Privacy notice

Your privacy 

We take privacy seriously. We are committed to ensuring the security of your personal information (your “personal data”). This notice (together with our cookies policy and website terms of use) sets out how we obtain, use, store and dispose of your personal data. If we make changes to how we use your data it will be explained on this page.

How we use your data depends on the services we’re providing and this is explained in each of the areas below.

Unless otherwise stated:

• “We”, “us” and “Group companies” include the following companies:
  • XPS Pensions Group plc
  • XPS Pensions Limited
  • XPS Administration Limited
  • XPS Investment Limited
  • XPS Pensions Consulting Limited
  • XPS SIPP Services Limited
  • XPS Pensions (RL) Limited
  • XPS Pensions (Trigon) Limited
  • Penfida Limited
• It also includes the above companies when trading as:
  • XPS Administration
  • XPS Investments
  • XPS Pensions
  • XPS Pensions Group
  • XPS Transactions
  • Simply SIPP
  • XPS SIPP
  • XPS SSAS
  • Michael J Field Consulting Actuaries
  • Michael J Field SIPP
  • Michael J Field SSAS

“You”, “the user” and “data subject” mean the person about whom we hold data.  

We use the terms “Data Controller” and “Data Processor” throughout this document. In simple terms: 

• A “Data Controller” is the person who determines what data to collect and how to use it.
• A “Data Processor” acts for a Data Controller and is instructed by the Data Controller on what data to collect and how to use it.

Both a Data Controller and a Data Processor are legally responsible for ensuring that data is handled in accordance with the laws on data protection.

Set out below are details of how each part of the XPS Pensions Group processes data for each of its services. Click on each link to read more.

Business lines

• Client Contact Data
• Scheme Actuary for pension schemes
• Actuarial consulting services
• Combined Scheme Actuary and actuarial consulting services to pension schemes
• Investment advice services
• The XPS SIPP, SimplySIPP and XPS SSAS
• XPS SIPP and XPS SSAS property tenants
• Administration services to pension schemes
• Group Risk consulting services
• Transfer Value Analysis to financial advisers
• Marketing communications
• Expert Witness services
• XPS Pensions Group plc shareholders
• Suppliers, referrers, journalists & other business partner contact data
• Websites data
• XPS Pensions Group applicant and leaver privacy notices

General usage

• What are your rights?
• How long do we keep data for?
• How secure is your data?
• Changes to this privacy notice
• How to complain
• Contacting us 

Client contact data

When providing services to scheme trustees, pension scheme trustees and/or sponsoring employer (“Client”), or developing our relationship with or conducting market research on potential Clients, we will obtain Client contact data (“Data”) in order to correspond with you for our own business purposes as outlined below.

“You” means client, client representatives, certain employees, trustees, and if applicable your respective suppliers.

We are a Data Controller and are legally responsible for compliance with data protection laws in relation to the use of this Data.

Where do we get your data from?

Data will be obtained both initially and throughout the term of provision of our services, either directly from you or your advisers and/or representatives.

How is your data used?

We have what’s called a “legitimate interest” to process your data, via an appointment by the pension scheme trustees and/or sponsoring employer to provide various services, or otherwise in connection with the administration or development of our business.

Your data will only be used by us to correspond with you.   

What information is needed and why?

Your information is used to manage our engagements, relationships and day-to-day business dealings with you.  

The information we may need about you includes:

• name; and
• contact details including phone number, email address and/or postal address.  

Who is your information shared with?

Information is only shared with third parties if it’s necessary in our day-to-day dealings with you. This means that your information may be shared with:

• one or more of our Group companies, but only for the purposes of our day-to-day dealings with you; and
• certain approved suppliers used by us. These may include suppliers of printing and mailing services, offsite storage, hosting of administration systems, computer systems databases, information technology services and electronic and paper documentation management.

Scheme Actuary for pension schemes

The Scheme Actuary’s role is mainly to advise the trustees on how well the pension scheme is funded. In order to be able to advise the trustees, the Scheme Actuary may need to access personal scheme member information.

The Scheme Actuary is typically a Data Controller in their own right rather than a joint controller (although they are a Data Controller “jointly” with XPS Pensions Group). This means that the Scheme Actuary (together with XPS Pensions Group) and the pension scheme trustees are each legally responsible for compliance with data protection laws in relation to each of their respective processing activities.

Where does the Scheme Actuary get your information from? 

Scheme member data is provided by the pension scheme trustees and their appointed pension scheme administrator. Some information may also be provided directly by the sponsoring employer.

How is your data used?

Certain calculations and advice must, by law, be provided by the Scheme Actuary to the pension scheme trustees. 

Your data will only be used by the Scheme Actuary in accordance with the Terms of Engagement with the pension scheme trustees and professional guidance standards. The Scheme Actuary will only ask for your personal information if it is necessary to provide these specific services.

What information is needed and why? 

Your information is used:

• to advise on and value the pension scheme’s liabilities, and assess how any shortfall can be funded;
• to advise on or calculate the benefits available to individuals under various scheme options (e.g. on transfer to another scheme); and
• towards a wider population of member data in order to conduct data analysis, such as demographic studies and mortality studies, in order to predict longevity which may be used in my calculations and as part of the  advice to the pension scheme trustees.

