Privacy policy
This Privacy Policy covers the data processing performed by NOW:Pensions Ltd and NOW:Pension Trustee Ltd.
NOW:Pensions Ltd (‘now:pensions’, ‘we’, ‘us’ or ‘our’) provide the Scheme to employers and help them comply with their duties under ‘automatic enrolment rules’ which are about enrolling their employees into a workplace pension scheme. Essentially, we are responsible for the day to day running of the authorised master trust known as the NOW: Pensions Trust (referred to as the “Scheme”). We also do other things like offer members, employers and other business contacts the chance to know about our new initiatives and (where this is compliant under data protection laws) send them marketing and link them up with other companies in the same group as us so that they can send their own marketing about their own products and services too (but always subject to preferences). Everything we use your personal data for is explained in more detail below.
NOW:Pension Trustee Ltd (“Trustee”) is an independent corporate trustee body. The Trustee is responsible for ensuring that the Scheme is run in the best interests of its members, and in line with the Scheme rules and the law.
This privacy policy applies to all members (both active and deferred), former members, beneficiaries, potential beneficiaries, and dependents of the Scheme. These are people who either do or might have, or who did have, an entitlement to a benefit from the Scheme.
You are a “member” of the Scheme because your employer uses (or used) the Scheme as their workplace pension provider and either they or somebody else gave us some information about you to auto-enrol you in the Scheme (in other words, to put you in the Scheme).
This privacy policy is also relevant to you if you are our contact at an employer, financial adviser, adviser representative, or at any other third party who has enrolled employees into the Scheme, or if you are any other adviser, or another person who looks after the employer’s account with us.
This privacy policy also applies to visitors to our website and other individuals who contact us or interact with us through our website, competitions, surveys and in all other ways. It also applies to contacts at the Trustee’s and our own advisors, payroll bureau and to job applicants.
It also applies to persons who have a power of attorney for members, other persons helping members with their affairs, professionals who are relevant to what the Scheme does such as solicitors, doctors, accountants, auditors, and to all other persons potentially relevant to or dependent on the deceased member in the context of discretionary decision making about pension entitlements under the Scheme.
In other words, this privacy policy applies to everybody who interacts with us and/or the Trustee, except for our own employees and other staff.
You will find information in this privacy policy about how we collect and process personal data (which also includes special category data and criminal convictions and offences data) for those things set out above.
It is important that you read this privacy policy together with any other privacy policy or fair processing notice that we may provide from time-to-time so that you are fully aware of how and why we are using your data, and how to exercise your rights. For example, if we ask you to fill out a data collection form and provide you with a supplementary privacy policy, it will apply as well as this one. If there’s any overlap or conflict, unless we say otherwise, it’s the supplementary privacy policy that will apply first.
This Privacy Policy describes how we process your personal data in our capacity as a “controller”. “Controller” and “processor” are legal terms defined in data protection laws, which for our purposes means the UK General Data Protection Regulation and the Data Protection Act 2018. Where we act as a controller, this means we are responsible for the processing of personal data. We act as a controller for example when providing any specialist services to the employer or the Trustee (using our own skill and judgment) and to the extent necessary for us to comply with our statutory role as scheme administrator.
In some other cases we will be a processor acting on behalf of the employer and / or the Trustee. This means we are acting on their instructions to process the personal data.
Sometimes (though rarely) we are joint controllers with the Trustee and that means we both make joint decisions about how and why your personal data is used and processed. For employers, further details are set out in our Participation Agreement. That’s what will govern what we each need to do to look after your personal data in compliance with data protection laws. For this, we have agreed with the Trustee that personal data will not be retained longer than is necessary for the purposes for which they were collected, that appropriate security measures will be implemented, and that we are the point of contact for all queries and requests regarding the processing of your personal data in the scheme and the exercise of your rights under data protection laws.
There are other third parties who we share data with who are also controllers, meaning they make their own decisions about the way they use your personal data to provide their services, perform their functions, or comply with their regulatory requirements. In such a case, they have responsibilities as controllers in their own right. One example would be our legal advisors and auditors and those of the Trustee. This means that they are subject to the same legal obligations as us in relation to your information, and the rights you have in relation to your information apply to them, too. If you want any more information from those other organisations who receive your personal information from us, or to exercise any rights in relation to the information they hold, please contact us and we will put you in touch with them.
Where you are a member, an employer or a contact acting on behalf of an employer or relevant third-party, the relevant sections of this privacy policy will set out further detail about who controls your information and other relevant matters (and if you are an employer, the contract we enter into with you will also include detail on this).
Yes. Take a look at the “How to Contact us” section below if you’d like to contact them.
Yes. Take a look at the “Your Rights” section below if you’d like to do that.
