Data Protection and Privacy Policy

The Scheme trustee, M.R.C. Pension Trust Limited, ("Trustee", "we" or "us") is committed to keeping your personal information secure.

In order to manage the Scheme effectively and pay the correct benefits, some personal data is required. The use of this data has been regulated under the Data Protection Act 1998, which places certain responsibilities on those who exercise control over the personal data, known as data controllers.

On 25 May 2018, a new European legal framework for data protection called the General Data Protection Regulations (GDPR) will come into force in the UK. In addition, there will be a replacement of the Data Protection Act 1998 this year, with a Data Protection Act 2018 expected shortly, to reflect the terms of GDPR.

We set out below further details of our data protection and privacy policy.

Privacy policy

1. Where we obtain your information

In the course of administering your pension, we may hold information about you which is provided by you, your employer or former employer, other pension schemes or medical advisers or HMRC, DWP or publically accessible records.

The information we collect and hold about you includes:

• your personal details such as your name, gender, date of birth, home address, telephone numbers, email addresses, marital status, national insurance number, bank account details (in some cases), and country of residence;
• information relating to your benefits, including your member identifying number (which is assigned to you by the Scheme), the date you joined or left the Scheme, your earnings, the category and value of contributions and benefits that you receive, and any relevant matters impacting your benefits such as voluntary contributions, pension sharing orders, tax protections or other adjustments; and
• in some cases, special categories of personal data such as information concerning your health (e.g. in the case of ill-health early retirement and ill-health reviews, and where incapacity or similar reasons determine the benefits paid to you).

Where applicable, we also collect information about your nominated beneficiaries, dependents or next of kin. Before providing us with any such information, you should provide a copy of the information in this notice to those individuals.

In some cases, the above information may also be collected from other sources:

• your employer;
• Mercer Employee Benefits, who administers the Scheme on our behalf;
• other schemes (if you have transferred benefits from them);
• Government departments such as HMRC and DWP;
• publicly accessible sources (e.g. the electoral roll) if, for example, we have lost touch with you and we are trying to find you.

If we ask you for other information in the future (for example, about your health), we will explain whether you have a choice about providing it and the consequences for you if you do not do so.

2. Why we use your information

The law requires that the Trustee only uses your personal data for defined lawful purposes. We will only use your data where:

• it is necessary to comply with our legal obligations as Trustee, e.g. to pay your benefits as they fall due;
• it is necessary to protect your interests, e.g. if we need to let you know about benefit options; or
• it is in the legitimate interests of the Trustee to use your data in that way, and in doing so we are not breaching your rights, e.g. any of the uses referred to above.

We will only process sensitive data, such as health information, with your consent. You have the right to withdraw that consent at any time but please note that failure to provide consent, or withdrawal of the consent, could affect our ability to assess your entitlement to certain benefits, e.g. without access to your medical information, the Trustee could not process a claim for ill-health early retirement.

3. How we use your information

Your information will be used to administer your pension benefits and for related activities including meeting certain employer and member requirements. In particular, we will use the information to:

• Calculate and pay your benefits, including online calculations that you request;
• identify what benefits are, or might be, payable to you or, in the event of your death, any beneficiaries;
• communicate with you by electronic means, including online, by post or by other means to keep you updated on matters related to the Scheme;
• provide you with information about your benefits and options available to you; and
• deal with any queries or disputes you may have about your benefits.

We may add new features, or change some features, of the website. We will notify you of any changes as they go live.

4. Sharing your information

We may share your information with:

• any of your employers or former employers who participate in the Scheme;
• our professional advisers (including legal advisers, medical advisers and auditors);
• Mercer Administration Benefits, as administrator appointed by the Trustee to provide day to day administration services and United Kingdom Research and Innovation who also provide supplementary administration services;
• the Scheme actuary;
• other persons to whom you have authorised data to be disclosed (for example, the pension scheme receiving a transfer value, or an independent financial adviser); and
• other organisations providing services to the Trustee, including pensions governance and communications providers, healthcare practitioners, insurers and pensions tracing services, but in each case only in relation to matters connected to the administration of the Scheme and your benefits under it.

