Privacy policy, FOI and data protection

Privacy policy, data protection and your rights

This privacy policy has been prepared for the Lothian Pension Fund (the Fund) (acting through its administering authority the City of Edinburgh Council (the Council)) and its group companies LPFI Limited and LPFE Limited (together the LPF Group). 
The Fund is a Local Government Pension Scheme which administers pensions on behalf the Fund’s c.84 employers and c.84,000 members. 

To provide pension services to our members and scheme employers, we collect, store, use, share, and dispose of personal data.  This is known as data processing.  Because the Fund decides how and why the processing is carried out for the proper handling of all matters relating to the Fund, including its administration and management, it is also a data controller. The LPF Group processes your data (and personal data relating to your beneficiaries) which it needs to contact you, to calculate, secure and pay your benefits, for statistical and financial modelling and for reference purposes (for example, when we assess how much money is needed to provide members' benefits and how that money should be invested), and to manage liabilities and administer the Fund generally.

The LPF Group carries out its data processing activities in compliance with the EU General Data Protection Regulation and the UK Data Protection Act 2018 (together “data protection law”).  Under data protection law, Data Controllers must be open and accountable to individuals about how their data is stored, controlled, and processed.  The LPF Group is committed to protecting the privacy of all the Fund’s members and we have prepared this privacy policy to comply with our obligations under the law.

This privacy policy sets out:
  • the types of data the LPF Group collects and holds
  • why we process your data
  • how we process your data
  • who we share it with
  • your rights under data protection law.
The Fund falls under the Council’s registration with the Information Commissioner’s Office. This policy has been prepared in accordance with data protection law. Any changes to this policy in the future will be posted on this page and, where appropriate, notified to you by post or email. Please check back frequently to see any updates or changes to this privacy policy. Regularly reviewing this page will ensure you are always aware of what we are doing with your personal data. We will nevertheless communicate material changes in policy to you.

Who is a data subject?

We have identified the following categories of people as “data subjects”. Data subjects are defined by data protection law as individuals whose data we hold:
- active members of the Fund
- potential beneficiaries
- pensioners
- former members of the Fund
- deferred members of the Fund
- ex-spouses of members of the Fund.

What information does the LPF Group collect about me?

We may collect and process the following data about you:
• information that you provide to us, such as by filling in forms on our site or, and includes information provided at the time of registering to use, subscribing to receive e-newsletters or other service, posting material or requesting further services.
• we will keep records of correspondence you send to us as appropriate
• we may ask you to take part in customer feedback to improve our services
• details of any services you request or amendments you make during visits to for audit purposes.
• details of your visits to our online services, including your IP address
  • any of the above information may include:
  • your name, address, email address, phone number;
  • date of birth;
  • sex;
  • information about your family, dependants or personal circumstances, for example, marital status and information relevant to the distribution and allocation of benefits payable on death.;
  • financial information: bank account details, payroll records, tax information, salary, pension contributions, benefits;
  • employment information: start dates, retirement dates, name and location of your employer, job titles, work history, NI number; and
  • limited health information: whether you are eligible for ill-health early retirement (we would not normally require information on the underlying medical assessment to determine whether you are eligible) or where your health is relevant to a claim for benefits following the death of a member of the Fund.
  • information about a criminal conviction if this has resulted in you owing money to your employer or the Fund and the employer or Fund may be reimbursed from your benefits.

We obtain some of this personal data directly from you.  We may also obtain data (for example, salary information) from your current or past employer(s) or companies that succeeded them in business, from a member of the Fund (where you are or could be a beneficiary of the Fund as a consequence of that person's membership of the Fund) and from a variety of other sources including public databases (such as the Register of Births, Deaths and Marriages), our advisers and government or regulatory bodies, including those in the list of organisations that we may share your personal data with set out below.

Data from Third Parties

In addition to the information you provide us, we may also receive personal data about you from other sources, such as:

  • your employer
  • occupational health providers (note that they will not provide us with your medical records)
  • Standard Life / Prudential AVC providers
  • registrars
  • solicitors
  • your previous pension scheme
  • HMRC.

Why can LPF process my personal data?