Who is the controller varies depending on the purposes of the processing. What you need to know is we and/or the Trustee will be responsible for what we do with your personal data when we are running the Scheme and when the Trustee is doing what they need to do at law. But sometimes what we do for your employer might mean we are their processor in relation to some specific tasks – take a look at the paragraphs directly below for more detail about that.
Where we are providing the Employer Services (and these are defined in our contract with employers called the ‘Participation Agreement’), the employer (our client) is the controller, and we are the processor. Where we are acting as a processor, we may engage sub-processors to help us provide the services. A list of the sub-processors that we use is available to employers upon request.
Where the Trustee is providing DC Pension Services, the Trustee is the controller (and we are the processor), except where we are acting in our statutory role as Scheme Administrator under the Finance Act 2004, where we would be the controller.
Where we are processing personal data for our own business purposes; for example, for the processing of client data, we are the controller.
For the avoidance of doubt, neither us nor the Trustee are in a joint controller relationship with employers, as there is no situation or type of processing where that relationship arises.
Data is gathered from different sources and used in different ways depending on who you are and how you interact with us. We collect a range of personal data, either:
- directly from you when you enter information via the website, member portal or the now:u app (and this may be combined with other information collected when you complete a form on our website, or in now:u, or a paper form);
- directly from you when you provide information through the pensions dashboards ecosystem (for more information see “Pensions Dashboards” below, or please refer to the Pensions Dashboard website here, and their privacy notice here);
- indirectly through the pensions dashboards ecosystem (including the identity service, the pension finder service, the consent and authorisation service). Where we obtain personal data from the dashboards ecosystem, or during the process of matching members with their scheme benefits for dashboards purposes, we may retain that data to help demonstrate how and why we concluded that the person is a member entitled to receive information about their benefits on dashboards and to help us administer the scheme.
- from information that you post online when you contact us on social media;
- from your employer or former employer(s);
- from third-parties, such as payroll bureaus used by your employer or your IFA (which means (if you have one) your independent financial advisor) or the person to whom you’ve given a power of attorney over your affairs, or tracing agencies who are companies helping us to find “gone away” members who might have moved from their address without notifying us, or
- other sources such as another scheme if you have transferred benefits from that scheme, government departments such as HMRC and DWP and publicly accessible sources (e.g. the electoral roll or tracking and tracing services) if we have lost touch with you and we are trying to find you.
This information will relate to you being a member of the Scheme and is used in order to manage your membership, allow us to pay benefits to you and meet other legal requirements in relation to the running of the Scheme. Whilst you are an active member of the Scheme we receive information about you regularly from or on behalf of your employer to enable us to provide the relevant pensions services. When you are a deferred member, it is likely that information will no longer be continually provided to us as you are no longer an active member of the Scheme, unless you have provided information to find and discover any lost pots that we have through the pensions dashboards ecosystem. However, for as long as your pension remains with us we will process your information for the purposes of managing your pension Scheme.
Additionally, you may provide further information to us in respect of your pension. As you near retirement, it is likely more personal data will be provided including special category data. For example, you may provide us with details of your beneficiaries; or information relating to your health. Data about beneficiaries and your health may be relevant at other times too (not only when you near retirement).
Please refer to the appropriate sub-heading below to find out more.
Visitors to our website, portal or now:u app
When you visit our website www.nowpensions.com, log-in to our member portal which is available from our website, or use the now:u app, we may collect information about your computer or other device including your IP address, operating system and browser type, for the purposes of system administration and making product /services improvements. This is statistical data about our users’ browsing actions and patterns and we do not use it to identify any individual. We may also collect details of your visits to our site, portal or now:u app including, but not limited to, traffic data, location data, weblogs and other communication data and the resources that you access. We use this to ensure content is presented in the most effective manner for you.
We also collect information through the contact forms on our website and in the now:u app, and also information that you post online when you contact us on social media. Information may also be collected from cookies; please refer to the cookies section below for further information.
People who call our helpline
When you telephone us or receive a telephone call from us, we may record the calls for training and quality purposes. You will usually be notified of this on the call. The legal basis for processing your information in this manner is legitimate interest. Certain telephone calls are received by our third-party administrator on our behalf. We may also use Calling Line Identification information and where we do, this information will be used to provide our services and offer assistance in order to improve our efficiency.
People or organisations who contact us
When you contact us or obtain services from us, we may save your details in order that we might provide you with information you have requested from us and that will be for our legitimate interests. We may also do this in order to provide you with information which we feel may interest you, where it is in our legitimate interest (and where data protection laws allow us to provide marketing to you on the basis of legitimate interests) or where you have consented to be contacted for such purposes. We will let you know when we need your consent. In all cases, whether we ask for a consent or not, you can stop our marketing, i.e. opt-out of hearing from us at any time by changing your preferences in the ‘personal details’ section of now:u or by contacting us at DPO@nowpensions.com.
