Your privacy rights in relation to Real Accounts and Nest Insight
The UK General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018 (‘Data Protection legislation’) regulate how we process your personal information. The purpose of this policy is to explain how we collect and use your personal information and how we comply with Data Protection legislation. It is important that you read this information.
The Real Accounts project is led by Nest Insight in collaboration with the Centre for Personal Financial Wellbeing at Aston University and the Yunus Centre for Social Business and Health at Glasgow Caledonian University (‘Collaborators’). Nest Insight is part of the National Employment Savings Trust Corporation (Nest) which is the Trustee and provider of the Nest pension scheme (the scheme). Nest Insight is a public-benefit research and innovation centre. Nest Insight was set up by Nest Corporation to find ways to support low and moderate-income workers to be financially secure both today and into retirement. For privacy information on Nest’s management of the scheme please visit nestpensions.org.uk
In this policy, we explain some things about the personal information Nest Insight and the Collaborators hold (whether we collect this from you or it is provided to us), and your rights regarding this information. Please read it carefully, together with any other privacy notices and information that we provide you, from time to time.
Outline of policy:
- Your privacy rights in relation to the Real Accounts project
- Processing your data for research purposes
- Processing your data for marketing and other non-research purposes
- Security and your data rights
Your privacy rights in relation to the Real Accounts project
The Real Accounts project is a primary research project that will follow the financial lives of low- to moderate-income UK households. We will collect personal data for the duration of the project together with our Collaborators and we will each act as Joint Controllers. This means that we jointly decide the purpose for which your personal data is used and we are jointly responsible for protecting your personal data and ensuring that it is processed in accordance with the requirements of the Data Protection legislation.
We may collect and receive different types of personal information about you. Personal information we hold about you includes any information that identifies you (e.g. name, address, phone number etc.). It can also include personal information which relates to specific topics that are thought to be more privacy sensitive and are called special categories of information (e.g. information about your health, your ethnicity, religion etc.). When we use special categories of data, we will ask for your explicit consent.
Processing your data for research purposes
Processing your data for marketing and other purposes
We may receive personal information about you if you:
- attend Nest Insight events, meetings or conferences, where you may exchange business contact information and/or business card contact details with Nest Insight
- submit your information via the mailing list sign-up box on the Real Accounts website or contact Nest Insight directly via firstname.lastname@example.org.
We may also receive information about you from third-parties or through our social media sites where you have provided your consent.
How we’ll use your personal information
We will rely on your consent as the legal basis for processing your personal information. You can easily withdraw your consent at any time. We explain how you can do so each time we ask for your consent.
Nest Insight may send you (via email):
- communications about, or invitations to participate in, events, research topics, ideas and programmes
- communications to inform you about published results of Nest Insight programmes and research.
Nest Insight may send you requests to provide your opinion on the events you have been involved in. We may share anonymised feedback on events you have attended within Nest Insight to improve our services.
What personal information we use and how long we keep it
Data we may use for marketing communication and keeping you informed
This may include data such as your surname, forename(s), job title, organisation you work for, telephone number, correspondence address and email(s).
How long we keep it for the purpose of marketing communication and keeping you informed
We’ll keep this information for however long you continue to wish to receive communications from the Real Accounts project via Nest Insight. You can choose to unsubscribe via the link at the bottom of the emails we send you, or you can let us know via email@example.com that you no longer wish to receive communications from the Real Accounts project via Nest Insight. We will remove your contact details from the Real Accounts mailing list within 1 month of receiving your request to ensure you do not receive further communications from the Real Accounts project via Nest Insight in the future. We may also send you emails from time to time to confirm if you wish to still receive communications from us.
If you have subscribed to the Nest Insight mailing list and no longer wish to hear about Nest Insight’s wider research, events, or partnership opportunities, you can let us know by contacting Nest Insight: firstname.lastname@example.org.
Other data we may use for other purposes
If we use your personal information for any other purpose we will notify you (through fair processing notices we issue to you at the time of collecting the data) of how this will be processed and how long we will keep this data for.
In addition, we may keep your personal information for a longer period of time than mentioned above for archiving or research purposes, or in the event of ongoing disputes, claims or complaints. In such cases, we’ll consider the nature, degree of sensitivity, and volume of your personal information that needs to be kept. We’ll also take into consideration the purpose for extending the retention period and whether this purpose could be achieved through other means.
From time to time, we may need to pass your personal information on to trusted third-parties.