The information the Scheme Actuary may need about you in order to provide this service includes:

• name;
• date of birth;
• sex;
• marital status and dependant’s date of birth and sex;
• address;
• employment service information;
• salary and pension amounts; and
• whether a pension in payment resulted from ill health retirement. In this circumstance, the Scheme Actuary does not process data about your state of health, only that you are in receipt of such a pension, and this data will only be used if passed to the Scheme Actuary by the scheme trustees or pension scheme administrator.

Who is your information shared with? 

Information is only shared with third parties if it’s necessary for the provision of services as the Scheme Actuary. This means that your information may be shared with:

• the pension scheme trustees;
• one or more of our Group companies, but only for the purposes of providing Scheme Actuary services to the pension scheme trustees;
• law enforcement agencies (subject to any requests being legally made);
• regulators as required (including HMRC, the Pensions Regulator, the Financial Conduct Authority and the Information Commissioner’s Office);
• fraud prevention agencies so that we may comply with money laundering and financial crime prevention laws;
• professional and research bodies, when we are required or requested to do so. For example, we provide pseudonymised datasets (i.e. without individuals' names) to the Continuous Mortality Investigation (CMI), which uses this data for research and statistical purposes; and
• certain approved suppliers used by us. These may include suppliers of printing and mailing services, offsite storage, hosting of administration systems, computer systems databases, information technology services and electronic and paper documentation management.

Your data is not shared with any other party and will not be transferred to anyone outside the UK and European Economic Area.

Actuarial consulting services

Our role is to provide the pension scheme trustees and/or sponsoring employer defined benefits scheme actuarial consulting services. Whilst these services are aimed at the pension scheme trustees and the sponsor of those pension funds, we may need to access personal scheme member information.

We typically act as a Data Controller in our own right rather than a joint controller. This means that we and the pension scheme trustees and/or sponsoring employer are each legally responsible for compliance with data protection laws in relation to each of their respective processing activities.

Where do we get your information from?

Your data is provided to us by the pension scheme trustees and their appointed pension scheme administrator. Some information may also be provided directly by the sponsoring employer.

How is your data used?

We have what’s called a “legitimate interest” to process your data, via an appointment by the pension scheme trustees and/or sponsoring employer to provide actuarial consulting services.

Your data will only be used in accordance with our Terms of Engagement with the pension scheme trustees and/or sponsoring employer and only if it is necessary for us to undertake these services.

What information do we need and why?

Your information will be used:

• to advise the pension scheme trustees and/or sponsoring employer on the pension scheme’s assets and liabilities including calculating and valuing benefits;
• to provide technical guidance on pensions legislation to the trustees, the sponsoring employer and certain members of the pension scheme; and
• towards a wider population of member data in order to conduct data analysis, such as demographic studies and mortality studies, in order to predict longevity which may be used in our calculations and as part of our advice to the pension scheme trustees and/or sponsoring employer.

The information we need about you in order to provide these services includes:

• name;
• date of birth;
• sex;
• marital status and dependant’s date of birth and sex;
• address;
• employment service information;
• salary and pension amounts; and
• whether a pension in payment resulted from ill health retirement. In this circumstance, we don’t process data about your state of health, only that you are in receipt of such a pension, and this data will only be used if passed to us by the scheme trustees or pension scheme administrator.

Who do we share your information with? 

We only share your information with third parties if it is necessary for us to provide our services. This means that your information may be shared with:

• the pension scheme trustees and/or sponsoring employer;
• the pension scheme administrator and the various advisers appointed by the pension scheme trustees;
• one or more of our Group companies, but only for the purposes of providing actuarial consulting services to the pension scheme trustees and/or sponsoring employer;
• professional and research bodies, when we are required or requested to do so. For example, we provide pseudonymised datasets (i.e. without individuals' names) to the Continuous Mortality Investigation (CMI), which uses this data for research and statistical purposes; and
• certain approved suppliers used by us. These may include suppliers of printing and mailing services, offsite storage, hosting of administration systems, computer systems databases, information technology services and electronic and paper documentation management.

Your data is not shared with any other party and will not be transferred to anyone outside the UK and European Economic Area.

Combined Scheme Actuary and actuarial consulting services to pension schemes

• The Scheme Actuary’s role is mainly to advise the pension scheme trustees on how well the pension scheme is funded. In order to be able to advise the trustees, the Scheme Actuary may need to access your personal information. 
• Our (the appropriate Group company) role is to provide the pension scheme trustees and/or sponsoring employer with defined benefits scheme actuarial consulting services. Whilst these services are aimed at the pension scheme trustees and the sponsor of those pension funds, we may need to access personal scheme member information. 

The Scheme Actuary is typically a Data Controller in their own right rather than a joint controller (although they are a Data Controller “jointly” with XPS Pensions Group). This means that the Scheme Actuary (together with XPS Pensions Group) and the pension scheme trustees are each legally responsible for compliance with data protection laws in relation to each of their respective processing activities. 

We (the appropriate Group company) typically act as a Data Controller in our own right rather than a joint controller. This means that we and the pension scheme trustees and/or sponsoring employer are each legally responsible for compliance with data protection laws in relation to each of their respective processing activities.

Where do we get your information from?

Your data is provided to us by the pension scheme trustees and their appointed pension scheme administrator. Some information may also be provided directly by the sponsoring employer.

How is your data used?

• The Scheme Actuary must, by law, provide certain calculations and advice to the pension scheme trustees.
• We (the appropriate Group company) have what’s called a “legitimate interest” to process your data, via an appointment by the pension scheme trustees and/or sponsoring employer to provide these services.