Competitions
From time-to-time we may run a competition, in which case we will be named as the promoter of the competition. Please refer to the competition terms and conditions for specific information on how we will use your personal data in relation to the specific competition you enter. Any personal information provided by you in the competition entry may be held and used by us or our agents and suppliers in order to administer the competition in accordance with the competition terms.
Surveys and focus groups
If we have previously had contact with you, we may get in touch from time to time to ask you to complete a survey which we will use for research purposes. Where we send surveys to you, you do not have to respond to them. You can also let us know if you would not like to be contacted in this way at our address above or whenever you communicate with us in the usual course. Surveys may be hosted by third-party service providers, please refer to any privacy information contained on the survey invite. Any personal information provided by you in the survey entry may be held and used by us or our relevant agents and suppliers in order to manage the survey. Where we state the survey you enter is anonymous, no identifiable personal data will be processed and where applicable, we will use data only in an anonymised and aggregate format.
We may, with the help of our marketing team, run focus groups about various topics (such as the marketing we do, or other proposed campaigns, or financial wellness or other initiatives). These focus groups may be relevant to employers and/or members. We rely on your consent to process your personal data if you sign up to be a part of one of our focus groups. We engage a third-party supplier, called Signify, who help us run these focus groups. They are our processor (which means they process your data on our behalf). Signify use their own sub-processor, currently called Hook, to help them do this. It’s Hook rather than Signify who use your data for us. When you consent to the use of your personal data as part of signing up to the focus group, this includes consent to share data with our processor Signify Group Limited and their sub-processor Hook Research Limited (or any replacement provider from time to time).
now:pensions’ services
The information required in order to run the Scheme and provide our pensions services, may be provided as appropriate through contact with our help centre, on our website www.nowpensions.com, via the employer or member portal or the now:u app. The information includes:
- Core details about you, including your name, previous or alternate names, date of birth, national insurance number (“NINO”) and/or partial or “dummy” NINO, gender and bank account information (where benefits are in payment),
- Contact details (including your address, former address, phone number and email address),
- Family details (including whether you are married or in a civil partnership), lifestyle and social circumstances,
- Employment details, financial details, business activities, health details and other personal details relevant to the provision of pensions services,
- Details of benefits under the Scheme, including contributions paid, service dates and projected benefits,
- Details of any benefits earned in a previous pension arrangement, if you have transferred these into the Scheme,
- If your benefits from the Scheme derive from your employment, details of your employer when you were building up benefits in the Scheme, how long you worked for them and your salary from time to time,
- If your benefits from the Scheme form part of a divorce settlement, details of that settlement,
- Personal details of any relatives or individuals you may have named as potential beneficiaries in the event of your death,
- Correspondence received about you from HMRC, relating to periods of service when you may have been contracted out of the upper tier of the state scheme,
- Correspondence that we may have received about you from your appointed independent financial adviser, and
- Electronic “pension identifiers” for pensions dashboards (explained below).
We, and the Trustee, together with our group companies, third-party administrators and services providers, process this information in order to provide our pensions services and to facilitate your access, provide resources to you, contact you about your pension Scheme and to notify you about changes to our services.
We also have a legal obligation to carry out due diligence checks in the event of a pension transfer request, which may mean that we are obliged to ask you for additional information.
For instance:
- If you wish to transfer out of the Scheme into another occupational pension scheme, we have to request evidence that demonstrates an “employment link”. This could include a letter from your employer confirming your employment, a schedule of contributions, payslips and bank statements (the bank account detail on your payslip might be different from the bank details we hold for you).
- If you request a transfer out of the Scheme into an overseas pension scheme, we are legally obliged to check that you are resident in the same country as that scheme. This evidence might include utility bills, TV subscriptions, insurance documents relating to your overseas home, address, bank account and credit card statements, evidence of local tax being paid and registration of address with local doctors.
Pensions Dashboards
The government has created a framework for pensions dashboards, designed to help people access information about their pensions online in one place. As part of this, we are required by law to match certain members (who search on dashboards) with their pensions under the Scheme. We must also provide certain pensions information to the dashboards ecosystem (including the identity service, the pension finder service, the consent and authorisation service) so that it can be displayed when certain members ask to see it on a dashboard.
These activities may involve sharing member data with entities within the dashboards ecosystem, non-commercial dashboards and commercial dashboards and with the provider(s)/the integrated service provider(s)/administrator we appoint to help us in connecting to dashboards, matching people with their pensions and complying with our other dashboards duties.
As part of these dashboards duties, we may also need to report information (which could potentially include personal data) to other bodies including the Money and Pensions Service, the Pensions Regulator and the Financial Conduct Authority.
Further information for members
If you are an employee whose employer has signed up to the Scheme, please refer to this section for more information on data protection. Your personal data or special category data may be provided by you or your employer to us and the Trustee. Your employer and the Trustee process your personal data and special category data as independent data controllers, we may process your personal data and special category data as controller or in certain circumstances as processor (as explained above).
