Privacy policy

Your privacy rights in relation to Nest Insight

The UK General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018 (‘Data Protection legislation’) regulate how we process your personal information. The purpose of this policy is to explain how Nest Insight collects and uses your personal information and how we comply with Data Protection legislation. It is important that you read this information.

Nest Insight is part of the National Employment Savings Trust Corporation (Nest) which is the Trustee and provider of the Nest pension scheme (the scheme). Nest looks after all aspects of the scheme, including research related to pensions and savings, in line with the Nest Order and Rules and the law. Where Nest determines the reasons for which we use your personal information and the means of processing your personal information, it is the controller. Nest Insight is a public-benefit research and innovation hub. Nest Insight was set up by Nest Corporation to understand and address the challenges facing Nest members and other defined contribution savers. For privacy information on Nest’s management of the scheme please visit nestpensions.org.uk.

In this policy, we explain some things about the personal information Nest Insight holds (whether we collect this from you or it is provided to us), and your rights regarding this information. Please read it carefully, together with any other privacy notices and information that we provide you, from time to time.

Outline of policy:

  1. Your privacy rights in relation to Nest Insight
  2. Processing your data for research purposes
  3. Processing your data for marketing and other non-research purposes
  4. Security and your data rights

We may collect and receive different types of personal information about you. Personal information we hold about you includes any information that identifies you (e.g. name, address, phone number etc.). It can also include personal information which relates to specific topics which are thought to be more privacy sensitive and called special categories of information (e.g. information about your health, your ethnicity, religion etc.). When we use special categories of data, we will ask for your explicit consent.

Processing your data for research purposes

Our lawful basis for processing your personal information and where we obtain it

We use the personal information Nest already holds on you

As part of the legal requirements when looking after the scheme, Nest has to be able to develop a scheme that aims at meeting, on an on-going basis, the needs of its members, participating employers, and intermediaries. In order to do so, Nest needs to conduct research to better understand how individuals manage money and their pensions. For some of our research, we may access your personal information that Nest collects and receives in order to administer your Nest Account. You can find out about the information Nest holds about you in the Nest Privacy policy.

Third-parties share personal information with us

Third-parties may share your personal information with us based on their lawful basis for processing which can include consent (please see below), legal obligation, public task, your vital interests, contractual requirement or legitimate interests. The legitimate interests can be their interests or the interests of another party. They will do this if they consider the processing of your personal information is necessary for legitimate purposes but they will need to balance this against your interests.

Consent

When we rely on your consent as the legal basis for processing your personal information, you can easily withdraw your consent at any time. We explain how you can do so each time we ask for your consent.

We may receive personal information about you from third-parties where you have provided your consent. These could include:

  • your employer
  • your savings provider
  • a research recruitment agency.

How we’ll use your personal information

Research activities

If you provide your consent to participate in our research, Nest Insight will use your personal information (as applicable):

  • to administer surveys, prize draws (our prize draws are also subject to our terms and conditions, which will be communicated to you at the time) and incentives
  • to invite you to our interviews and/or focus groups.

How we use Nest Insight research

Nest and Nest Insight abide by the Market Research Society’s Code of Conduct.

Nest Insight will minimise our use of personal data by only collecting the data we need for the research. Depending on the requirements of the project, we will seek to anonymise your personal information as soon as possible. Once your personal information is anonymised, it will no longer be subject to Data Protection legislation. In addition, the research findings will be fully anonymised before being published. We may use the anonymised results of research to inform Nest, the finance industry, academics, policymakers and the public about pensions and saving behaviour.

The research teams are committed to sharing research for the benefit of society and the economy. The anonymised research findings will be written up as articles, case studies, research reports and presentations, whether by Nest Insight, its funders (if any), or its collaborators. Anonymised research results will also be openly accessible on the Nest Insight website and shared on social media.

What personal information we use and how long we keep it

Data we may use for research

This includes surname, forenames, previous names, job title, employment status, organisation you work for, industry you work in, date of birth, gender, marital status, details of dependants, telephone number, audio and video recordings and transcripts of your interaction with us, correspondence address, emails, information about your opinion on pensions and savings and details of your pensions and savings. Any other data processed will be notified to you at the time of processing.

We may collect special categories of data such as ethnicity, sexual orientation and health data for the purposes of research only. We will obtain your explicit consent before we do so.

We will always seek to pseudonymise or anonymise this data before using it for research. Pseudonymisation may involve replacing names or other identifiers which are easily attributed to you with, for example, a reference number. Pseudonymisation reduces risk to your personal information.

Nest member data

The member data we use will depend on the requirements of a project but may include name, date of birth and postcode. We will also seek to anonymise and pseudonymise your personal information where possible before using it for research.

How long we may keep it for the purpose of research

The personal information processed for the purpose of research will only be stored for as long as is necessary to complete the research analysis and publish the findings. For most projects, we will keep your personal information for no longer than 6 months after the completion of the research project. On some projects, we may need to keep it for longer for the purpose of review, but this will be no longer than 10 years. After this, any personal data except Nest member data will be deleted or anonymised.

