General Privacy Notice
Who we are
BRAL Trustees (IOM) Limited is the trustee (“the Trustee”) of the British Regional Airlines Group Pension Scheme (“the Scheme”).
Why we are telling you about data privacy
As the Trustee of the Scheme (referred to as “we” or “us” in this notice), we hold certain personal information (known as “personal data”) about scheme members and, where applicable, their dependants and beneficiaries . Most of the information held about you and processed by the Trustee in running the Scheme will be personal data (in other words, because we hold information from which you as an individual can be identified, any information we hold in respect of you will be subject to certain protections).
We take your privacy very seriously and this privacy notice explains how we’ll use the personal data we hold in respect of you or that we receive from other sources, such as your employer.
For legal purposes, the Trustee is known as the “data controller”, as we decide the purposes for and the means by which the personal data we hold is processed. However, we may also share your personal data with certain third parties involved in running the Scheme, including (but not limited to) the Scheme’s administrator, actuary, auditor and legal advisers who all process your data to provide their services to the Scheme. In some circumstances, responsibility of your personal data is shared with the Scheme’s actuary, auditor and legal advisers who process your data to comply with their professional duties as advisers, and are joint data controllers. We have listed some of the main counterparties in the Annex to this notice.
We have measures and controls in place to help keep your personal data secure and to protect it form unlawful use, accidental loss, destruction or damage. This is in order to comply with our obligations under data protection laws including the General Data Protection Regulation (the “GDPR”) from 25 May 2018. Please note, we may change this privacy notice from time to time. However, if material changes are made, we’ll take steps to let you know.
What information we collect about you
As data controller, and depending on the circumstances and the stage of your membership, we may hold some or all of the following information about you:
- details to identify and contact you such as your name, address, email address, phone number, date of birth, gender, marital status, and national insurance number
- salary, contributions, service dates, retirement benefits and details of your bank account (to pay benefits)
- details about your dependants and/or beneficiaries
- medical and other details about your health
- and other information used to determine the benefits payable to you such as your other pension arrangements, tax residency status, your tax coding and other tax allowances.
Finally, it is possible that we may receive personal data form other parties including: the sponsoring employer’s payroll and HR providers, other schemes you have been a member of, data analytics companies (e.g. for member tracing, identify and existence checking) and regulatory authorities and government departments.
How we use that information
The Trustee has a legitimate interest in holding and processing the above information about you as it is needed for us to properly administer the Scheme, determine if you qualify for benefits, and to calculate and pay such benefits. We also keep the above information in order to allow us, amongst other things:
- to comply with our obligations towards members under the Scheme governing documents, as well as under relevant legislation
- to provide communications relevant to your stage of membership (including outlining your choices and options)
- to consider and respond to a concern or dispute you have raised through the Scheme’s internal dispute resolution procedure (IDRP) or to otherwise address complaints or litigation
- and to comply with our legal obligations (including helping to prevent fraud, money laundering, terrorism and other crimes by verifying what we know about you).
We will not collect any personal data from you that we do not need.
Personal data relating to the Scheme is held on paper and on computer systems. As the “data controller”, the Trustee must process this information fairly and lawfully.
As part of running the Scheme, we may also need to hold and process particularly sensitive information about you and/or your dependants and beneficiaries (known as “special category personal data” under GDPR). Under the legislation, details relating to health, racial or ethnic origin, religious or other similar beliefs, sexual orientation and political affiliations are regarded as “special category personal data”. We will in most circumstances process this data as necessary for the establishment, exercise or defence of legal claims to benefits or in the performance of our legal obligations in connection with employment, social security and social protection (as allowed by legislation). If there are any occasions where we seek your explicit consent to process sensitive data then you can withdraw it at any time.
Who we share it with
We will not share your data with any other party unless you have given your consent, or this is necessary:
- either to comply with a legal or contractual obligation or for other specifically identified purposes, or
- to meet the legitimate interests of the trustees or another party, or
- where there is a substantial public interest in processing special category personal data under national law, or
- you have made the special category personal data manifestly public.
In order to operate the Scheme effectively, we may need to share your data with third parties involved in the running of the Scheme. The third parties we may share your data with include the following:
- Flybe Limited (principal employer) and their professional advisers. Potentially, this could include companies which are based outside the EEA. However, where data is sent outside the EEA, appropriate safeguards are put in place in accordance with applicable data protection laws and regulations to ensure that your data is kept secure, and you can obtain further details about such safe guards by contacting us using the contact details set out at the end of this policy
- the Scheme’s professional advisers, including the Scheme actuary, auditor, medical advisers, investment managers, investment adviser and lawyers
- the third parties who are responsible for the day-to-day administration of the Scheme on behalf of the Trustee
- HM Revenue & Customs and/or the Isle of Man Assessor of Income Tax and other statutory bodies (such as the Financial Services Authority, Isle of Man Treasury, the UK and IOM Pensions Ombudsmen and the UK Pensions Regulator) – the Trustee can be fined and subject to other action if it fails to provide certain information to these authorities
- third parties to whom we may need to disclose personal data in order to comply with a statutory obligation (for example, in response to a court order or a law enforcement agency’s request)
- persons we engage to conduct medical assessments
- the advisers and printers who help us prepare various communications we send to you, such as newsletters and benefit statements
- our appointed insurance company or companies for the purposes of life insurance and additional voluntary contributions
- during (or in anticipation of) any winding-up of the Scheme, insurance companies and/or third party pension providers for the purposes of tendering, pricing and ultimately securing relevant member liabilities by way of annuity purchase or transfer
- depending upon how we pay pensions, the personal data we have to supply in order to effect an electronic bank transfer (e.g. a BACS or CHAPS automated transfer)
- there may also be other bodies such as beneficiary or mortality tracing agencies
- finally, any third party where you’ve given your consent and, after your death, your dependants, beneficiaries and legal personal representatives.