You are an active Scheme member where you are currently contributing into the Scheme. You will be enrolled into your pension scheme through your current employer. Personal information has been provided about you by or on behalf of your employer to us, and will continue to be shared with us whilst you continue your employment with your employer and contribute to the Scheme to enable us to provide the relevant pensions services.
You are a deferred Scheme member where you were previously contributing into the Scheme through your employment, and no longer do that. You may no longer contribute to the Scheme because your circumstances have changed, because you have opted out of the Scheme, or because you are no longer employed by the employer who put you into the Scheme. Personal information has been provided about you by or on behalf of your employer. Once your deferred status has been processed, and unless you become an active member of the Scheme again, it is unlikely any further information about you will be provided by your employer (or former employer) to us.
Information for beneficiaries and dependents
If you are a beneficiary (or potential beneficiary) nominated by a member under the Scheme, or a dependent of a member of the Scheme, or someone potentially relevant to, or dependent on, a member of the Scheme, your personal data will have been provided to us by the member or by you if you have contacted us. Most of the time, we only hold basic contact details for you such as your name, address, date of birth and your relationship status. We may also receive health data about you where the member has provided us with information (or you have told us this) which is relevant to your dependency or in the context of our discretionary decision making about pension entitlements. Then, when it becomes relevant, we may request additional information from you or the member such as bank account details or source other important information to enable us to pay the entitlement to you or assess your eligibility.
You can contact Member Support through now:u, at saver-support@nowpensions.com or by visiting our website www.nowpensions.com for additional information.
Information for other relevant parties connected to members
We have information about you if you are connected to a member in the Scheme, for example if you are someone acting on behalf of the member under a Power of Attorney, are an executor or a friend providing support or assistance with the affairs of the member. You may have corresponded with us directly in which case we will have your name and contact details, or the member may have provided information about you to us.
We may also have information about you if you have supported the member in a professional capacity, for example if you are a doctor, solicitor or financial adviser.
If you have questions about the data we hold about you, please get in touch with us. Lots of the information in this privacy policy will be relevant to you (such as how you can exercise your rights and contact our DPO).
Information for employers
If you are an employer who has signed up to the Scheme, please refer to your Participation Agreement with us and this section for more information on data protection. As an employer you will provide us with your personal data or personal data relating to individuals in the Scheme on their behalf; and you will also provide personal data and may provide special category data relating to your employees and workers to us and the Trustee. You and the Trustee will process personal data and special category data as independent controllers, we may process personal data and special category data as controller or in certain circumstances as processor acting on behalf of the employer and/or the Trustee.
We collect a range of personal data, either:
- directly from you when you enter information via the employer portal (and this may be combined with other information collected when you complete a form on our website, or a paper form);
- from third-parties acting on behalf of the employer such as payroll bureaus;
- from information that you post online when you contact us on social media; or
- from third-parties from time to time.
The information provided by you will include personal data and may include special category data relating to:
- you (where you are an individual employer, such as where you are a sole trader, or the representative or contact point for an employer or other relevant third party); or
- your employees and workers, or those of the organisation that you represent and / or in relation to which you are providing personal data to us.
Information will be provided by you to us regularly whilst the employer’s pension scheme remains with us, and whilst the relevant employees or workers remain in employment with the employer and remain active members of our pension Scheme. Additionally, you / your employer will provide us with your personal data in order for us to manage the pension Scheme on behalf of the employer. For example, we may have your personal and contact details as representative(s) of an employer under the Participation Agreement.
You may also provide us with the contact details of other individuals who may be managing the administrative aspects of the pension Scheme on your behalf. Where you are providing personal data relating to someone else, you / the employer is responsible for obtaining and maintaining the necessary consent of such individuals or satisfying an alternative legal basis to enable us to process their personal data on the employer’s behalf.
For more information about what data we process and why, please refer to the table in the “What information is processed?” section below.
What information is processed (e.g., collected, used, disclosed, stored)?
We and the Trustee are committed to protecting and respecting your privacy. This privacy policy (together with the terms of use on our website and in our now:u app) sets out the basis on which we and the Trustee process your personal data which you have provided to us in those ways, or in other communications with us. It provides you with certain information that we are obliged to make you aware of under data protection laws.
If you are an employer, or a service provider, or another business, meaning you have a contract with us and/or the Trustee, please refer to the contract you have with us for more information on data protection and how we and the Trustee use your personal data.
