You should read this privacy notice if you are a member of a pension scheme insured under a policy, and the trustees of your scheme have purchased an insurance policy from Rothesay Life Plc (or, if the trustees purchased an insurance policy from another insurer and that policy has transferred to us) under which we have an obligation to pay specified benefits to the trustees in respect of you.
Understanding the terms of this privacy notice
The meaning of words which appear in bold underlined text are explained in the glossary. You can click on each term to see the definition. Alternatively, you can open the full glossary in another tab by clicking the link below.
Throughout this notice any reference to “we” or “us” refers to Rothesay Life Plc.
To read this privacy notice, please click on each section below.
- About us and our relationship with you
‘Rothesay’ is the trading name for Rothesay Life Plc, an insurance company established in the UK with company registration number 06127279 and ICO registration Z1003678. We are authorised in the UK by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Our registered office address is The Post Building, 100 Museum Street, London WC1A 1PB.
If the trustees of your scheme have informed you that they have purchased a policy from Rothesay Life Plc (or that they have purchased a policy from another insurer and that policy has transferred to us) under which we have an obligation to pay specified benefits to the trustees in respect of you, this privacy notice applies to our processing of your personal data. This privacy notice also applies when the trustees of your scheme have shared personal data to obtain a policy quote.
We are a controller under data protection laws. This privacy notice explains how we use and look after your personal data. This privacy notice also tells you about your privacy rights and how the law protects you.
- About this privacy notice
This privacy notice contains information about:
- The personal data that we process as a controller
- Where the personal data has been obtained
- The reasons why we process your personal data and the lawful basis we use to do so
- The security measures that we have in place to keep your personal data secure
- The length of time we store your personal data for
- The organisations, or categories of organisation, with whom we might share your personal data
- International transfers of your personal data
- The rights you have under data protection laws in relation to our processing of your personal data
Please note that we may change this privacy notice from time to time.
To request a printed copy of this privacy notice please contact us using the contact details contained in the part of this privacy notice headed Contact details.
- The personal data we process
The categories of personal data we process include the following:
1. Scheme member personal information: Personal data relating to each individual insured under a policy, which may include:
- Name
- Address (email and postal)
- Date of birth
- Gender
- National Insurance number
- Policy number and other reference numbers
- Marital status, dependants and next of kin
- Retirement age
- Retirement date
2. Scheme member financial information: Financial information relating to each individual insured under a policy which may include:
- Details about payments to and from your accounts
- Financial position, status and history
- Bank details
- National Insurance number
- Tax code
3. Scheme member employment information: Personal data relating to the employment that is relevant to the benefits payable to each individual insured under a policy, which may include:
- Employer (or former employer) name
- Job title, job codes, job location, and length of service
- Pension benefits
4. Sensitive personal data: This includes health information, to the extent necessary to determine eligibility for any ill-health benefits.
Additional personal data concerning you may be received from the trustees of your scheme in cases where they believe it is necessary to enable us to service your needs.
- Where the personal data has been obtained
Personal data will usually be collected from the trustees of your scheme. It may also be acquired from any other insurers who have engaged us to provide a policy or provide a policy quote.
There will be instances where we collect personal data from other sources. The sources include:
1. Tracing agencies and mortality screening companies
We engage tracing agencies to check whether we hold the correct address for an individual insured under a policy.
We engage mortality screening companies to check whether an individual insured under a policy is alive.
2 . Financial sanctions screening companies
We engage financial sanctions screening companies to ensure that we do not break laws and regulations by making a payment under a policy in respect of an individual who:
- appears on a list of financial sanctions targets: or
- is subject to a sanctions programme as determined by any government or law enforcement agency
- The reasons why and lawful bases relied on to process your personal data
-
The table below provides details of the purpose and the lawful bases upon which we process personal data.
Type of personal data
Why we need it
Lawful bases for processing
Administering policies and fulfilling our obligations
We process personal data in order to fulfil our contractual or legal obligations under our policies and ensure that we are paying the right amounts under those policies.
Legitimate interests pursued by us or by a third party
It is in our interest to ensure that we fulfil our contractual obligations and ensure that we are paying the right amounts under each of our policies.
We process sensitive personal data under a substantial public interest such as meeting insurance requirements.