Data protection law says that Data Controllers may only process personal data if they have a lawful basis to do so.  Depending on the exact nature of the personal data and the reasons for processing it, the lawful basis may change.  However, under the applicable law and regulations governing the Group’s activities, we have a duty to provide and administer pensions for our members and to invest and safeguard the assets of the Fund.  So, usually, the reason we process your personal data is so that we can carry out our legal duties. 
Other reasons we might need to process your personal data are:
   - we need to meet a contractual obligation to you (for example, under an agreement that you will pay additional voluntary contributions to the Fund), or to take steps, at your request, before entering into a contract
   - we need to provide your data to government organisations such as HMRC or the DWP to assist them in safeguarding public funds
   - the detection and prevention of fraud.

Does the LPF Group need my consent to process my personal data?

No - because of our legal obligation under the applicable Local Government Pension Scheme Regulations in Scotland, we do not require the express consent of our members in order to process their personal data for this purpose.  If the Fund could not process this personal data, we would not be able to carry out our legal duties. This equally applies to any data identified under Article 9 of the GDPR as being “special category personal data”. 

Where we obtain information concerning certain "special categories" of particularly sensitive data, such as health information, extra protections apply under the data protection legislation. We will only process your personal data falling within one of the special categories with your consent, unless we can lawfully process this data for another reason permitted by that legislation.

Where you have provided us with personal data about other individuals, such as family members, dependants or potential beneficiaries under the Fund, please ensure that those individuals are aware of the information contained within this notice.

How does the LPF Group process my personal data?

We use information held about you to administer your pension benefits which includes, but is not limited to, the following:
  • to carry out routine day-to-day pensions administration tasks in relation to your benefits, such as benefit calculation and eligibility assessment. 
  • to perform statistical and financial analysis to inform our investment decisions and actuarial analysis.
  • to comply with our legal and regulatory obligations as administering authority of the Fund.
  • to address queries from members and resolve disputes concerning the Fund.
  • to manage the Fund’s liabilities and insurance.
  • to provide annual statements and other information regarding your benefits.
  • to allow alternative ways of delivering your benefits, for example, through the use of insurance products and transfers to or mergers with other pension arrangements.
  • to notify you about changes to our service.
  • to ensure that content from our websites is presented in the most effective manner for you and for your computer.
  • to provide you with other information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes by email.
  • we may also use your data to provide you with information about goods and services from us or our partner organisations which may be of interest to you, and we may contact you about these by post or telephone.
  • to prevent fraud in relation to your pension benefits.

Storage & Retention

Your data will not be kept for any longer than it is needed by the Fund to carry out our processing activities.  Paper and electronic records will be disposed of in a secure way.  The exact length of time we keep your data will depend on the purpose for which it is collected.  The Fund has a Records Retention Schedule which governs how long your records will be kept. In practice, this means that your personal data will be retained for such period as you (or any beneficiary who receives benefits after your death) are entitled to benefits from the Fund and for a suitable period after those benefits stop being paid. For the same reason, your personal data may also need to be retained where you have received a transfer, or refund, from the Fund in respect of your benefit entitlement.

Your data will be stored securely by the Fund’s pensions administration software provider, Heywood Limited.  Their registered address is Aquila House, 35 London Road, Redhill, Surrey RH1 1NJ.  Your data may also be hosted on the Council's corporate network, in accordance with the LPF Group’s Records Management Policy.

What are my rights?

You have the right to request access to any data which we may keep on you. If any information kept about you turns out to be inaccurate or incomplete, you have the right to request that the information be corrected.

If you have left the Fund and feel there is no reason for us to continue to process your data, or if you believe your data is being processed unlawfully, you have the right to request that we delete any information held about you.

In certain circumstances, you have the right to restrict processing of your data, meaning the LPF Group will keep your information on file, but will be unable to do anything with it until the restriction is lifted. Processing will be restricted while the Fund corrects information which is inaccurate, while we process a request to have your data deleted and where the Fund no longer has a reason to process your data but you require it to establish, exercise or defend a legal claim.

As explained above, one of the reasons we collect and hold your personal data is to administer your benefits. If you do not provide the information we request, or ask that the personal data we already hold is deleted or that the processing of the personal data be restricted, this may affect our ability to administer your benefits, including the payment of benefits from the Fund. In some cases, it could mean we are unable to put your pension into payment or has to stop your pension (if already in payment).