In all cases, please read the following carefully to understand what personal data may be used and for what purposes:
| Data | Purpose(s) (please refer to “Why do we use your information?” below to understand the references given) | Applicable Category of Data Subject. If you are not specifically mentioned below, please search for the data you or somebody else gave to us to see what purposes it’s used for. |
| --- | --- | --- |
| Your contact details including, but not limited to, name, previous or alternate names, personal address or former address (for members), business address (for employers), telephone and e-mail address | (A), (B), (C), (D), (E), (F) (G) and (H) | Member, Employer, Job Applicants |
| Your identification details, including a copy of your ID (where relevant), for employers, and the following for members: national insurance number (“NINO”) and/or partial or “dummy” NINO, birth certificates and marriage certificates – usually when members want to take their benefits, sex / gender and date of birth | (A), (B), (D), (E) and (G), (H) | Member, Employer, Job Applicants |
| Your family details, including those relating to spouses and whether you are married or in a civil partnership, dependents and beneficiaries (which may in some cases reveal special category data relating to sex life or sexual orientation, although no processing activities are focused on this), proof of relationship such as marriage certificates and birth certificates of dependents, or divorce certificates (where a beneficiary is being removed due to divorce) or death certificates | (A), (D), (E) and (G) | Member |
| Job title / role details | (A), (B), (D), (G) and (H) | Employer, Job Applicants |
| Your lifestyle and social circumstances relevant to your pension | (A), (C), (D) and (G) | Member |
| Your employment details, including payroll number, eligibility information, details of your employer, how long you worked for them and your salary from time to time | (A), (B), (D), (E) and (G) | Member |
| Your financial details, including salary information, as your pension is likely to be calculated based upon your pay and your business activities, and bank account details for payment of benefits | (A), (B), (D), (E) and (G) | Member |
| Bank Account Details | (B), (D) and (E) | Employer |
| Information relating to your health, including medical reports, for example if you retire early due to ill health | Either we request your explicit consent (or you have made this information public), or (A) applies | Member |
| Correspondence received about you from HMRC, relating to periods of service when you may have been contracted out of the upper tier of the state scheme | (A), (D) and (E) | Member |
| Correspondence that we may have received about you from your appointed independent financial adviser | (A), (D) and (E) | Member |
| Electronic “pension identifiers” for pensions dashboards | (A) and (C) | Member |
| Information about your use of our information systems (including the member or employer portal, the now:pensions website or the now:u app) and how you interact with the Scheme in other ways (this can be relevant to conducting surveys, research and having focus groups) | (C), (F) and (G) | Member, Employer |
| Criminal records / offences information, where it is necessary to take a lien against a fraudulent member’s benefits | (A) | Member |
| Your CV data, education results, work experience, significant achievements, etc or any other information provided by you during the recruitment process (including any tests undertaken) | (A), (C) and (H) | Job applicants |
The main reasons that we and the Trustee, together with our third-party administrators and service providers, process your information are for the purposes of:
| (A) | Legal and regulatory compliance | This includes where we are required, permitted or authorised to process your information based on a legal obligation, including applicable laws relating to employment, pensions, tax, establishing, exercising or defending legal claims, compliance with Pensions Dashboard requirements, and reporting to or responding to requests from regulators such as The Pensions Regulator. |
| (B) | Contract performance and management (this is not relevant to members) | This includes where processing of your information is necessary under the Participation Agreement to provide pensions services to the employer and for the benefit of its employees (including potential beneficiaries), including to facilitate your access, provide resources to you, contact you about the pension scheme and to notify you about changes to our services. |
| (C) | Improving our products / services | This includes the use of your data for the testing of our information systems (including the employer and member portal, connecting to the Pensions Dashboard ecosystem, the now:pensions website and the now:u app) and where the processing is necessary to enable us to gain insight into your use of our services and information systems in order to make improvements to these, so that we can enhance your experience of using our services. |
| (D) | Managing operations | This includes the normal business practices related to our day-to-day business activities, including internal administration within our corporate group, corporate governance, effective systems and process management, planning and budgeting, financial management (including for the benefit of members), resource management, mergers and acquisitions, including due diligence and audits, internal auditing, supplier management and complaints management. |
| (E) | Managing security and preventing fraud or unlawful activities | This includes securing our IT network and systems (including the member or employer portal, the now:pensions website and the now:u app) and company information, preventing fraud or other unlawful activities such as money laundering, verification and credit risk reduction, processing carried out in accordance with regulatory guidance and reporting possible criminal acts. |
| (F) | Marketing* | This includes where we process your information to provide you with carefully selected marketing about our products and services and/or those of our affiliates (including Mercer Limited and/or other members of the Marsh McLennan group) or other third parties that we think you might be interested in (in accordance with legal requirements and your consent where applicable). Those other companies might contact you directly for this purpose (again, in accordance with legal requirements and with your consent where applicable). |
| (G) | Research, surveys, focus groups | This includes the requirements placed on us and the Trustee to develop a Scheme that aims at meeting, on an on-going basis, the needs of its members, participating employers, and intermediaries. In order to do so, we and the Trustee may from time-to-time conduct research and/or surveys which may require the use of your personal information. These activities may also include us sharing your personal data with government bodies or departments, as well as with third-party research partners (such as universities, think tanks, market research agencies, survey providers etc.). |
| (H) | Progressing your job application | During the recruitment process we may ask you to provide information so we can assess you for the role you have applied for and conduct interviews. We may produce our own data by creating interview notes or other assessment notes. |
Generally, we do not rely on consent as a legal basis for processing your personal data, except in certain circumstances when we (or another part of our group) need consent to send you direct marketing or where we need explicit consent to process special category data for example about your health (see more on this below). We will only use your personal data when the law allows us to. Most commonly, we will process your personal data:
- to comply with our legal obligations,
- for the performance of a contract with you (where you are an individual employer) or for your benefit or to take steps at your request prior to entering into this contract, or
- for the purposes of our and the Trustee’s respective legitimate interests in ensuring effective operational management and internal administration, network and information security, prevention of fraud and other unlawful activities, research, reporting of criminal acts, verification and credit risk reduction, compliance with regulatory guidance, establishment, exercise or defence of legal claims, website, product / service testing and improvement, and for direct marketing.