Managing our risks
We process personal data to manage the risks to our business that are associated with the policies we have issued.
Legitimate interests pursued by us or by a third party
It is in our interest to manage the risks to our business associated with our policies. We need to manage our risks to operate our business.
Meeting legal and regulatory expectations
Fulfilling our legal and regulatory obligations in relation to administering our policies, managing our customers, and operating our business. This will include a range of activities involving the processing of personal data such as producing and issuing required regulatory documentation, conducting KYC, AML and sanctions checks. We also process personal data identify and support customers with vulnerable characteristics as Managing our business This will include a range of activities involving the processing of personal data such as producing and issuing required regulatory documentation, conducting KYC, AML and sanctions checks. We also process personal data to identify and support customers with vulnerable characteristics as required by the FCA to meet our obligations under the Consumer Duty.
Compliance with a legal obligation to which we are subject
We need to ensure that we operate in accordance with relevant laws and regulations. This includes but is not limited to meeting our legal obligations in relation to customers with vulnerable characteristics and the FCA’s Consumer Duty more broadly.
We process sensitive personal data where we have a substantial public interest to do so such as preventing or detecting unlawful acts.
Operating our business
We may process personal data by providing it to third parties who collate such data from a wide variety of sources and publish reports on how long people in the UK live and other demographic trends. We use this information in connection with the performance of our business.
Legitimate interests pursued by us or by a third party
It is in our interest to estimate how long people in the UK are likely to live as accurately as possible and to understand other demographic trends. This helps us to understand our liabilities in respect of our current and future obligations under the policies we have issued.
Preparing to issue individual policies
In preparation for issuing individual policies the trustees of your scheme will provide us with all of the relevant information that they hold about you, which will include personal data.
Legitimate interests pursued by us or by a third party
It is in our interest, as well as yours and the trustees of your scheme, to ensure that we can issue you with an individual policy that accurately reflects the benefits purchased by the trustees of your scheme.
Establishment, exercise or defence of legal claims
We store personal data in case we need it to exercise our legal rights, and to defend ourselves against potential legal claims that might be brought against us under the terms of any of our policies, and/or laws and regulations.
Legitimate interests pursued by us or by a third party
It is in our interest to ensure that we are able to exercise our legal rights and defend ourselves against potential legal claims.
We may also process personal data including sensitive personal data to comply with other laws, regulations or criminal reporting requirements that we are subject to. This includes compliance with law enforcement agency procedures in connection with various investigations and compliance with any requirement to prevent or detect unlawful acts.
- How we keep your personal data secure
Our commitment to corporate security is demonstrated through the implementation of policies, controls and procedures, which are externally certified and audited to the international information security standard, ISO 27001:2013.
Our security policies, controls and procedures are regularly reviewed and updated so that we maintain good practices across our business to keep your information safe.
We have contractual arrangements in place with all of our service providers who process personal data which are compliant with data protection laws. We regularly check that our service providers are complying with their contractual commitments. This includes assessing and reporting on our service providers’ information security controls to check their compliance using questionnaires and/or on-site audits.
- How long we store your personal data for
The period for which we store personal data concerning individuals insured under a policy will depend upon how that policy terminates.
A policy normally terminates as a result of the trustees who purchased it asking us to issue an individual pension annuity policy to each of the individuals insured under the policy. Following termination of a policy in these circumstances, we will keep all personal data relating to individuals insured under the policy and will process it in accordance with our individual pension annuity policyholder privacy notice. Both this privacy notice and the one applicable to individual policyholders can be accessed on the Data Protection page of our website by clicking the link below.
www.rothesay.com/data-protectionThere are only limited circumstances in which a policy could terminate other than those set out above. However, if a policy does terminate in circumstances other than those set out above, we will keep personal data relating to individuals insured under the policy for so long as it is required to operate our business or fulfil our legal and regulatory obligations.
- Who has access to your personal data
We share personal data with a variety of other companies to operate our business. However, we only share the personal data that those companies need to provide their services to us.
We have detailed the types of companies with whom we currently share personal data below. The companies fall into two categories:
Processors with whom we share personal data
For these companies, we determine the purposes for which the personal data we pass to them is processed and they should not process that personal data other than in accordance with our written instructions. Processors with whom we share personal data:
1. Third Party Administrators
We use specialist third party pension administration companies to help us administer the benefits insured under our policies. This enables us to meet our obligations in accordance with the terms of those policies. To enable them to do this, we need to provide them with all personal data that is relevant for this purpose.