We may also share your information with government agencies and other authorities (including HMRC and the Pensions Regulator) where necessary for the proper administration of your benefits, the prevention of crime or to meet legal and regulatory requirements.

Parties that process data that is shared with them will generally be "data processors". Parties that decide how your data is to be processed are "data controllers".

5. Processing your information outside the European Economic Area (EEA)

All countries within the EEA, including the UK, have similar standards for the protection of personal data. Where any of your information is transferred outside the EEA (e.g. because any of our advisers or service providers have IT systems located in other jurisdictions) we ensure that there are appropriate safeguards in place to ensure the security of personal data. Please see the "Contact us" section below if you would like further information about these safeguards.

6. Security of your information

The Trustee is committed to ensuring that your personal information is secure. We have in place appropriate technical and contractual measures to ensure that information is only shared for the reasons, and by the means, set out in this notice.

The Trustee takes great care to ensure that your information is kept secure when we need to share this with a third party as outlined above.

7. How long do we keep your information?

Pension schemes are long-term. We will of course keep your personal information for as long as you are a member of the Scheme. We will also retain some information for a period after you leave the Scheme for any reason, e.g. following a transfer out, to enable us to deal with any queries that may arise after you have left. We will keep information after you have left the Scheme for as long as we believe necessary in order efficiently to administer the Scheme.

8. Monitoring and recording

We may monitor, record, store and use any telephone, email or other communication with you in order to maintain a record of any instructions given to us, for training purposes, for crime prevention and to improve the quality of service to Scheme members.

9. Your rights

You have rights under data protection law to know what personal information we hold about you, the purpose for which we hold it and the identity of any person to whom it has been disclosed. You can also ask us to correct any errors in your data, and can ask for unnecessary or outdated data to be deleted. In some circumstances, you have the right to require certain of your information to be transferred to you or a third party.

NOTE: You also have rights under data protection law to object to the processing of your information on grounds which we have said are necessary for our legitimate interests (see above). However, if we do not hold all the data we need to administer your benefits, we may not be able to pay out the benefits you are entitled to.

If you have any questions or wish to exercise any of the above rights, you can contact us as detailed below.

You also have the right to withdraw your consent to the use of your information, to the extent such use is based on your consent. Please note, however, that this could affect our ability to assess your entitlement to certain benefits, e.g. ill-health early retirement. If you do withdraw consent, then that will not affect the lawful basis on which the data was processed prior to consent being withdrawn.

You can also lodge a complaint about our processing of your personal information with the office of the Information Commissioner (www.ico.org.uk).

10. Contact us

The Trustee's board of directors is a "data controller", i.e. we determine the purposes for which your personal data are processed, and how they are processed.

If you would like any further information about the Trustee's approach to data protection and privacy, or to request details about the information we hold, please contact Jim Clerkin at MRC, 14th Floor, One Kemble Street, London WC2B 4AN

11. The Information Commissioner

The Information Commissioner is the UK's independent authority set up to uphold information rights and data privacy for individuals. You have the right to lodge a complaint with the Information Commissioner if you are dissatisfied with any aspect of the way that we collect and use your personal information.

The Information Commissioner's website can be found at www.ico.org.uk or you can call their helpline on 0303 123 1113.

12. Updates and changes

We will keep this privacy policy under review and may update it from time to time without prior notice. Any revised policy will appear on the Scheme website www.mrcps.co.uk using access code 672785. Please check every now and then for any updates.

13. Other data controllers

Other parties, such as the Trustee's legal advisers and the Scheme actuary, may be data controllers in relation to your data, although the Trustee will be your point of contact. Those parties are required to have their own separate privacy notice, which you can access through the following links:

DLA Piper (Trustee's legal advisers) www.dlapiper.com/en/uk/privacy-policy

GAD (Scheme actuary) www.gov.uk/government/publications/government-actuarys-department-gad-privacy-notice