Your data will only be used in accordance with our Terms of Engagement with the pension scheme trustees and/or sponsoring employer and only if it is necessary for us to undertake these services.

What information do we need and why?

Your information will be used:

• to advise on and value the pension scheme’s liabilities, and assess how any shortfall can be funded;
• to advise on or calculate the benefits available to individuals under various scheme options (e.g. on transfer to another scheme);
• towards data analysis of a wider population of member data in order to conduct data analysis, such as demographic studies and mortality studies, in order to predict longevity which may be used in our calculations as part of our advice to the pension scheme trustees and/or sponsoring employer; and
• provide technical guidance on pensions legislation to the trustees, the sponsoring employer and certain members of the pension scheme.

The information we need about you in order to provide these services includes:

• name;
• date of birth;
• sex;
• marital status and dependant’s date of birth and sex;
• address;
• employment service information;
• salary and pension amounts; and
• whether a pension in payment resulted from ill health retirement. In this circumstance, we don’t process data about your state of health, only that you are in receipt of such a pension, and this data will only be used if passed to us by the scheme trustees or pension scheme administrator.

Who do we share your information with?

We only share your information with third parties if it is necessary for us to provide our services. This means that your information may be shared with:

• the pension scheme trustees and/or sponsoring employer;
• the pension scheme administrator and the various advisers appointed by the pension scheme trustees;
• one or more of our Group companies, but only for the purposes of providing our services to the pension scheme trustees and/or sponsoring employer);
• law enforcement agencies (subject to any requests being legally made);
• regulators as required (including HMRC, the Pensions Regulator, the Financial Conduct Authority and the Information Commissioner’s Office);
• fraud prevention agencies so that we may comply with money laundering and financial crime prevention laws;
• professional and research bodies, when we are required or requested to do so. For example, we provide pseudonymised datasets (i.e. without individuals' names) to the Continuous Mortality Investigation (CMI), which uses this data for research and statistical purposes; and
• certain approved suppliers used by us. These may include suppliers of printing and mailing services, offsite storage, hosting of administration systems, computer systems databases, information technology services and electronic and paper documentation management.

Your data is not shared with any other party and will not be transferred to anyone outside the UK and European Economic Area.

Investment advice services

Our role is to provide the pension scheme trustees and/or sponsoring employer defined benefits scheme and/or defined contribution scheme investment consulting services. In this notice we refer to “pension scheme trustees and/or sponsoring employers” as “our client”. As these services are aimed at our client, we do not normally seek to process your personal information.

However, we are very aware that in dealing with our client and the appointed advisers and administrators, we may process your personal information.

We act as a Data Controller in our own right rather than a joint controller. This means that we and our client are each legally responsible for our own compliance with data protection laws in relation to each of our respective processing activities.

Where do we get your information from?

Your data is provided to us by the pension scheme trustees and their appointed pension scheme administrator. Some information may also be provided directly by the sponsoring employer.

How is your data used?

We have what’s called a “legitimate interest” to process your data, via an appointment by our client to provide investment consulting services.

Your data will only be used in accordance with our Terms of Engagement with our client and only if it is necessary for us to undertake these services.

What information do we need and why?

Your information will be used to advise the pension scheme trustees and/or sponsoring employer on the pension scheme’s assets strategy, including the possible purchase of annuities.

Who do we share your information with?

We only share your information with third parties if it is necessary for us to provide our services. This means that your information may be shared with:

• the pension scheme trustees and/or sponsoring employer;
• the pension scheme administrator and the various advisers appointed by the pension scheme trustees;
• one or more of our Group companies, but only for the purposes of providing investment consulting services to our client; and
• certain approved suppliers used by us. These may include suppliers of printing and mailing services, offsite storage, hosting of administration systems, computer systems databases, information technology services and electronic and paper documentation management.

Your data is not shared with any other party and will not be transferred to anyone outside the UK and European Economic Area.

The XPS SIPP, SimplySIPP and XPS SSAS

When providing the XPS SIPP and the SimplySIPP, we are a Data Controller. This means that we’re legally responsible for complying with data protection laws.

When providing the XPS SSAS, we are a Data Controller in our own right rather than a joint controller. This means that we and the pension scheme trustees are each legally responsible for our own compliance with data protection laws in relation to each of our respective processing activities.

Where do we get your data from? 

We take this from your completed application form together with any other data provided by you or your appointed financial adviser or other personal representative.

How is your data used?

When you sign an XPS SIPP application, you enter into a contract with us to set up and administer the SIPP. It is therefore necessary for us to process your data in order to do this.

For the XPS SSAS, we have what’s called a “legitimate interest” to process your data, via an appointment by the Trustees to provide administration services to the scheme. We process your data under this service agreement in order to administer the scheme.  

For SIPP and SSAS, we also process your data in order to comply with our legal obligations as Trustee and/or Scheme Administrator (as defined by HMRC) of the scheme. 

“Administering” your pension plan means:

• managing contributions made to the SIPP or SSAS;
• arranging investments as instructed by you (SIPP member or SSAS trustees), your financial adviser or other personal representative;
• issuing you with information about your benefits under the SIPP or SSAS (including quotations);
• paying claims from the scheme;
• providing annual valuations and, for the SIPP, illustrations of your prospective benefits as required by law;
• notifying you of any changes to our terms and conditions as required; and
• notifying you of any regulatory changes that may affect the contributions allowable into, and benefits out of, your SIPP or SSAS.