You will not normally have to pay a fee to exercise any of these rights, however we may charge you for our administrative costs in certain cases if the request is particularly excessive of if you request further copies of your data.
The right to lodge a complaint with the Information Commissioner’s Office (ICO) if you feel your data is not being handled properly. More information on how to do to make a complaint can be found here:  More general information and advice on Data Protection is also available on the ICO’s website

Type of Service Name of 3rd Party/Parties Reasons for sharing the personal data

From time to time we will share your personal data with advisers and service providers so that they can help us carry out our duties, rights and discretions in relation to the Fund.  Some of those organisations will simply process your personal data on our behalf and in accordance with our instructions. Other organisations will be responsible to you directly for their use of personal data that we share with them.  In each case we will only do this to the extent that we consider the information is reasonably required for these purposes.

Who we share data with and why

  • Club Vita LLP provides longevity (life expectancy) analytics and related information for the purpose of helping us to manage the Fund’s liabilities.
  • Hymans Robertson provides Scheme Actuary services for the purpose of calculating the Fund’s assets and liabilities and setting employer contribution rates.
  • Hymans Robertson LLP and Club Vita LLP may appoint service providers or sub-processors to help in the provision of their services. For details, please visit:
  • PAM provides occupational health service in connection with matters such as ill-health retiral applications for deferred members.
  • Prudential and Standard Life provide scheme AVCs and create individual member AVC accounts.
  • Scott Moncrieff provides audit services for LPF and the LPF Group companies’ annual reports and accounts and also audit their internal controls.
  • South Yorkshire Pensions Authority provides the LGPS National Insurance Database for the purpose of identifying if Fund members have benefits in other LGPS schemes.
  • Department for Work and Pensions (DWP) provides the Tell Us Once Service for the purpose of notifying the Fund of the death of scheme members.
  • The Pensions Regulator, Government Actuary Department, The Scheme Advisory Board and National Fraud Initiative are some of the regulators, government or law enforcement bodies with whom we may share data to comply with the Fund’s statutory obligations.
  • The Joint Investment Strategy Panel (JISP) consists of a representative of Falkirk Council Pension Fund, Fife Council Pension Fund and 2 independent investment advisors. The JISP assists the Fund in determining investment strategy based on its liabilities as determined by its membership and employer profile.
  • Aquila Heywood provides the Fund’s pensions administration software, giving the Fund with technical and management support for its electronic pensions administration systems.
  • Western Union facilitates overseas payments by the Fund, to administer benefit payments to scheme members with non-UK accounts.
  • Administering authorities of other LGPS funds (or their agents, such as third-party administrators), depending on circumstances, where a member has been a member of another LGPS fund and the information is needed to determine the benefits to which the member or their dependants are entitled.
From time to time we may provide some of your data to your employer and their relevant subsidiaries (and potential purchasers of their businesses) and advisers for the purposes of enabling your employer to understand its liabilities to the Scheme. Your employer would generally be a controller of the personal data shared with it in those circumstances. For example, where your employment is engaged in providing services subject to an outsourcing arrangement, the Administering Authority may provide information about your pension benefits to your employer and to potential bidders for that contract when it ends or is renewed.

Where requested or if we consider that it is reasonably required, we may also provide your data to government bodies and dispute resolution and law enforcement organisations, including those listed above, the Pensions Regulator, the Pensions Ombudsman and Her Majesty's Revenue and Customs (HMRC).  They may then use the data to carry out their legal functions.

Some of these third parties may store personal data outside the European Economic Area (EEA).  Where personal data is transferred outside the EEA, such transfers will be in full compliance with data protection legislation.
We do not use your personal data for marketing purposes and will not share this data with anyone for the purpose of marketing to you or any beneficiary.

Data Protection Officer & Complaints

The Fund must appoint a Data Protection Officer to make sure we are complying with data protection law. The Fund’s Data Protection Officer is currently Kevin Wilbraham, the Council’s Information Governance and Strategic Complaints Manager, Information Governance Unit, the City of Edinburgh Council, Waverley Court - 2.1, 4 East Market Street, Edinburgh, EH8 8BG Email: | Tel: 0131 469 6200
Should you have any complaints or comments about our processing and use of your personal data, or if you wish to report an incident, please contact Struan Fairbairn, Chief Risk Officer and Data Protection Officer of the Lothian Pension Fund, Atria One, 144 Morrison Street, Edinburgh, EH3 8EX Email: | Tel: 0131 529 4638.
If you still have concerns about the processing and use of your personal data, you can contact UK Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Tel: 08456 30 60 60
This Privacy Policy was last updated on 1 November 2019