Your privacy is important to us. Our privacy notice is designed to be as concise and transparent as possible and explains:
How to contact us
The Pensions Regulator (TPR) is a data controller. You can email TPR in its capacity as data controller at:
You can email TPR’s Data Protection Officer (DPO) directly at:
Alternatively, you can write to the DPO using the below address:
Data Protection Officer
The Pensions Regulator
Telecom House
125-135 Preston Road
Brighton
BN1 6AF
Our legal basis to process personal data
Unless otherwise stated, we will process personal data where necessary in the performance of a task carried out in the public interest or in the exercise of our official authority.
Our statutory functions and objectives derive from the power conferred on us under the Pensions Schemes Act 1993, Pensions Act 1995, Pensions Act 2004, Pensions Act 2008, Pensions Schemes Act 2017 and other pensions legislation and underlying regulations.
In some limited circumstances we will process your personal data on the basis of your consent or where necessary to perform a contract. We will also process personal data where necessary for compliance with a legal obligation, where it is in your vital interests or where it is in our legitimate interests.
We may from time to time process personal data that is considered ‘special category data’ that is data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic or biometric data
- data concerning health
- data concerning a person’s sex life or sexual orientation
Where we process special category data, we will only do so where a condition set out in either Article 9 of the UK General Data Protection Regulation (UK GDPR) and schedule 1 of the Data Protection Act 2018 (DPA 2018) applies. This may include:
- where we have your explicit consent
- where processing is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment and social security and protection
- where processing is necessary for the establishment, exercise or defence of legal claims
- where processing is necessary for reasons of substantial public interest
TPR will also process personal data for law enforcement purposes under Part 3 of the DPA 2018. These purposes include the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties. We will do this to protect members of the public against financial loss due to dishonesty, malpractice or other seriously improper conduct related to the administration of workplace pensions.
TPR will often process personal data for law enforcement purposes without the knowledge of those we investigate. We will only do this where to do otherwise would prejudice our investigations.
How we gather your personal data
Personal data obtained directly from you
The majority of personal data we gather is provided to us by you for a variety of different reasons, including:
Where you are legally required to provide us information
TPR will process personal data where you are legally required to provide it. The following sets out a non-exhaustive number of reasons why you may be required by law to provide us information which may include your personal data:
- If you are a trustee or a manager of an occupational pension scheme, you will be required to provide TPR with information pertaining to your pension scheme in the form of a scheme return. We use the scheme return to gather information about pension schemes. The data gathered helps us maintain our register of schemes and to identify schemes where there’s a risk or potential risk to members’ benefits. We also use this information to calculate annual levy charges.
- If you are an employer, you are required by law to complete the declaration of compliance. Failure to do so may lead to enforcement action being taken against you.
- Where you are applying for master trust authorisation, we will process personal data (including disclosure to persons outside of TPR) in order to determine whether those persons involved in the master trust scheme are ‘fit and proper’ according to the Pensions Schemes Act 2017 and underlying regulations, and for the purpose of the overall assessment and decisions in relation to authorisation applications. We will also process your personal data in relation to any of the authorisation criteria for ongoing supervision and monitoring purposes.
- Under section 72 of the Pensions Act 2004, TPR may require you to produce any document, or provide any other information which is relevant to the exercise of our functions.
We will use your contact information, provided for any of the purposes above, to send you information pertinent to your role as an employer, trustee or representative. We utilise various channels to communicate this information including email, post or, for general information about Automatic Enrolment duties, social media.
We periodically conduct surveys among our regulated community with the purpose of better understanding the pensions landscape. By default, except for the Customer Support customer satisfaction survey mentioned below in the next section, all of our surveys are anonymous. In some cases, you will have the option to waive your anonymity should you wish.
Where you make an enquiry
If you’ve made an enquiry with us we’ll hold your personal data for the purpose of dealing with your enquiry. We don’t need to collect a lot of information but we do need to know who you are, what you’ve asked us and how we can reply to you.
You can make an enquiry in a number of different ways, including by:
- calling our Customer Support team
- submitting your enquiry via our enquiry web form
- writing to us
When you contact TPR we collect your information to enable us to respond to your query. We record all calls made to us for training and compliance purposes, to improve our response to you and to verify information provided to us.
After making an enquiry, we may ask you to complete a customer satisfaction survey. This survey is optional and there is no requirement for you to take part.
If you choose to complete the customer satisfaction survey your feedback will be linked to your enquiry and, therefore, you as an individual.