“Legal processing” may include:

• disclosing details to HMRC for tax purposes;
• disclosure to law enforcement agencies and courts; and
• various regulatory returns to the Financial Conduct Authority and/or the Pensions Regulator.

Your data will only be used by us for these purposes.

What information do we need and why?

We only ask you for information about you that is necessary to set up and administer your SIPP or SSAS; without this information, we may not be able to provide these services. The information we need about you in order to provide these services includes:

• personal information, including full name, approximate salary, National Insurance number, date of birth and planned retirement age;
• eligibility criteria including your nationality, residency, employment status and if you are a member of your employer’s pension scheme;
• if you are subject to a bankruptcy order;
• your contact details (postal address, email and phone number);
• contribution information;
• beneficiary information (where appropriate);
• your bank details (when you wish to start taking benefits);
• other pension schemes of which you are a member (should you wish to transfer benefits into or out of your SIPP or SSAS); and
• health information, including medical reports. We will only ask for this information if you wish to claim benefits on health grounds and we will need your specific consent in this instance.

Who do we share your data with?

We’ll only share your data with third parties if it’s necessary to administer your SIPP or SSAS. This means that your information may be shared with:

• any party appointed by you, including your investment managers, legal and financial advisers, or personal representatives;
• investment providers holding your SIPP or SSAS’s underlying assets;
• the SIPP or SSAS client bank provider;
• law enforcement agencies (subject to any requests being legally made);
• fraud prevention agencies so that we may comply with money laundering and financial crime prevention laws;
• regulators as required (including HMRC, the Pensions Regulator, the Financial Conduct Authority and the Information Commissioners Office);
• one of our Group companies for the provision of payroll services;
• certain approved suppliers used by us. These may include suppliers of printing and mailing services, offsite storage, suppliers of administration systems, hosting of various computer systems, information technology services and electronic and paper documentation management; and
• other pension schemes of which you are a member (should you wish to transfer benefits into or out of your SIPP).

We’ll need your consent (or that of your personal representative) to share your data with anybody else.

Your data will not be transferred to anyone outside the UK and European Economic Area.

XPS SIPP and XPS SSAS property tenants

When providing the XPS SIPP and XPS SSAS, we deal with pension scheme property (including commercial land) investments for our clients, including the underlying property tenants. 

Where personal data is obtained, we are a Data Controller. This means that we’re legally responsible for complying with data protection laws in relation to our processing activities.

Where do we get your data from?

We take this from our property lease questionnaire and the executed lease, together with any other data provided by you or your appointed solicitor. We may receive these directly from you, the SIPP member(s) or SSAS trustees.

How is your data used?

We provide services to our SIPP and SSAS clients in order to administer their pensions. In working alongside our clients, their advisers, or directly with you, we may process your personal information.

We administer our clients’ pensions under our contractual documentation and so have a “legitimate interest” to process your data in order to provide our services. This is a necessary requirement otherwise we will not be able to provide our services. 

Processing your data may include administrative back up on:

• property insurance;
• rent payments, rent reviews and lease renewals; and
• VAT returns when applicable.

Your data will only be used by us for these purposes.

What information do we need and why?

We only ask you for information about you that is necessary to provide our services to our clients (SIPP member(s) or SSAS trustees). The information we need about you in order to provide these services includes:

• formal tenant(s) details; and
• your contact details (postal address, email and phone number).

Although not deemed personal data, we also need details on rent being, or to be, paid, together with the lease rent review dates and expiry date.

Who do we share your data with?

We’ll only share your data with third parties if it’s necessary to provide our services to our clients. This means that your information may be shared with our clients including any of their personal representatives, together with:

• lenders (to the pension scheme), the various appointed legal, financial and environmental advisers and other property parties such as surveyor or valuer, insurer, manager, head tenant, developers and, if applicable, third party owner(s);
• a prospective purchaser if and when the property is to be sold;
• law enforcement agencies (subject to any requests being legally made) and fraud prevention agencies so that we may comply with money laundering and financial crime prevention laws; and
• certain approved suppliers used by us. These may include suppliers of printing and mailing services, offsite storage, information technology services and electronic and paper documentation management.

We’ll need your consent (or that of your personal representative) to share your data with anybody else.

Your data will not be transferred to anyone outside the UK and European Economic Area.

Administration services to your pension schemes

Our role is to provide your pension scheme with administration services. As these services are provided to the pension scheme trustees or your employer, we do not seek to process your personal information for our own purposes.

We are a Data Processor for the pension scheme trustees or your employer. The pension scheme trustees or your employer are the Data Controller.

The pension scheme trustees or your employer will give you a full privacy notice explaining how they use your information. The information set out below is to help you understand what we do with your information when we provide our services.

Where you have subsequently left your employer, references to “employer” in this notice also mean your former employer.

Where do we get your data from?

The pension scheme trustees or your employer give us details of all members of the pension scheme. You may have provided some of this information in an application form that you completed to join the scheme.

We have a contract (known as Terms of Engagement) with the pension scheme trustees or your employer to administer the scheme on their behalf.

How is your data used?

Your data will only be used in accordance with our Terms of Engagement with the pension scheme trustees or your employer and only if it is necessary for us to undertake these services.

Administering your pension scheme means:

• managing contributions made to the scheme;
• arranging investments as instructed by you or the trustees;
• issuing you with information about your benefits under the scheme (including quotations);
• paying claims from the scheme;
• providing valuations; and
• dealing with queries from pension scheme members.