Third-party processors and websites
When we share data with third-parties, they may be a processor acting on instructions from us or a controller in their own right. We seek to ensure that we have the necessary safeguards and security measures in place when we use third-party processors. When we outsource any processes, we ensure any supplier or contractor we use has adequate security measures in place. We also require them to comply with data protection principles as part of our contract with them.
The Real Accounts website or the information we provide you with may, from time to time, contain links to and from third-party websites, including those of our partner networks and affiliates. If you follow a link to any of these websites, please note that these websites may have their own privacy policies. We don’t accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
For compliance purposes
Nest Insight may need to pass your personal information as requested and required to The Pensions Regulator, the Pensions Ombudsman, the Department for Work and Pensions and Her Majesty’s Revenue and Customs, in accordance with our legal obligations for compliance purposes.
In order to comply with our legal, regulatory and statutory obligations, sometimes we also need to pass your personal information to third-parties, such as courts, law enforcement agencies, our insurers, our auditors, and our professional advisers.
Security and your data rights
We want to ensure that we process accurate information about you and need your help to make sure that we do this. If you notice that any of your personal information is incorrect or if any personal information about you changes, please see below on how you can correct your personal information.
Security and safe storage of your personal information
The security of your personal information is very important to us and we take this matter very seriously. We’ll use appropriate procedures and security features to process and protect your information. We have in place a robust framework to ensure the security of your data.
The Real Accounts website is hosted by Nest Insight and the information security management systems operated by Nest Corporation and our IT managed services provider are both independently certified to the ISO 27001 standard. This gives us assurance that our systems and processes are robust and helps protect your data.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How can you access and correct your personal information?
How can you correct your personal data?
You can correct the information Nest Insight and Collaborators hold about you in relation to the Real Accounts project by emailing email@example.com
How can you access your personal information or data and exercise your rights?
Subject to certain conditions, you have the right to request access to the personal information that we hold about you. This is commonly called a ‘data subject access request’.
If possible, you should specify the type of information you would like to see to ensure that our disclosure meets your expectations. You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Your request shall not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other individuals.
In addition to your right to access or rectify the personal information that we hold about you, as set out above, you have the right to, or to make a request (under certain circumstances) to:
- restrict or object to the processing of the personal information we hold about you (see Note 1)
- erase your personal information (see Note 1)
- receive personal information about you that you have provided to us in a structured, commonly used, machine-readable format where we use it with your consent (‘right to data portability’) (see Note 2)
- withdraw your consent for us to process your personal information, where based on consent (see Note 3)
- object to automated decision-making including profiling.
We must be able to verify your identity. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Note 1: It is important to note that your request to restrict or object to processing or erase your personal information doesn’t automatically lead to a requirement for the processing to stop, or for your personal information to be deleted. For instance, we may not be in a position to erase your personal information, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.
Note 2: In addition, the right to data portability only applies in certain circumstances such as where the processing relies on consent. When Nest Insight processes your personal information in order to comply with its legal obligations, the right to data portability will not apply.
Note 3: If you do decide to withdraw your consent we will stop processing your personal information for that purpose going forward, unless there is another lawful basis we rely on – in which case, we will let you know. Please note if your personal information is anonymised, Data Protection legislation including the rights set out above will no longer apply. If you withdraw your consent, please note that data that has been processed before the date of withdrawal will still have been legally processed and will be unaffected by the withdrawal.
If you withdraw yourself from our research, your data in relation to the research will be deleted, as soon as reasonably practical, usually within one week. Please note this may affect your eligibility for any prize draws or any incentives offered to take part in the research.
To make a request under these rights you can email us at: firstname.lastname@example.org
Third-party processors for website analytics purposes
We may also share your personal information with any other third-party where you have given your consent.
Changes to this policy
Queries and further information
For queries about how your personal information is used or to make a complaint:
If you want to contact us, you can contact us by emailing:
- For marketing and general queries: email@example.com
- If you have queries about how your data is being used in the Real Accounts project, please contact Dr Olga Biosca at firstname.lastname@example.org or the Glasgow Caledonian University data protection team at email@example.com.
- If you remain unhappy or wish to make a formal complaint: please contact Will Sandbrook, the Managing Director of Nest Insight at firstname.lastname@example.org.
Raise a complaint with the Information Commissioner’s Office
If you have concerns about the way we handle your personal data and you think we haven’t dealt with them properly, you can contact the Information Commissioner’s Office (ICO) or raise a complaint:
- by phone on +44 303 123 1113
- by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
- via their website at: ico.org.uk/concerns