Your survey responses will be used to improve the information services we provide to our regulated community.
Where you submit a whistleblowing report
If you submit a whistleblowing report we will ask you for information related to your concerns. This will include details about your employer and your pension.
You may choose to remain anonymous so that no one, including TPR, will know your identity. However, if TPR choose to investigate your report your identity may become apparent at a later date – for example if you are a sole employee and you decide to report your employer anonymously, it may become apparent that you are the source of the whistleblowing report.
If you decide to disclose your identity to TPR we will do our best to protect it and keep it confidential but we cannot give any categorical assurances as circumstances may mean that disclosure of your identity becomes unavoidable – for example if we are ordered by a court to disclose your identity.
Where you visit our website
When someone visits thepensionsregulator.gov.uk we collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is processed in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website.
When you visit our website a cookie identifies and tracks your visit while collecting statistical information. Cookies tell us the pages that have been visited and collect information about how many times certain pages have been visited.
The cookie has no way of identifying you, it doesn’t hold any of your personal data nor can it be used retrospectively to track you.
Cookies help us to assess the effectiveness of our website and can provide useful information following publications. Find more information about the cookies that we use.
If you’ve signed up to receive any of TPR’s news services we’ll only hold the information that we need to deliver the service. Emails you’ll receive will give you the option to unsubscribe and where you do so we will remove your contact information from our mailing lists.
If you’ve completed or are completing learning on the education portals, then we’ll hold some of your personal data. If you forget your login details or it's necessary to verify your status we’ll need to match the query to the right person.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Where you visit our office
If you visit our office we ask that all visitors sign in and out of reception. You may also be required to provide proof of identification but this information is not recorded.
Any CCTV in operation in and around the building complex in which we have our offices is not controlled or managed by TPR.
The information we collect where you visit our office will be processed for security and safety reasons which is in our legitimate interests to do.
Where you visit an event organised by TPR
TPR occasionally hosts and organises events that aim to promote our role as a regulator among our regulated community.
If you are a key industry stakeholder, we may invite you to attend or speak at our events. Where this is the case, we will process your contact information and may ask if you have any specific dietary requirements. We may also ask if you have a disability so that we can make arrangements to accommodate your attendance.
The information we collect where you visit an event organised by TPR will be processed on the basis of your consent.
Where you apply for a job vacancy
All of the information you provide when applying for a vacancy with TPR will be used for the purpose of progressing your application and assessing your suitability for employment with us.
Our recruitment privacy policy outlines how we hold and process personal information.
Where you make an information request
As a public body, you have the right to ask us for information that we hold under the Freedom of Information Act 2000 and the Environmental Information Regulation 2004. If we process your personal data, you also have the right to make a subject rights request under the UK GDPR and the DPA 2018.
If you make an information request we will process your data in order to respond to your request. At a minimum we will need your contact details so that we can identify you. We may ask you for further personal information depending on the type of request you make.
The information we collect when you make an information request will be processed in order to comply with our legal obligations.
Where you have made a complaint
If you make a complaint to TPR we will ask for all the information necessary to investigate your concerns. This will include your personal information and that of others who are involved.
If you make a complaint against a member of TPR staff, we usually disclose your complaint and identity to the member of staff concerned to allow them to explain the events that have given rise to the complaint. If you would prefer that we do not share your identity with the person you’re complaining about, we will endeavour to keep your identity confidential, but this cannot be guaranteed.
Where you make a media enquiry
TPR aims to deliver effective and targeted press releases, blog posts and speeches. Where you make a media enquiry to our press team via our Media Hub we will process your personal data in order to respond to your request.
Data obtained from other sources
In some circumstances we also process personal data that has been obtained indirectly from the following sources, including:
Where you are nominated as a contact
If you are a nominated contact, we have received your contact information from an individual with the necessary consent or authority to provide us with your personal data. In most situations this will be your employer or your client. You may opt out of receiving these communications and update who should be the nominated contact by visiting our nominate a contact page.
Other government and public bodies
We regularly obtain personal data from other government and public bodies including our sponsoring body the Department for Work and Pensions and His Majesty’s Revenue and Customs for use in connection with any of our statutory functions.
Publicly available sources or commercial databases
In some circumstances we collect personal data from publicly available sources or acquire personal data from commercial databases. This data may be used in a number of different ways to support our statutory functions. Examples include for intelligence purposes and for us to send communications to key industry stakeholders.
As part of a procurement exercise
TPR regularly collects and processes personal data where liaising with suppliers for the performance of contracts offered on publicly available digital marketplaces including on the Crown Commercial Service website.
