Data Protection Notice – Pension Scheme Members


This section of this data protection notice is aimed at providing specific privacy information to individuals who are scheme members, either an active member or a deferred member.

Active Members

You are an active scheme member where you are currently contributing into a pension scheme with us. You will be enrolled into your pension scheme through your current employer. Personal information has been provided about you by or on behalf of your employer to us, and will continue to be shared with us whilst you continue your employment with your employer and contribute to your pension scheme with us to enable us to provide the relevant pensions services.

Deferred Members

You are a deferred scheme member where you were previously contributing into a pension scheme with us through your employment, and no longer contribute into the pension. You may no longer contribute to the pension because your circumstances have changed, because you have opted out of the pension or because you are no longer employed with the employer with whom you had a pension scheme with us. Personal information has been provided about you by or on behalf of your employer. Once your deferred status has been processed, and unless you become an active member of the scheme again, it is unlikely any further information about you will be provided by your employer (or former employer) to us.

Identity of the data controllers/responsible entities

Your employer or former employer (as relevant) and the Trustee will process your personal data and sensitive personal data as data controllers; and we will process your personal data and sensitive personal data as data controller if we are required to undertake such processing for our own independent purposes, including for the purposes of providing any specialist services to your employer or the Trustee and to the extent necessary for us to comply with our statutory role as scheme administrator, and in all other cases we will be a data processor acting on behalf of your employer (or former employer) and/or the Trustee.

Where we are acting as joint data controllers with your employer (or former employer) and/or the Trustee, each employer and the Trustee have entered into agreements with us to determine our respective obligations for compliance with data protection law with regard to the scheme. They have agreed that personal data will not be retained longer than is necessary for the purposes for which they were collected, that the employer and Trustee will implement appropriate security measures, and that we are the point of contact for all queries and requests regarding the processing of your personal data in the scheme (although you can also contact your employer/former employer with questions).

What information is collected?

We collect a range of personal data, either:

      • directly from you when you enter information via the member portal (and this may be combined with other information collected when you complete a form on our website, or a paper form)
      • from information that you post online when you contact us on social media
      • from your employer or former employer(s), or
      • from third parties, such as payroll bureaux used by your employer or your IFA or your power of attorney or providers of investigation services in relation to “gone away” members (if relevant).

This information will relate to you being a member of the scheme and is used in order to manage your membership. Whilst you are an active member of the scheme we receive information about you regularly from or on behalf of your employer to enable us to provide the relevant pensions services. When you are a deferred member, it is likely that information will no longer be continually provided to us as you are no longer an active member of the scheme. However, for as long as your pension remains with us we will process your information for the purposes of managing your pension scheme.

Additionally, you may provide further information to us in respect of your pension. As you near retirement, it is likely more personal data will be provided including sensitive personal data. For example, you may provide us with details of your beneficiaries; or information relating to your health.

We process (e.g. collect, use, disclose, store) the following information for the purposes explained below:

Data Purpose(s)

(see “Why do we use your information?”)

Your contact details including name, address, telephone and e-mail address (A), (B), (D) and (E)
Your identification details, including national insurance number, a copy of your ID (i.e. birth certificates and marriage certificates – usually when members want to take their benefits), sex / gender and date of birth (A), (B), (D) and (E)
Your family details, including those relating to spouses, dependents and beneficiaries (which may in some cases reveal sensitive personal data relating to sex life or sexual orientation, although no processing activities are focused on this), proof of relationship such as marriage certificates and birth certificates of dependents, or divorce certificates (where a beneficiary is being removed due to divorce) or death certificates (A), (B), (D) and (E)
Your lifestyle and social circumstances relevant to your pension (C) and (D)
Your employment details, including payroll number and eligibility information (A), (B), (D) and (E)
Your financial details, including salary information, as your pension is likely to be calculated based upon your pay and your business activities, and bank account details for payment of benefits (A), (B), (D) and (E)
Information relating to your health, including medical reports, for example if you retire early due to ill health Either we request your explicit consent (or you have made this information public), or (A) applies
Information about your use of our information systems (including the member portal and the NOW: Pensions website) (C)
Criminal records / offences information, where it is necessary to take a lien against a fraudulent member’s benefits (A)

Why do we use your information?

The main reasons that we, together with our third party administrators and service providers, process your personal data and sensitive personal data are for the purposes of: 

(A) Legal and regulatory compliance This includes where we are required or authorised to process your information based on a legal obligation, including applicable laws relating to employment, pensions, tax, establishing, exercising or defending legal claims and reporting to regulators such as The Pensions Regulator.
(B) Contract performance and management This includes where processing of your information is necessary to perform the agreement(s) to provide pensions services to the Trustee and / or your employer, which you will directly benefit from, including to facilitate your access, provide resources to you, contact you about your pension scheme and to notify you about changes to our services.
(C) Improving our products / services This includes where the processing is necessary to enable us to gain insight into your use of our services and information systems (including the member portal and the NOW: Pensions website) in order to make improvements to these, so that we can enhance your experience of using our services.
(D) Managing operations This includes the normal business practices related to our day-to-day business activities, including internal administration within our corporate group, corporate governance, effective systems and process management, planning and budgeting, financial management (including for the benefit of members), resource management, mergers and acquisitions, including due diligence and audits, internal auditing, supplier management and complaints management.
(E) Managing security and preventing fraud or unlawful activities This includes for securing our IT network and systems (including the member portal) and company information, preventing fraud or other unlawful activities such as money laundering, verification and credit risk reduction, processing carried out in accordance with regulatory guidance and reporting possible criminal acts.
(F) Marketing This includes where processing of your information is necessary to provide you with carefully selected marketing about our products and services (in accordance with legal requirements and your preferences).