Subject to Client agreement your data may also be used as part of a wider population of member data in order to conduct data analysis, such as demographic studies and mortality studies, in order to predict longevity.

Your data will only be used by us for these purposes.

What information do we need and why?

Your information is provided to us by the pension scheme trustees or your employer (or you, if you completed an application form). We may ask you for information on behalf of the pension scheme trustees, but this will only be for the purposes of administering your pension scheme, such as when you decide to take benefits from the scheme.

Who do we share your information with?

Your data may be shared with certain approved suppliers used by us. These include suppliers of printing and mailing services, offsite storage, suppliers of administration systems, hosting of various computer systems, information technology services and electronic and paper documentation management.

We may also be obliged to share your data with:

• law enforcement agencies (subject to any requests being legally made);
• fraud prevention agencies so that the scheme may comply with money laundering and financial crime prevention laws;
• regulators as required (including the Pensions Regulator); and
• other parties as disclosed in the pension scheme trustee’s full privacy notice.

We’ll need your consent (or that of your personal representative) to share your data with anybody else and your data won’t be transferred to anyone outside the UK and European Economic Area.

Group Risk consulting services

Our role is to provide scheme trustees and employers with Group Risk consulting services. These services can include the design, implementation and administration of income protection, life assurance and/or critical illness benefits. In this notice we refer to “scheme trustees and employers” as ”our client”’. As these services are aimed at our client, we do not seek to process your personal information for our own purposes.

We act as a Data Controller in our own right rather than a joint controller. This means that we and our client are each legally responsible for our own compliance with data protection laws in relation to each of our respective processing activities.

Where do we get your data from?

Your employer, scheme trustees or the pension scheme administrators give us details of the employees or pension scheme members who are or will be members of the Group Risk scheme. We may also, where necessary, obtain details of potential beneficiaries from your next of kin, following your death.

How is your data used?

We have what’s called a “legitimate interest” to process your data, via an appointment by our client to provide Group Risk consulting services.

Your data will only be used in accordance with our Terms of Engagement with the scheme trustees or your employer and only if it is necessary for us to undertake these services.

We use your information to liaise with the insurer, which will set up and administer the Group Risk scheme for the scheme trustees or your employer. It is therefore necessary for XPS Pensions to process your data in order to do this. “Setting up” and “administering” the Group Risk scheme means:

• working with the insurer and the scheme trustees or your employer, to obtain the best cover and rates for the Scheme; and
• dealing with queries that may arise about the scheme (including any claims).

Your data will only be used by us for these purposes.

What information do we need and why?

The only information needed is that required by the scheme’s insurer when you become a member or when you make a claim. This will be requested by an application form or claim form. You can always send this directly to the insurer.

For a life assurance benefit claim, we will, on occasion and on behalf of the scheme trustees or your employer, need to obtain details of potential beneficiaries from your next of kin, following your death.

Who do we share your information with?

Your information will be shared with the insurer providing the Group Risk scheme. Your data may also be shared with certain approved suppliers used by us. These include suppliers of printing and mailing services, offsite storage, suppliers of administration systems, hosting of various computer systems, information technology services and electronic and paper documentation management.

We may also be obliged to share your data with:

• law enforcement agencies (subject to any requests being legally made);
• fraud prevention agencies so that the scheme may comply with money laundering and financial crime prevention laws;
• regulators as required (including the Financial Conduct Authority); and
• other parties as disclosed in the scheme trustee’s full privacy notice.

We’ll need your consent (or that of your personal representative) to share your data with anybody else and your data won’t be transferred to anyone outside the UK and European Economic Area.

Transfer value analysis to financial advisers

Our role is to provide financial advisers with calculations that allow them to provide advice on transferring pensions from defined benefit schemes. As these services are aimed at the financial adviser, we do not normally seek to process your personal information. 

However, we are very aware that in dealing with your adviser, we may process your personal information. 

We are a Data Processor for the financial adviser.

Where do we get your information from?

Your financial adviser gives us your details as you have appointed them because you are considering transferring from your employer’s defined benefit scheme. The financial adviser must carry out a financial comparison between the defined benefit scheme and an arrangement you might be transferring to. Our role is to provide that financial comparison. Where you have subsequently left your employer, references to “employer” in this notice also mean your former employer.

How is your data used?

We process your data via an appointment by the financial adviser to provide pension transfer comparison services.

Your data will only be used in accordance with our Terms of Engagement with the financial adviser and only if it is necessary for us to undertake these services.

Providing a pension transfer comparison service means:

• obtaining information about the pension scheme of which you are a member or deferred member;
• calculating your entitlement under that scheme; and
• providing a comparison between your employer’s pension scheme and an alternative scheme.

Your data will only be used by us for these purposes.

What information do we need and why?

We do not ask you for any information directly. Your information is provided to us by your financial adviser.

Who do we share your information with?

Your data may be shared with certain approved suppliers used by us. These include suppliers of printing and mailing services, offsite storage, suppliers of administration systems, hosting of various computer systems, information technology services and electronic and paper documentation management.

We may also be obliged to share your data with:

• law enforcement agencies (subject to any requests being legally made);
• fraud prevention agencies so that we may comply with money laundering and financial crime prevention laws; and
• regulators as required (including the Financial Conduct Authority).

We’ll need your consent (or that of your personal representative) to share your data with anybody else and your data won’t be transferred to anyone outside the UK and European Economic Area.