*In certain circumstances, you can object to processing based on legitimate interests at any time by contacting us at DPO@nowpensions.com. Please refer to the “Your Rights” section of this privacy policy for more information about how this works and the exceptions to this.
We process your special category data where we have asked for your explicit consent or otherwise:
- where this is necessary for carrying out obligations under employment, social security or social protection law, insofar as authorised by domestic law (that means where applicable laws here mean we are able to use your data) or a collective agreement (this is unlikely to be relevant but it’s mentioned here for completeness);
- where this is necessary for reasons of substantial public interest;
- where this is necessary for the establishment, exercise or defence of legal claims; or
- from time-to-time, where you have obviously made such special category data public (e.g., on social media or on a public register).
Where we need your explicit consent to process your special category data, we will ask you to indicate that you agree by ticking a box, making a statement or taking other affirmative action. You can always withdraw your consent if you change your mind later but please keep in mind that might limit what we can do for you (for example, if you want to apply to retire early on ill health and give us that consent then withdraw it, we won’t be able to consider your application).
The now:u app may send you reminders or “nudges” that relate to your pension pot or retirement goals. We may send you these “nudges” by email including (but not only) if you use our website portal instead of the now:u app. So this means even if you use the now:u app you might still get nudges by email (just like website portal users may do). Under data protection laws we either rely on our legitimate interests to justify using your personal data to send these nudges to help you with your financial goals and make good decisions towards your retirement, or we rely on our legal or regulatory obligations.
This is relevant if you’re an employer or member. We may carry out data matching to verify that the information we hold on you is accurate and up to date. We usually do this each year. Data matching involves comparing sets of data, such as information contained in different records against other records held either by us or by another body to see how far they match. The data sets usually include personal information. This can involve sharing your data with third parties (such as credit reference agencies) to verify the details we hold about you remain accurate, or if not, to allow us to correct our systems. Please note when we do share data with credit reference agencies for this purpose your data will not be used for credit scoring purposes. We and the Trustee have a legal obligation to ensure that the information we hold is accurate and will, therefore, process your data in this manner only to comply with our legal obligations. For example, employers may send us data each month about people who are not eligible for auto-enrolment and then we’d carry out a data cleanse to delete the data we don’t need.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so (unless notifying you of this would obstruct the purpose of the processing).
Our website uses cookies when you access our website and now:u app, which allow the website to recognise your device and store some information about your preferences or past actions. This helps us to provide you with a good user experience when you browse our website or now:u app and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them see our Cookie policy.
We and the Trustee will take all steps reasonably necessary to ensure that your data is adequately protected and processed in accordance with data protection laws and this privacy policy. The data that we collect from you will primarily be stored and processed within the United Kingdom. The data that we collect from you may, however, also be transferred to, stored and processed at a destination outside the United Kingdom by us, the Trustee, our group companies, or service providers (see below).
Any transfer of your personal data to a so-called ‘third country’ or international organisation outside of the United Kingdom will only ever take place where (i) the country to which your data is transferred is deemed to have an appropriate level of security to protect your personal data (equivalent to that of the UK), as determined by the ICO (this is known as an “adequacy decision”) or (ii) we have an “appropriate safeguard” in place, which may include ICO-approved model clauses between us and any joint controller or independent controller or processor or “binding corporate rules” (you can contact us for more information about the safeguards we use to ensure that your personal information is adequately protected in these circumstances, including how to obtain copies of this information – there is more information about binding corporate rules below), or (iii) with your consent (e.g. if you ask us to pay your pension to an overseas bank account because you are a resident there).
Our administrator, TCS, stores personal data in the United Kingdom but they also view data on-screens from India via a secure VPN. We have in place ICO-approved model clauses with TCS to govern this on-screen access from outside the United Kingdom.