Sharing personal data
Where we are allowed to do so by law, we may share your personal data with other public or professional bodies, as well as government organisations to support them in their purposes and functions. Where we regularly share data with these other bodies we have protocols or agreements in place to govern the sharing of information and to ensure compliance with the law. For more information see memorandum of understanding.
We often publish reports on regulatory action we have taken in particular cases which may include personal data. For further information see our essential guide to how we publish information about cases.
We may share your personal data with private organisations to provide services to us in relation to our statutory functions, for example, to produce a skilled persons report, to provide legal services or to communicate educational materials to individuals with pension responsibilities. We require and ensure full adherence with data protection laws via our instructions and contracts with such entities ensure that your personal data is only processed for the purpose in which it was shared.
For more information related to the arrangements we put in place with those we share personal data with, see doing business with us.
Where considered appropriate to do so we may provide a credit reference agency with your personal data in order to conduct a credit reference check against you. This will be done for debt collection purposes.
We will never share your personal data for commercial or marketing purposes.
Transferring personal data outside the UK to the EU
TPR regularly transfers personal data to our data processors or controllers located in countries within the European Union (EU). This is for storage or when conducting litigation as part of a civil or criminal investigation. Where we do so, we rely on the adequacy regulations under the UK GDPR and DPA 2018.
Transferring personal data outside the UK to a country outside the EU
TPR doesn’t ordinarily transfer personal data outside the EU. However, there may be occasions where we transfer data to countries outside the EU when conducting litigation as part of a civil or criminal investigation or proceedings. Where we do so, we rely on the provisions in relation to the conduct of litigation in the UK GDPR and the DPA 2018, and only to the extent required.
We may also transfer data including personal data to our data processors who store data outside the EU. To ensure that your personal data receives an adequate level of protection we make sure that adequacy regulations have been made by the Secretary of State and / or we put in place standard contractual clauses in accordance with our obligations under the UK GDPR.
Retention periods
TPR will hold your data for as long as is necessary for our statutory functions and objectives and for a set period of time after. For more information related to the length of time we store personal data see our retention schedule (PDF, 800kb, 9 pages).
Your rights
If we hold your personal data, you have certain rights in relation to what we do with it.
Access
You have the right to access your personal data. Where you request access to your personal data we will confirm whether or not we hold information related to you, and if we do hold your data we will provide you a copy of your personal data free of charge. We may not provide information to you where to do so would prejudice the exercise of our statutory functions or where other exemptions apply.
Rectification, erasure, restriction and data portability
In certain circumstances, you have the right to have inaccurate personal data corrected and incomplete personal data completed and to be notified when that has been done. You may also have the right to have your personal data erased, its use restricted or to ask for your personal data to be transmitted in a commonly used and machine-readable format to you or to another organisation.
Objection
You have right to object to the processing of your personal data where we process that data for the performance of a task carried out in the public interest. However, the right is not absolute and may be rejected if it would prejudice the exercise of our statutory functions to stop the processing. This is a case by case assessment that will be carried out whenever the right is exercised.
Right to withdraw consent
Where we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing before you withdrew your consent. If you do so we may no longer be able to send you communications you have signed up for or other guidance information. Please note that this does not include notices or notifications we are required by law to send to you.
If you wish to make a request exercising any of the rights set out above, please write to us:
The Pensions Regulator
Telecom House
125-135 Preston Road
Brighton
BN1 6AF
Alternatively, you can email us at dpa@tpr.gov.uk.
Data security
Keeping your personal data safe is a top priority. We’ve put security measures in place to protect your personal data and to maintain confidence in your interactions with us. TPR holds ISO 27001 certification and complies with our responsibilities to maintain high levels of security under the UK GDPR and the DPA 2018.
Complaints process
TPR will endeavour to meet the highest standards when collecting and using your personal information. For this reason, we take any complaint we receive about the way in which we handle your personal data very seriously. We encourage you to bring your concerns to our attention. For more information about how to make a complaint see our complaints process.
You can also raise your concerns to our DPO by email at dpo@tpr.gov.uk.
If you have already made a complaint to us and are not happy with the outcome, you have the right to lodge a complaint with the Information Commissioner’s Office.
Privacy notice review
This privacy notice was drafted to be as concise and transparent as possible. For this reason, this notice does not provide an exhaustive outline of all the ways in which we process your personal data. If you think we’ve got something wrong, missed something out or you would like more information about the way in which we process your personal data, please let us know via the contact information provided above.