How long do we keep data for?

When providing Transfer Value Analysis to your financial advisers, for a period of 6 years following the end of their advice exercise in relation to your pension scheme, 6 years following the termination of the financial adviser’s appointment to your pension scheme, or 6 years following the termination of the financial adviser’s appointment with us, whichever is the earliest. Your financial adviser may, however, ask us to retain information for longer for legal or regulatory reasons.

Marketing communications

We may from time to time contact you to inform you about products and services we offer.

We are Data Controllers and this means that we are legally responsible for compliance with data protection and ePrivacy laws when we use your data.

Where do we get your information from?

We will collect information relating to you that you provide when you:

• register on our website xpsgroup.com ;
• fill in a contact form on our websites;
• become a client with us for any service;
• log in to www.xpsselfinvestedpensions.com ;
• respond to a survey;
• request to download guides or other resources on our websites;
• attend a seminar/event and agree in principle to our marketing communications; or
• otherwise opt in to receive communications from us.
• In respect of IP address only, when you land on our website, XPSgroup.com

We do occasionally purchase lists of contact details and will only do so from reputable brokers. We will undertake thorough due diligence to ensure we only provide communications as “business to business” and that we believe will be relevant to you.

Note our websites:

• use cookies to distinguish you from other users. Details of the cookies we use are set out in our separate Cookies Policy;
• include social media features, such as the “Share This” button. We collect information from social media activity. Depending on the network this will include basic account information such as name, email address, company and job title and any other details you choose to share according to your particular social media account settings. Your interactions with these features are governed by the privacy statement of the companies that provide them; and
• include external links to third party websites. We have no control over and are not responsible for these websites or the use of your information by third parties. You should check the privacy notices on any third party websites to ensure that you are satisfied regarding their privacy practices, prior to sharing any personal information.

How will we use your data?

We’d like to keep you up to date with information about our events, products and services by providing you with company news, product and technical information and updates, survey participation, and access to our complimentary learning platform, XPSArena (our marketing communications).

For the purposes of this privacy notice, your data will only be used to provide our marketing communications. 

We use the information we collect from any social media activity to help us improve our understanding of our users and what they want. We may use it to assist us in arranging more personalised commercial opportunities. We also use this information to ensure we provide the best possible content, tailoring where we can to our users’ interests. We never disclose your personal details.

Although we hope you find our communications informative, you can decide to stop them by clicking on the unsubscribe link which will be provided at the bottom of all marketing communications. Alternatively you can contact us, the details of which are provided at the end of this notice. 

We have recorded you under ePrivacy Regulations as: 

• a “business to business” subscriber (e.g. a company or a limited liability partnership) and so we have a “legitimate interest” to process your data for the purposes of providing company news, product and technical information and updates, and survey participation (our marketing communications); or
• an “individual” subscriber and so have obtained your explicit agreement to us providing our marketing communications.

What information do we need?

The information we ask about you is as follows:

• full name;
• company name and address;
• phone number; and
• email address.
• IP address in certain circumstances

Who do we share your information with?

We may share your data between our Group companies, but only where relevant to.

Your data may be shared with certain approved suppliers used by us. These include suppliers of printing and mailing services, offsite storage, suppliers of administration systems, hosting of various computer systems, information technology services and electronic and paper documentation management.

Your data is not shared with, or sold to, any other party.

Expert Witness services

We are a Data Controller when providing Expert Witness services. We only process personal information on the instruction of an instructing solicitor. We are also legally responsible for complying with data protection laws.

Where do we get your information from?

Our instructing solicitor gives us details of your data. If you have provided a letter of authority, additional information may have been received from your employer and/or its pension scheme.

How is your data used?

We have what’s called a “legitimate interest” to process your data, via an appointment by our instructing solicitor to provide Expert Witness services. Your data will only be used in accordance with this appointment and only if it is necessary for us to undertake these services.

We may be provided with “Special category personal data”, for example whether a pension in payment resulted from ill health retirement. In this circumstance, we don’t process data about your state of health, only that you are in receipt of such a pension, or eligible for one, and this data will only be used if passed to us by our instructing solicitor, or is included in legal productions for court.

We use your information to assess loss of pension rights or loss of earnings.

Your data will only be used by us for these purposes.

What information do we need and why?

We do not ask you for any information directly. The only information we process is that provided by our instructing solicitor. Typically this will include:

• dates of birth and retirement;
• date of marriage and separation (divorce cases);
• date of incident (pension loss cases);
• service dates and dates of incidents;
• salary history;
• accrued and prospective pension rights including special terms and conditions; and
• eligibility for ill health benefits.

Who do we share your information with?

Your information will only be shared with offsite storage firms as approved suppliers used by us.

We may also be obliged to share your data with:

• law enforcement agencies (subject to any requests being legally made); and
• fraud prevention agencies so that we may comply with money laundering and financial crime prevention laws.

We will need your consent (or that of your personal representative) to share your data with anybody else.

Your data will not be transferred to anyone outside the UK and European Economic Area.

XPS Pensions Group plc shareholders

When you buy shares in XPS Pensions Group plc it is a legal requirement that your name, address and the number of shares you hold are made available on a Register of Members. XPS Pensions Group plc’s share registrar is Equiniti Group plc and it administers shareholder information on our behalf.