Currently, we engage as administrators, companies trading as:- Capita Employee Benefits Limited
- Aptia UK Limited
- Towers Watson Limited
2. Tracing agencies, mortality screening companies and financial sanctions screening companies
We use these companies in order to check one or both of the following:- Whether an individual insured under a policy is alive and that the individual’s address remains current
Whether an individual appears on a list of financial sanctions targets or is subject to a sanction programme
3. IT service providers
Our main IT infrastructure and core software is provided by Goldman Sachs Group, Inc.. This means that personal data we process is stored on Goldman Sachs’ IT systems.
4. Other service providers to our business
Other companies who process personal data on our behalf include those who provide day-to-day operational business services such as emails, archiving, document scanning and copying, document destruction and printing.Controllers with whom we share personal data
For these companies, we do not determine the purposes for which the personal data we pass to them is processed once it is shared. To understand how the other controllers process your personal data , you should refer to their privacy notices. Controllers with whom we share personal data:
1. Reinsurers
We provide information about the liabilities insured under our policies to reinsurers with whom we reinsure some of the risks to which we are exposed under those policies. The main such risk is that individuals whose benefits we insure live longer than we anticipated. You can request a list of reinsurers to whom we have disclosed your personal data using the details contained in the part of this privacy notice headed Contact details.2. Trend analysis providers
We provide information to, and use services provided by, third parties to analyse how long people in the UK live and other demographic trends. We use information provided to us by these third parties in connection with the performance of our business. For example, we use it to help us to estimate how long individuals insured under our policies are likely to live in order to understand our liabilities in respect of individuals insured under our policies.
3. Professional advisers
We sometimes have to share personal data with our professional advisers (including accountants and lawyers) where it is required for the purposes of their advice.
4. Regulators, law enforcement and auditors
We will share personal data when requested by regulators, law enforcement agencies or other third parties to comply obligations imposed on us by laws and regulations.
- International transfers
Where personal data is transferred to and processed in a country outside of the UK or the EEA (as applicable), we take steps to provide appropriate safeguards to protect your personal data, including by entering into approved standard contractual clauses obliging recipients to protect your personal data and only transferring personal data to the extent that an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data is ensured in compliance with data protection laws.
If you want further information on the specific mechanisms used by us when transferring your personal data outside of the UK or EEA, please contact us using the details contained in the part of this privacy notice headed Contact details.
- Your rights
Under certain circumstances, you have the following rights under data protection laws:
- The right of access to personal data relating to you (known as Subject Access Requests)
- The right to correct any mistakes in your personal data
- The right to require us to delete your personal data
- The right to restrict our processing of your personal data
- The right to object to us processing your personal data, including for marketing purposes
- The right to have your personal data provided to another controller
How to exercise your rights
If you wish to exercise any of your rights, please contact us using the details contained in the part of this privacy notice headed Contact details.
- Contact details
How to contact us regarding this privacy notice
You may want to contact us to:
- Ask any questions you have in relation to the information contained in this privacy notice
- Exercise any of your rights under the data protection laws
- Request a printed copy of this privacy notice printed in large print or braille
- Request an audio version of this privacy notice
- Make a complaint (see below)
To contact us you can email our Data Protection Officer (DPO) at dpo@rothesay.com or write to:
Data Protection Team, Rothesay Life Plc, The Post Building, 100 Museum Street, London WC1A 1PB
If you live within the European Union, you can also contact our European representative. Their details are as follows:
Address: Bird & Bird GDPR Representative Services SRL, Avenue Louise 235, 1050 Bruxelles, Belgium.
Or email: EUrepresentative.Rothesay@twobirds.com
How to make a complaint
If you have a problem or concern relating to the ways we process your personal data or the contents of this privacy notice, please contact us in the first instance.
We hope that we will be able to address the problem or concern to your satisfaction. However, you also have the right to make a complaint to the Information Commissioner’s Office. The process for making a complaint to the Information Commissioner’s Office is available here:
www.ico.org.uk/make-a-complaint
Their contact details are as follows:
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Or phone: 0303 123 1113