What information we hold and what we do with it
HSBC Bank Pension Trust (UK) Limited is the trustee of the HSBC Bank (UK) Pension Scheme (“the Scheme”).
We gather, hold and use personal information (also known as personal data) relating to members and former members of the Scheme, their family and dependents. We are committed to protecting, keeping secure and processing fairly and lawfully the personal information we gather, hold and use. This Privacy Notice explains how we do this.
We will amend this Privacy Notice from time to time to keep it up to date.
This Privacy Notice is available on futurefocus. If you would like a hard copy, please contact the Scheme administrator (see section 12 below).
Where you have provided us with personal data about other individuals, such as family members or your other dependents, please ensure that they are aware of the information contained within this notice.
1 About the Trustee
For the purposes of the data protection laws, we are a 'controller' of the personal information we gather, hold and use about you, your family and other dependents as we decide the purposes for and how the personal information we gather and use is processed.
2 The kinds of personal information we gather and use
We use different types of personal information depending on a person’s circumstances at the time. This may include some or all of the following information about you, your family and other dependents:
name (including former names), date of birth, gender, status – whether single, married, in a civil partnership or other relationship akin to marriage or civil partnership, postal address (and former addresses), telephone number(s), email address, recordings of phone calls made to the Scheme administrator, Cookie id, IP address, national insurance number, employee and/or scheme number, tax details, details of bank account for the purpose of paying benefits, details about your dependents and/or beneficiaries (including their names and possibly details of their gender), relevant employment information (including current and past salary information, employment dates, absence information and working hours), details about pension benefits and, where you have a DC pension pot, relevant details including investment choices, contribution history and your intended retirement date. We will also retain copies of identification materials e.g. passports/birth certificates etc., where appropriate.
As part of running the Scheme, we may also need to hold and process particularly sensitive information about you and/or your dependants and beneficiaries (known as “sensitive personal data” or “special categories of personal data”). See section 5 below for further details.
3 How we gather your personal information
We gather personal information from many sources including the following:
• directly from you
• the futurefocus or My Pension websites
• from your current or former employer, including any payroll provider
• from persons acting as personal representatives of a deceased person’s estate
• from a public body such as HMRC
• from public databases such as the Register of Births, Deaths and Marriages
• from schemes where transfers into the Scheme have been made
• from an independent financial adviser, solicitor or other person instructed by you to provide us with information
• our advisers or others set out in section 7 below.
4 Our legal basis for using your personal information
We use personal information to comply with our legal obligations to provide benefits as well as complying with the legal requirements governing the operation of pension schemes. In addition, we have a legitimate interest in processing personal information about you so that we can, amongst other things, properly administer the Scheme and calculate and pay benefits.
Although you can object to processing on this latter ground, this objection can be overridden where there are compelling reasons (e.g. because we need to process personal information to meet our legal obligation to pay benefits).
5 Special categories of data
Special categories of personal information include information about an individual’s health or sexual orientation or information about a criminal conviction (this will be particularly relevant to us where a conviction has resulted in an individual owing money to an employer or former employer and that employer may be reimbursed from the person’s benefits). Further legal grounds apply before we can process special categories of personal data, these being that:
• you must give your explicit consent (unless an exemption applies)
• where you have made the special category of personal information manifestly public
• the information is required to establish, exercise or defend legal claims.
Where we have your consent, you have the right to withdraw it. We will let you know how to do that at the time we gather your consent.
6 How we use your personal information
We gather, hold and use personal data to meet the legal requirements referred to in section 4 above:
• to provide benefits as they fall due and ensure they are paid to or in respect of the right person
• to manage liabilities
• for internal statistical, financial modelling and reference purposes (e.g. when we assess how much money is needed to provide members’ benefits and how that money should be invested)
• to administer (where relevant) DC members’ DC pension pots including allocation of contributions, investment choice
• to communicate with members and others and help with the development of communication strategies to provide an enhanced member experience
• to provide members with education and guidance services.
We may, subject to compliance with the data protection laws, process personal information for another purpose if that purpose is compatible with the purposes set out above.
7 Sharing your personal information with others
We share personal data we hold with trusted third parties including those set out below.