In addition, we may keep your personal information for a longer period of time than mentioned above for archiving purposes, or in the event of ongoing disputes, claims or complaints. In such cases, we’ll consider the nature, degree of sensitivity, and volume of your personal information that needs to be kept. We’ll also take into consideration the purpose for extending the retention period and whether this purpose could be achieved through other means.

Third-parties

From time to time, we may need to pass your personal information on to trusted third-parties.

Third-party websites

Our website or the information we provide you with may, from time to time, contain links to and from third-party websites, including those of our partner networks and affiliates. If you follow a link to any of these websites, please note that these websites may have their own privacy policies. We don’t accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Third-party service providers

We may use third-parties to support our research and the administration of our surveys and interviews, and we will obtain your consent before we do this. We seek to ensure that we have the necessary safeguards and security measures in place when we do so. When we outsource any processes, we ensure any supplier or contractor we use has adequate security measures in place. We also require them to comply with data protection principles as part of our contract with them. When we share data with third-parties, they may be a processor acting on instructions from us or another processor or a controller in their own right. These third-parties may include transcription services or market research agencies such as online survey providers. If there are any additional privacy policies or terms and conditions which apply to you from the use of third-parties, we will communicate this to you.

Third-party research (including with Nest member data)

We may need to share your personal data with other government bodies or departments, as well as with third-party research partners (such as universities, think tanks, etc.). We will generally be required to do this because of a legal obligation. The member data we use will depend on the requirements of a project but may include name, date of birth and postcode. Wherever possible, we’ll use aggregated datasets, or anonymisation or pseudonymisation techniques to limit personal information use to what is strictly necessary for the purpose of each project.

Transfers outside the United Kingdom (UK)

Some of the organisations that we share your personal information with may process it overseas. If any sharing means that your personal information will be transferred outside the UK, we will only make that transfer if:

  • the country to which the personal information is to be transferred ensures an adequate level of protection for personal information
  • we can put in place appropriate safeguards to protect your personal information, such as an appropriate contract (like the contract terms sometimes called Standard Contractual Clauses issued by the European Commission and/or any replacements applicable in the UK) with the recipient organisation; and
  • the transfer is necessary for one of the reasons specified in data protection law.

In some situations, we may request your consent to the transfer to ensure this is lawful.

If we use any third-party service providers who are not based in the UK, Nest Insight carries out a risk assessment to determine whether appropriate safeguards are in place (taking into account the level of security, the volume of data, sensitivity of data) and Nest Insight seeks to ensure that the necessary safeguards are written into the contract.

Processing your data for marketing and other purposes

Consent

We may receive personal information about you if you:

  • attend Nest Insight events, meetings or conferences, where you may exchange business contact information and/or business card contact details with Nest Insight
  • submit your information via the mailing list sign-up box on the Nest Insight website or contact Nest Insight directly via insight@nestcorporation.org.uk.

We may also receive information about you from third-parties or through our social media sites where you have provided your consent.

How we’ll use your personal information

We will generally rely on your consent as the legal basis for processing your personal information. You can easily withdraw your consent at any time. We explain how you can do so each time we ask for your consent.

Nest Insight may send you (via email):

  • communications about, or invitations to participate in, events, research topics, ideas and programmes
  • communications to inform you about published results of Nest Insight programmes and research.

Nest Insight may send you requests to provide your opinion on the events you have been involved in. We may share anonymised feedback on events you have attended within Nest Insight to improve our services.

What personal information we use and how long we keep it

Data we may use for marketing communication and keeping you informed

This may include data such as your surname, forename(s), job title, organisation you work for, telephone number, correspondence address and email(s).

How long we keep it for the purpose of marketing communication and keeping you informed

We’ll keep this information for however long you continue to wish to receive communications from Nest Insight. You can choose to unsubscribe via the link at the bottom of the emails we send you, or you can let us know via insight@nestcorporation.org.uk that you no longer wish to receive communications from Nest Insight. We will remove your contact details from our mailing list within 1 month of receiving your request to ensure you do not receive further communications from Nest Insight in the future. We may also send you emails from time to time to confirm if you wish to still receive communications from us.

Other data we may use for other purposes

If we use your personal information for any other purpose, we will notify you (through fair processing notices we issue to you at the time of collecting the data) of how this will be processed and how long we will keep this data for.

In addition, we may keep your personal information for a longer period of time than mentioned above for archiving or research purposes, or in the event of ongoing disputes, claims or complaints. In such cases, we’ll consider the nature, degree of sensitivity, and volume of your personal information that needs to be kept. We’ll also take into consideration the purpose for extending the retention period and whether this purpose could be achieved through other means.

Third-parties

From time to time, we may need to pass your personal information on to trusted third-parties.

Third-party processors and websites

When we share data with third-parties, they may be a processor acting on instructions from us or a controller in their own right. We seek to ensure that we have the necessary safeguards and security measures in place when we use third-party processors. When we outsource any processes, we ensure any supplier or contractor we use has adequate security measures in place. We also require them to comply with data protection principles as part of our contract with them.