We may also transfer data to the U.S. where we use service providers who are located there. For example, security logs are transferred to the U.S. and our emails are backed up by U.S. servers. We also share data with our affiliate, Mercer Limited, which means a transfer of data to the U.S. This transfer is protected by binding corporate rules which are held by Marsh McLennan (which Mercer Limited is a part of). Please see below for more detail on the binding corporate rules.
Binding Corporate Rules
Marsh McLennan holds UK Binding Corporate Rules (BCRs) for the transfer of personal data from the UK. BCRs are privacy standards approved by a supervisory authority for transfers of personal data within a corporate group. Marsh McLennan’s UK BCRs are approved by the UK Information Commissioner’s Office. Marsh McLennan holds UK BCRs in Controller and Processor forms.
When making transfers of personal data to group companies outside the UK, we usually rely on Marsh McLennan’s BCRs.
The summaries below set out the principles established by the EU and UK Controller and Processor BCR standards (you can click on these links below):
The Marsh McLennan entities that have signed the UK BCRs agreement are detailed in the lists below:
We take appropriate steps to protect the data provided to us both online and off-line. We use up to date storage and security techniques to protect your personal and special category data from risks that are presented by personal data processing during storage, transmission or otherwise, such as unauthorised access, improper use or disclosure, unauthorised modification or destruction or accidental loss. All our employees and any third-parties we engage to process data are obliged to respect the confidentiality of such data provided to us and as required under applicable data protection or other legislation.
However, where you have a password which enables you to access certain parts of our site, portal or the now:u app, you are responsible for keeping this password confidential and it is essential that you do not share your password with anyone.
We, the Trustee, our third-party administrators and service providers have access to your personal data for the purposes stated above. We share information within our corporate group, as necessary for the effective provision of pension services, and for internal administration, corporate governance and legal and regulatory compliance purposes. For further information about our corporate structure, see our trustee and our board on our website.
The recipients of your personal data outside our group companies may include (as relevant to the services being provided) the following:
- our third-party pensions administrator;
- IT providers (including suppliers of systems, software, maintenance, rectification, hosting services, printing services, and tracking and tracing services);
- marketing services and solutions providers;
- third-party solutions that support our customer relationship management systems, complaints processes and similar;
- government bodies or departments, as well as with third-party research partners (such as universities, think tanks, market research agencies, survey providers etc.);
- from time-to-time, specialist consultants (but usually on an anonymised and aggregated basis) and providers of investigation services in relation to “gone away” members;
- our professional advisers, auditors and insurers;
- independent financial advisers;
- HMRC, DWP, the Pensions Ombudsman, the Pensions Regulator and the Information Commissioner;
- administrators of another scheme if your benefits are transferred;
- providers of data cleanse services to improve the quality and accuracy of the data held; and
- providers of additional pension finder and consolidation services that members may opt to avail of, as well as our Integrated Service Provider to connect to the Pensions Dashboard ecosystem.
Recipients of personal data outside our group companies may also include credit reference agencies, identity verification and forwarding providers or similar, to carry out address, bank account, and/or company details verification or address forwarding checks. The checks are carried out in order to verify current address or email address information. Address verification is carried out electronically and will not be visible to lenders and will not affect your credit rating.
Additionally, we or the Trustee may disclose your personal information:
- if we, the Trustee or our group companies sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
- in order to enforce or apply our terms of use and any other agreements you may have with us; or
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation or to protect our rights, property, or safety or that of our customers or others. This includes exchanging information with other companies and organisations for the purposes of verification, fraud protection and credit risk reduction.
We convert personal data into anonymised data to share with the Pensions Policy Institute (“PPI”) for the purpose of the Pensions Data Project (“Project”), which relates to a research initiative among master trusts with a goal to achieving positive outcomes for individuals in retirement. We rely on our legitimate interests to convert personal data into anonymous data for this purpose.
We may also anonymise personal data to analyse trends, perform statistical analysis or for testing purposes. This is in order to help the Scheme learn from our membership and employer base, and to help the wider pensions industry and pensions related initiatives.
Where it is in our legitimate interest or where we have appropriate consent from you (as relevant), we may use your data (or permit our affiliates or third-parties to use your data), to provide you with information about goods and services which may be of interest to you and we (or the affiliate or third-party) may contact you about these by post, telephone or by email. It’s possible we may also do this in now:u too or in the portal accessible from our website.
We may also share your data with our affiliates, including Mercer Limited and/or other members of the Marsh McLennan group, or third-parties in respect of marketing, and may market services offered by our affiliates or third-parties.
If later on you do not want us to use your data in this way, or to pass your details on to our affiliates or third-parties for marketing purposes anymore, please unsubscribe from the relevant marketing (for example in email marketing we will include an unsubscribe link). You can also exercise the right to opt out at any time by changing your preferences in the ‘personal details’ section of now:u or by contacting us at DPO@nowpensions.com.
Mercer Limited or other members of the Marsh McLennan group may market their own services to you directly where permitted by law to do so and subject to your preferences. You can refer to their privacy notice(s) for further information and these are available on their own websites. You can get in touch with our DPO and we’ll help you find those other notices.