For administration purposes:
• personnel in the Pension Scheme’s Executive
• members’ own advisers (where members have authorised information to be shared)
• the Scheme administrator, who is responsible for the day-to-day administration of the Scheme
• the advisers and printers who help prepare various communications which are sent to members and others
• appointed providers of life insurance and additional voluntary contributions
• tracing bureaus for mortality screening and locating, and subsequently verifying the identity of, members (both in the UK and overseas) and other beneficiaries
• organisations to whom personal data is sent to effect pension payments
• the Scheme’s professional advisers, including the Scheme actuary, actuarial advisors, auditor, medical advisers, investment advisers, benefit consultants and lawyers.
For compliance purposes:
• Government and regulatory bodies (we can be fined and subject to other action if we fail to provide certain information to certain authorities)
• UK courts for the purposes of processing pension sharing orders.
For other purposes:
• HSBC and other HSBC Group employers (and potential purchasers of any part of the Group’s business) so that they can understand, monitor and evaluate their liabilities to the Scheme and implement liability management exercises and for any other purpose for which the HSBC Group has a legitimate interest in processing Scheme personal data
• where we seek to provide benefits for members in other ways, such as with insurance or facilitating the provision of annuity options, then we may need to share personal data with insurers and other pension scheme operators
• insurance companies and other organisations for the purposes of liability and risk management exercises.
Some of the organisations referred to above will simply process your personal data on our behalf and in accordance with our instructions. Other organisations will be responsible to you directly for their use of personal data that we share with them. For example, the Scheme actuary is a “controller” for data protection purposes and is part of Willis Towers Watson whose privacy notice can be found at https://www.willistowerswatson.com/en-gb/notices/How-Willis-Towers-Watson-uses-personal-data-for-actuarial-services-to-UK-pension-scheme-trustees.
If this link does not work please copy and paste it into a new tab.
8 Security and safe storage of your personal data
The security of the data we hold is very important to us and we take this seriously. We will use appropriate procedures and security features to process and protect your information as will the third parties we engage for the purposes of the Scheme. Any transfer of your personal data is done securely and consideration is always given to the most secure and efficient way of doing this, such as with the encryption or pseudonymisation of personal data.
9 International transfers
The data protection laws restrict transfers of personal data outside of the EEA, unless there is adequate protection for the data or prescribed steps have been taken to ensure that the data is protected. Where any third party engaged by the Trustee, or a third party with whom the Trustee shares data, wishes to process data outside of the EEA, they must inform us and commit to ensuring that such processing complies with the stringent security measures we require and which comply with the data protection laws. Further details of the measures in place may be obtained from the HSBC Administration Team (see section 12 below).
10 How long we keep your personal information for
We keep all personal data safe and secure and only hold it for as long as necessary. We will keep relevant personal information for as long as is required to meet the purposes for which it was collected. In practice, this means for the life of the member, or the life of the last remaining beneficiary associated with the member, plus 7 years. However, there may be reasons why we need to keep data for longer such as for claims, data migration or archiving purposes. We will review the personal information we hold in relation to the Scheme every three years. If the decision is taken that certain personal information is no longer needed, the personal information will generally be destroyed, erased or made inaccessible.
11 Your privacy rights
You have the following legal rights in relation to the personal information we hold about you:
Access to your personal information - you can request access to a copy of the personal information that we hold about you. Please make all requests in writing. You may be asked for evidence of your identity. Information will generally be provided to you free of charge, although we can charge a reasonable fee in certain circumstances. Please note that we can in some circumstances refuse to act on requests.
Correction - you can ask us to change or complete any inaccurate or incomplete personal information held about you.
Erasure - you can ask us to delete your personal information where it is no longer necessary for us to use it or where we have no lawful basis for keeping it.
Restriction - you can ask us to restrict the personal information we use about you in certain circumstances, for example, whilst a complaint about its accuracy is being resolved.
Objection – you can object to us processing your personal information on the grounds of legitimate interests.
Please note that your request to restrict processing, object to processing or to erase your data can be overridden in certain circumstances.
Make a complaint - if you are not satisfied with our response to any query you raise with us, or you believe we are processing your personal data in a way which is inconsistent with the law, you can complain to the Information Commissioner’s Office (“the ICO”) whose helpline number is: 0303 123 1113. The details for the ICO’s website are ico.org.uk.
If you wish to:
• see your personal data or to exercise any of the rights mentioned at section 11 above
• make a complaint about how we have handled your personal data
Please contact the HSBC Administration Team at:
The HSBC Administration Team
Willis Towers Watson
PO Box 652
Surrey RH1 9AL
Phone: 01737 227575