For details of the identity of those third parties with whom we share your personal data please see the Annex to this policy.
Keeping your personal data secure
Once we have received your data, we use appropriate procedures and security features to prevent unauthorised access. These include technical, administrative, and physical security measures such as password protection, encryption and pseudonymisation.
We also require any third-party service provider who processes your personal data in line with our instructions (data processors) to do so as well. If they process your personal data in other countries, including outside the European Economic Area, we require them to apply appropriate safeguards in compliance with data protection laws. However, please be aware that providing data to us or our service providers via email or the internet is not completely secure and we cannot guarantee the security of data you send in this way. This is done at your own risk.
For details of the identity of those data processors with whom we share your personal data lease see the Annex to this policy.
How long we keep personal data for
We must keep all personal data safe and only hold it for as long as necessary. To meet the requirements of both UK/IOM tax and pensions law, we must keep certain personal data (for example, details about the date a member joins the Scheme, their name and address, and details of benefits paid) for a minimum of 6 years. But, given the nature of pension schemes, the Trustee may be required to keep some of your personal information for the rest of your life. In particular, we will store and process your personal data for as long as necessary to comply with our legal obligations, pay benefits in line with the Scheme’s terms, and deal with queries about your benefits or those of your beneficiaries after your death.
However, we review the personal data held in relation to the Scheme on a regular basis in accordance with our data retention schedule. If we conclude that certain personal data is no longer needed, that personal data will generally be destroyed.
By the same token, our service providers and advisers will retain your personal data for a reasonable period after our agreement ends with them. This is to enable them to deal with queries into the future, protect themselves against legal claims, and may be necessary to satisfy their insurer’s requirements.
- Right to be informed – you have the right to be provided with a clear and easily understandable explanation of how we use your personal data and your rights in relation to it. This is why we’re providing you with the information in this notice.
- Right of access – you have the right to see the personal data that is held about you and certain other information (similar to that provided in this notice). This is so you are aware of the data that we hold about you, and can check that we are using it in accordance with applicable data protection law.
- Right to portability – you also have a right to obtain a copy of the personal data that we hold on you in a machine readable (namely, digital) format. You may reuse this data for your own purposes.
- Right to rectification – if at any point you believe that the personal data we hold about you is inaccurate or incomplete, you can ask to have it corrected.
- Right to restrict processing – you can require the Trustee to limit the processing of your personal data in certain circumstances, for example, whilst a complaint about its accuracy is being resolved. When our processing of your data is blocked in this way, we can still store information that we have, but may not use it further. We will keep a list of people who have restricted processing of their data so that the restriction is respected in the future.
- Right to object to processing – as we are relying on legitimate interests as a reason for processing, you can object to your personal data being processed, although the Trustee can override this objection in certain circumstances.
- Withdrawing consent – where you have given us your consent to processing your personal data, you can withdraw that consent at any time by notifying us (see “Who to contact” below). However, withdrawing your consent will not affect the processing of any personal data which took place beforehand and it may be possible for the Trustee to continue processing your personal data where this is justified.
- Right to be forgotten – you can request that your personal data is deleted altogether where there is no compelling reason for us to keep it. This is not absolute right as we may have a right or obligation to retain information in certain circumstances (for example, if we are under a legal obligation to keep it, or have another valid legal reason to retain it).
You should be aware that taking any of the above steps could impact on the payment of your benefits, your participation in the Scheme, and/or our ability to answer questions relating to your benefits.
Information will generally be provided to you free of charge, although the Trustee can charge a reasonable fee in certain circumstances.
Please also be aware that the right to erasure of your personal data does not apply where your information is processed for certain specified reasons, including to establish, exercise or defend legal claims.
We may need to notify third parties with whom we have shared your personal data that you have made a data subject request. We will take reasonable steps to do this, but if it is not possible or costly we may not be able to do so.
Who to contact about your personal data
If you wish to:
- see your personal data or to exercise any of the rights mentioned above
- request a hard copy of the notice
- make a complaint about how we have handled your personal data
Please contact Boal & Co (Pensions) Limited, the contact details for which can be found on the Scheme’s website at www.boal.co.uk/bral or we can be contacted on 01624 606 606.
Making a complaint to the Information Commissioner’s Office
If you are not satisfied with our response to any query you raise with us, or you believe we are processing your personal data in a way which is inconsistent with the law, you can complain to the Information Commissioner’s Office whose helpline number is as follows:
- for UK members / beneficiaries:
- telephone: 0303 123 1113
- website: https://ico.org.uk/
- for Isle of Man members / beneficiaries
- telephone:– 01624 693 260
- website: https://www.inforights.im/
Updates to this notice
This notice is the latest version as at 10th December 2018. This notice will be updated from time to time and you can see the current version at any time on the Trustee’s website at www.boal.co.uk/bral . Alternatively, if you would prefer to receive a hard copy of the notice, please let us know (see “Who to contact” above).
BRAL Trustees (IOM) Limited as trustee of the British Regional Airlines Group Pension Scheme
Annex – third parties with whom your personal details may be shared
For the purposes of administering the Scheme and paying benefits under it, the Trustee may need to share your personal information with certain parties who may process your data to comply with their professional duties as service providers to the Trustee. This section lists the key third party service providers with whom we share your personal data.
Data Controller *
Andrew Pugh, Mercer Limited
Boal & Co (Pension) Limited
CMS and Cains Advocates Limited
Grant Thornton Limited
*Where parties act as data controllers, this statement meets their duty to tell you how they collect and use your data.