XPS Pensions Group plc acts as a Data Controller when holding shareholder information. We have appointed Equiniti Group plc to carry out share registration services and in providing this service Equiniti acts as a Data Processor. You can find detailed information about how Equiniti processes shareholder information on its website (https://equiniti.com/uk/privacy-policy/) and we have also included key information about how we both process your information in this section.

Where does XPS Pensions Group plc get your information from?

Your data is collected when you apply to trade in XPS Pensions Group plc shares. Information may also be collected if you contact either XPS Pensions Group plc or Equiniti Group plc via email, phone, live chat, social media channels, etc. 

When administering the Share Register, Equiniti Group plc may also obtain information from third parties when carrying out identity and financial crime checks, includingd information from credit reference agencies, fraud detection agencies and registration/stockbroking industry exchanges.

How is your data used?

XPS Pensions plc Group has a legal requirement to process your data in order to comply with the laws for listed companies (including rules for trading on a stock exchange). This includes keeping a register of shareholders as well as communicating required information such as details of General Meetings, dividend information and other important shareholder news.

Once you cease to hold shares, XPS Pensions Group plc has a legitimate interest in retaining your information for legal and regulatory purposes.

What information do we need and why?

The information we need about you in order to meet our responsibilities includes:

• name;
• address;
• phone number and other contact information such as email address; and
• identification numbers (such as an account number).

XPS Pensions Group plc will only use your data for these purposes.

Who do we share your information with?

We only share your information with third parties if it is necessary or a legal requirement. This means that your information may be shared with:

• Equiniti Group plc for the purposes of providing shareholder services;
• service suppliers to facilitate website, email, IT and administration services;
• professional advisers, such as lawyers, when we require advice from them;
• your agent or other advisers with your consent;
• credit reference agencies and fraud detection agencies as part of identification procedures;
• fraud prevention agencies which will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services;
• your Official Receiver or appointed insolvency practitioner if we receive notice of your insolvency, bankruptcy or insolvency proceedings/arrangement;
• certain approved suppliers used by XPS Pensions Group plc. These may include suppliers of printing and mailing services, offsite storage, hosting of administration systems, computer systems databases, information technology services and electronic and paper documentation management; and
• regulators, supervisory and law enforcement authorities, and other agencies where we may be subject to a legal obligation to share information.

When providing shareholder services, Equiniti Group plc carries out some overseas processing. This is explained in more detail on their website and is subject to the use of appropriate model clauses. It includes sharing data with:

• members of the Equiniti Group based in India; and
• email service providers based in the United States of America.

Suppliers, referrers, journalists and other business partner contact data

We correspond with various suppliers and business partners in relation to:

• the provision of services to scheme trustees, pension scheme trustees and sponsoring employers; and
• for our own business purposes such as marketing and the promotion of our company news, product and technical information and updates.

In doing so, we will obtain contact details in order to correspond with these parties.

We are a Data Controller and are legally responsible for compliance with data protection laws in relation to the use of this Data.

Where do we get your data from?

For our suppliers, data is obtained both informally when undertaking due diligence on a prospective supplier and formally on conclusion of a contract.

For other third party contacts, data is obtained before and during the agreed relationship with that business contact.

How is your data used?

Contact Data will only be used by us to correspond with our suppliers and business partners. 

We have what’s called a “legitimate interest” to process supplier contact data via the supplier contract, and business partner contact data via the mutual relationship with the business contact.

What information is needed and why?

The contact data is used to manage our supplier engagements and day-to-day relationships with our business partners.

The information we may need includes:

• name; and
• contact details including phone number and email address.

Who is your information shared with?

Your contact data might be shared with:

• one or more of our group companies, but only for the purposes of our day-to-day dealings with you  ; and
• certain approved suppliers used by us. These may include suppliers of printing and mailing services, offsite storage, hosting of administration systems, computer systems databases, information technology services and electronic and paper documentation management.

Websites data

This privacy statement is applicable to each and all of the websites we operate. When we refer to “websites” in this section we mean sites using the following addresses: 

• www.natpen.co.uk
• www.trivialcommutation.co.uk
• www.xafinityconsulting.com
• www.xafinity.com
• www.psal.co.uk
• www.mypension.com
• www.pstransactions.co.uk
• www.pstransactions.com
• www.psadmin.com
• www.puntersouthall.com
• https://extranet.psgshare.com
• www.xpsradar.com
• XPSArena, provided by On24.com

We are a Data Controller(s) for the purposes of this section and this means that we are legally responsible for compliance with data protection laws when we use your data.

Where do we get your information from?

When you access our websites, we may collect information from you as follows:

• If you fill in a form on the websites. For example when you register to use a website, subscribe to a service, post material, request further services or report a problem with the websites. If you use XPSArena, registration information may include your name, email address, role, and areas of interest.
• If you contact us, we may keep a record of that correspondence.
• We may ask users to complete surveys for research purposes, although users do not have to respond to them.
• We keep records of transactions that users carry out through a website, including details of visits to the websites and the resources that users access.
• We may create or gather data using analytics tools, including technical and usage data (like your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of use).
• We may set cookies which are associated with you as an identifiable individual (so for example we use a cookie to “remember” you if you have registered for XPSArena, so you don’t have to log in manually).

How will we use your data?

We may use data about you as follows:

• to ask you about our websites and/or personal data collected;
• to understand how our websites are used by carrying out statistical analysis;
• to ensure that the content of our websites is presented in the most effective manner for you and for your computer, and enable you to use features of our websites which require the use of cookies;
• to give you information, products or services that you request from us or which we feel may interest you, where you have consented for us to do so or we have a legitimate interest in doing so. You will always be given the opportunity to ask us to stop providing this information; and
• to carry out our obligations arising from any contracts entered into between you and us.