Our website or the information we provide you with may, from time to time, contain links to and from third-party websites, including those of our partner networks and affiliates. If you follow a link to any of these websites, please note that these websites may have their own privacy policies. We don’t accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

For compliance purposes

We may need to pass your personal information as requested and required to The Pensions Regulator, the Pensions Ombudsman, the Department for Work and Pensions and Her Majesty’s Revenue and Customs, in accordance with our legal obligations for compliance purposes.

In order to comply with our legal, regulatory and statutory obligations, sometimes we also need to pass your personal information to third-parties, such as courts, law enforcement agencies, our insurers, our auditors, and our professional advisers.

Security and your data rights

We want to ensure that we process accurate information about you and need your help to make sure that we do this. If you notice that any of your personal information is incorrect or if any personal information about you changes, please see below on how you can correct your personal information.

Security and safe storage of your personal information

The security of your personal information is very important to us and we take this matter very seriously. We’ll use appropriate procedures and security features to process and protect your information. We have in place a robust framework to ensure the security of your data.

The information security management systems operated by Nest Corporation and our IT managed services provider are both independently certified to the ISO 27001 standard. This gives us assurance that our systems and processes are robust and helps protect your data.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

How can you access and correct your personal information?

How can you correct your personal data?

You can correct the information Nest Insight holds about you by emailing insight@nestcorporation.org.uk

How can you access your personal information or data and exercise your rights?

Subject to certain conditions, you have the right to request access to the personal information that we hold about you. This is commonly called a ‘data subject access request’.

If possible, you should specify the type of information you would like to see to ensure that our disclosure meets your expectations. You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Your request shall not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other individuals.

In addition to your right to access or rectify the personal information that we hold about you, as set out above, you have the right to, or the right to make a request (under certain circumstances) to:

  • restrict or object to the processing of the personal information we hold about you (see Note 1)
  • erase your personal information (see Note 1)
  • receive personal information about you that you have provided to us in a structured, commonly used, machine-readable format where we use it with your consent (‘right to data portability’) (see Note 2)
  • withdraw your consent for us to process your personal information, where based on consent (see Note 3)
  • object to automated decision-making including profiling.

We must be able to verify your identity. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Note 1: It is important to note that your request to restrict or object to processing or erase your personal information doesn’t automatically lead to a requirement for the processing to stop, or for your personal information to be deleted. For instance, we may not be in a position to erase your personal information if we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.

Note 2: In addition, the right to data portability only applies in certain circumstances such as where the processing relies on consent. When Nest Insight processes your personal information in order to comply with its legal obligations, the right to data portability will not apply.

Note 3: If you do decide to withdraw your consent we will stop processing your personal information for that purpose going forward, unless there is another lawful basis we rely on – in which case, we will let you know. Please note if your personal information is anonymised, Data Protection legislation including the rights set out above will no longer apply. If you withdraw your consent, please note that data that has been processed before the date of withdrawal will still have been legally processed and will be unaffected by the withdrawal.

If you withdraw yourself from our research, your data in relation to the research will be deleted, as soon as reasonably practical, usually within one week. Please note this may affect your eligibility for any prize draws or any incentives offered to take part in the research.

To make a request under these rights you can email us at: insight@nestcorporation.org.uk

Use of cookies and website analytics purposes

Cookies

If you want more information about cookies we use, or if you’d like to change your cookie settings, please go to our Cookie policy page.

Third-party processors for website analytics purposes

Nest Insight uses website analytics providers in order to provide valuable information and insight into the performance and use of our website. We also share information about your use of our site with those web analytics providers. You’ll find more information in our Cookie policy. From this page, you will also be able to manage your preferences and opt in to or out of cookies that are not essential to the operation of the website.

We may also share your personal information with any other third-party where you have given your consent.

Changes to this policy

We may change our privacy policy from time to time. If, or when, any material changes are made, we will let you know about them on our website. We encourage you to check our website for updates on a regular basis. This version was last updated on 4 February 2022.

Queries and further information

For queries about how your personal information is used or to make a complaint: contact our data protection officer at dpo@nestcorporation.org.uk

Further information

  • The information provided in this privacy policy is in addition to any other privacy information we may give you on our website or via other channels (including paper communication, secure message, e-mail, telephone etc.).
  • If you want more information about the use of cookies on the Nest Insight website, please view the Nest Insight Cookie policy.

Contact us

If you want to contact us, you can contact us by emailing:

  • For marketing and general queries: insight@nestcorporation.org.uk
  • If you have a question about any aspect of our research or prize draws that you’ve been invited to take part in: insightresearch@nestcorporation.org.uk. They will do their best to answer your query and should acknowledge your concern within 10 working days and give you an indication of how they intend to deal with it.
  • If you remain unhappy or wish to make a formal complaint: please contact Will Sandbrook, the Managing Director of Nest Insight at will.sandbrook@nestcorporation.org.uk.

Raise a complaint with the Information Commissioner’s Office

If you have concerns about the way we handle your personal data and you think we haven’t dealt with them properly, you can contact the Information Commissioner’s Office (ICO) or raise a complaint:

  • by phone on +44 303 123 1113
  • by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
  • via their website at: ico.org.uk/concerns