· Preferences relating to job location and salary
· Conflicts of interests (including where related to family networks)
Categories of data subject: Service providers, suppliers and contractors, other business partners / contacts
· Recruitment consultants and agencies
· Your previous employers
· Publicly available information from online resources