Who do we share your information with?

We may share your data between our companies, but only where relevant to you, and not with any other parties.
We may disclose your personal data to our suppliers or contractors in connection with the uses described above. We will share data only for our purposes and will not sell your data on to any third party.

XPS Pensions Group applicant and leaver privacy notices

• Applicant privacy notice 
• Leaver privacy notice 

 

General usage

What are your rights?

Data protection laws provide you with a number of rights, some of which do not apply to the data we process as a Data Controller. You may have the right to: 

• be informed about the collection and use of your personal data; this will be done via the provision of privacy information (a privacy policy or notice);
• request copies of the personal data we hold about you and we will provide that within one calendar month. If you wish to do so you should contact us at the address below;
• correct any information that is incorrect, inaccurate or incomplete;
• have your personal data erased (extremely unlikely to apply to pension schemes);
• restrict what we do with your information until we correct it or if you believe we are using your data unlawfully;
• move data from one provider of services to another (does not apply to pension schemes);
• object to automated decisions and profiling (we do not undertake this activity in relation to pensions);
• object to the processing of your data in certain circumstances, including a right to object to our processing if our basis of processing is “legitimate interest” and you have grounds to object based on your particular situation, and an absolute right to object to the use of your data for direct marketing purposes; and
• withdraw your consent to us processing your health information (which will only be the case if you have sent us that information). Any processing we undertake shall remain lawful until such time as you withdraw your consent.

We are a Data Processor when providing administration services to pension schemes and as such, the pension scheme trustees will provide you with full information about your rights.

How long do we keep data for?

Where we as a company act as a Data Processor 

We will retain copies of data for as long as instructed by our client as Data Controller.

At the end of any contract for services, one copy of the data will be retained by us as a Data Controller for legal and compliance purposes, including:

• to demonstrate compliance with regulatory rules (e.g. Financial Conduct Authority);
• to demonstrate that we have met our contractual and legal obligations; and
• to establish, exercise or defend legal claims.

This means that we keep all of your information whilst we provide a service and until any possible legal responsibilities or liabilities have ended. This means that we will normally hold your information for:

• when providing transfer value analysis to your financial advisers, a period of six years following the end of our services to your financial adviser. Your financial adviser may, however, ask us to retain information for longer for legal or regulatory reasons; and
• otherwise 12 years.

At the end of this period we will securely destroy your information unless we are instructed to retain it by the client.

Where we as a company act as a Data Controller

We may retain your information for a number of reasons, including to demonstrate:

• that the pension scheme has complied with its rules;
• our compliance with regulatory rules (e.g. HMRC, the Financial Conduct Authority, the Pensions Regulator, the UK Listing Authority);
• our compliance with the Companies Act;
• our compliance with actuarial practice; and
• that we meet our contractual and/or legal obligations and to establish, exercise or defend legal claims whilst we provide, and post expiry of, services.

This means that we keep personal data whilst we provide our services, even if you cease to be a member, and following the termination of our services to the pension scheme trustees and/or sponsoring employer, until any possible legal responsibilities or liabilities have ended. This means that:

• we will normally hold personal data for 12 years following our ceasing to provide services. However, in a small number of cases, the Financial Conduct Authority requires records to be retained indefinitely (relating to pension transfers into personal pensions from defined benefit schemes);
• when providing Expert Witness services, we will normally hold your personal data only until the case has completed, and thereafter only hold the letter of instruction, oura calculations and our report. These will be held for a period of seven years once our appointment has terminated. Any other information will be destroyed upon termination of the action;
• our share registrar shall retain shareholders’ personal data for the duration of your entry on the (shareholders’) register of members and for a period of up to 12 years following your last entry on the register or completion of services, e.g. payment of unclaimed dividends;
• we shall keep your information so long as required to provide you with our marketing communications. If you decide to opt out of our communications, we shall retain limited information on a suppression list in order to ensure we do not add you back onto our mailing list and to demonstrate compliance with this legal obligation; and
• if you are an XPS SIPP or XPS SSAS property tenant, we shall keep your information whilst we provide services to our clients, even if you cease to be a property tenant, and following the termination of our services to our clients until any possible legal responsibilities or liabilities have ended. This means that we normally hold personal data for 12 years following our ceasing to provide services. We do not use your data to provide you with marketing communications.

How secure is your data?

We have formal documented Information Security and Data Protection policies that set out the security measures currently implemented and maintained. These core policies are supported by additional policies covering the use of data encryption, the physical security of offices and data centres and acceptable usage of email, internet facilities and telephone. Copies of these policies are available on request.

Changes to this privacy notice

We reserve the right to make changes to this privacy statement at any time by amending this page.

How to complain

If you’re not happy with how we process your data you will have the right to complain to the Information Commissioner and we can provide details about how to do that. We can be contacted at the addresses below:

Contacting us

• [Pension scheme name] XPS Pensions Group, Phoenix House, 1 Station Road, Reading RG1 1NB
• XPS Expert Witness, XPS Pensions Group, Phoenix House, 1 Station Road, Reading RG1 1NB
• [SIPP or SSAS name] XPS SIPP Services Limited, Scotia House, Castle Business Park, Stirling FK9 4TZ