NOW: Pensions relies on the following legal basis to process your information:

      • to comply with our legal obligations, including those listed in (A) above
      • for the purposes of our and the Trustee’s respective legitimate interests in ensuring effective operational management and internal administration, network and information security, prevention of fraud and other unlawful activities, reporting of criminal acts, verification and credit risk reduction, compliance with regulatory guidance, establishment, exercise or defence of legal claims and/ or website, product or service improvement.

*You can object to processing based on legitimate interests at any time by contacting us at Please refer to the “Your Rights” section of the Privacy Policy for more information about how this works and the exceptions to this.

We process your sensitive personal data where we have asked for your explicit consent or otherwise:

      • where this is necessary for carrying out obligations under employment, social security or social protection law, insofar as authorised by EU or members state law or a collective agreement
      • where this is necessary for the establishment, exercise or defence of legal claims, or
      • from time to time, where you have obviously made such sensitive personal data public (e.g. on social media or on a public register).

In certain circumstances, we ask for your consent to process personal data or your explicit consent to process sensitive personal data in specific ways. Where this is the case, we will ask you to indicate that you agree by ticking a box, making a statement or taking other affirmative action. You can always withdraw your consent if you change your mind later.


Do we disclose personal and sensitive data outside the European Economic Area?

The data that we collect from you will be stored and processed within the United Kingdom and Europe. The data that we collect from you may also be transferred to, stored and processed at a destination outside the European Economic Area (EEA) by us, the Trustee or our third party administrators or service providers (see below). All information you provide to us or the Trustee is stored on our secure servers or stored on the secure servers of our third party administrator or third party service providers. We and the Trustee will take all steps reasonably necessary to ensure that your data is adequately protected and processed in accordance with data protection laws, this data protection notice and our Privacy Policy.

We ensure that adequate safeguards are in place for all transfers of personal data outside the EEA that do not have an “adequacy decision” from the European Commission in the form of approved EU model clauses and / or EU-US Privacy Shield, as relevant.

Do we disclose personal and sensitive data to others within or outside of our group companies?

We, the Trustee, our third party administrators and service providers have access to your personal and sensitive personal data for the purposes stated above. We share information within our corporate group, as necessary for the effective provision of pension services, and for internal administration, corporate governance and legal and regulatory compliance purposes. For further information about our corporate structure, see:

The recipients of your personal data outside our group companies may include (as relevant to the services being provided) the following:

      • Our third party pensions administrator;
      • IT providers (including suppliers of systems, software, maintenance, rectification and hosting services);
      • marketing services and solutions providers;
      • third party solutions that support our customer relationship management systems and complaints processes;
      • from time to time, specialist consultants (but usually on an anonymised and aggregated basis) and providers of investigation services in relation to “gone away” members; and/ or
      • providers of data cleanse services to improve the quality and accuracy of the data held.

Recipients of your personal data outside our group companies may also include credit reference agencies to carry out address verification or address forwarding checks. The checks are carried out in order to verify your current address or email address. Address verification is carried out electronically and will not be visible to lenders and will not affect your credit rating. For further information, please refer to the following Credit Reference Agency Information Notice:

Where we have appropriate consent from you, we may use your data (or permit selected third parties to use your data), to provide you with information about goods and services which may be of interest to you and we (or the third party) may contact you about these by post, telephone or by e-mail. If you do not want us to use your data in this way, or to pass your details on to third parties for marketing purposes, please unsubscribe to the relevant marketing. You can also exercise the right at any time by contacting us at

Additionally, we or the Trustee may disclose your personal information:

      • if we, the Trustee or our group companies, sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
      • in order to enforce other agreements you may have with us;
      • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation or to protect our rights, property or our safety or the safety of our customers or others. This includes exchanging information with other companies and organisations for the purposes of verification, fraud protection and credit risk reduction.

How long do we retain your data?

We and the Trustee retain your personal data only for as long as necessary for the purpose for which this is being processed. As the purpose for our processing your personal data is directly linked to your pension, or the provision of a pension to your employees, we may retain personal data until and following your retirement or the retirement of your employees, to the extent this is required in order to manage our and the Trustees obligations in respect of your pension. Otherwise, we retain personal data in accordance with statutory retention periods, or for so long as necessary for the establishment, exercise or defence of legal claims.

How do we protect personal and sensitive data?

We take appropriate steps to protect the data provided to us both online and off-line. We use up to date storage and security techniques to protect your personal and sensitive personal data from unauthorised access, improper use or disclosure, unauthorised modification or destruction or accidental loss. All our employees and any third parties we engage to process data are obliged to respect the confidentiality such data provided to us and as required under applicable data protection or other legislation.

For further information please refer to our Privacy Policy. Questions, comments and requests regarding this data protection notice are welcomed and should be addressed to For customer service queries please go to

We have appointed a data protection officer who can be contacted at if you want to make a request to exercise any of your rights above or you have any concerns about the way in which we have handled your personal data.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues ( We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Last Updated: October 2019

NOW: Pensions has a good technical infrastructure combined with a pension product suitable for our team. We couldn’t be happier with NOW: Pensions.
Martin Woods,