We and the Trustee retain your personal data only for as long as necessary for the purpose for which this is being processed. Where the purpose for our processing your personal data is directly linked to your pension, or the provision of a pension to your employees, we retain personal data for a period of 15 years from the date that your or your employees’ pension benefits have been extinguished (i.e. fully withdrawn or transferred out), to the extent this is required in order to manage our and the Trustee’s obligations in respect of your pension. Otherwise, we retain personal data no longer than necessary in accordance with statutory retention periods, in line with industry best practice, or for so long as necessary for the establishment, exercise or defence of legal claims.
Data from the pensions dashboards ecosystem is generally kept in encrypted form for our legitimate interests, if there isn’t any match resulting from that find request, or if a partial match cannot be resolved. This is in case of follow up queries from the person who made that find request. It’s kept after this for a reasonable period in case the same find request is made by the same person during that time. This is so that we can quickly and easily explain that we’ve already searched for a pension, at their previous find request, and found no match, or found a partial match that cannot be resolved (unless they want to provide more information to us). It’s in our legitimate interests to keep this data for this period to avoid duplication of effort and to avoid redoing searches month to month which we know won’t result in a match.
If you have applied for a job with us but were unsuccessful, we will delete your CV from our systems (to the extent practicable).
The following section explains your rights. The various rights are not absolute and each is subject to certain exceptions or qualifications.
We will grant your request only to the extent that it follows from our assessment of your request that we are allowed and required to do so under data protection laws. Nothing in this privacy policy is intended to provide you with rights beyond or in addition to your rights as a data subject under data protection laws.
| | Rights | What does this mean? |
| 1. | Right to be informed | You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we are providing you with the information in this privacy policy. |
| 2. | Right of access | You have the right to obtain a copy of your information (if we are processing it), and certain other information (similar to that provided in this privacy policy) about how it is used. This is so you are aware and can check that we are using your information in accordance with data protection laws. We can refuse to provide information where to do so may reveal personal data about another person or would otherwise negatively impact another person’s rights. |
| 3. | Right to rectification | You can ask us to take reasonable measures to correct your information if it is inaccurate or incomplete. E.g., if we have the wrong date of birth or name for you. |
| 4. | Right to erasure | This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your information where there is no compelling reason for us to keep using it or its use is unlawful. This is not a general right to erasure; there are exceptions, e.g., where we need to use the information in defence of a legal claim or where the processing is required or necessary due to a legal obligation. |
| 5. | Right to restrict processing | You have rights to ‘block’ or suppress further use of your information when we are assessing a request for rectification or as an alternative to erasure. When processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future. |
| 6. | Right to data portability | You have rights to obtain and reuse certain personal data for your own purposes across different organisations. E.g., if you decide to move services, this enables you to move, copy or transfer your information easily between different service providers (or directly to yourself) safely and securely, without affecting its usability. This only applies to your information that you have provided that is being processed with your consent (if relevant) or to perform a contract that you are a party to, which is being processed by automated means. We do not expect this right to be relevant in the context of the services that we provide. |
| 7. | Right to object | You have the right to object to certain types of processing, on grounds relating to your particular situation, at any time insofar as that processing takes place for the purposes of legitimate interests pursued by us or by a third-party such as the Trustee. We will be allowed to continue to process the information if we can demonstrate “compelling legitimate grounds for the processing which override your interests, rights and freedoms” or we need this for the establishment, exercise or defence of legal claims. The consequences will depend on the nature and scope of your objection and how and why we are using the information. In some circumstances, this may mean that we may need to modify our processing activities or how we interact with you in a way that overcomes the objection, or change the way in which we provide services to your employer or for your benefit, or stop providing part or all of the pensions services. In others, we may be entitled to keep processing the personal data despite your objection or at least do so in a limited way, such as where we are obliged to retain information for audit purposes. (We will always need to stop direct marketing within a reasonable time if you object to this.) When we respond to your request, we will write to you and tell you where this is the case. |
| 8. | Right to withdraw consent | We may ask for your consent to the processing of personal data. You have the right to withdraw your consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent. |
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third-parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.
We may update or amend this Privacy Policy from time to time to comply with law or to meet changing business requirements. Any changes we may make to our privacy policy in the future will be posted on this page. Please check back frequently to see any updates or changes to our privacy policy. This Privacy Policy was last updated in April 2025.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. You can do this yourself via now:u or by contacting us through our webchat function.
We have appointed a data protection officer who can be contacted at DPO@nowpensions.com if you want to make a request to exercise any of your rights above or you have any concerns about the way in which we have handled your personal data, or if you have any questions, comments and requests regarding this privacy policy. For member or employer service queries please go to www.nowpensions.com for details on how to contact our Member Support or Client Support teams.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.