Privacy notice

Here at Universities Superannuation Scheme, we are committed to protecting your privacy. The USS Group comprises Universities Superannuation Scheme Limited and USS Investment Management Limited both of which are Controllers of personal data as defined under the General Data Protection Regulation (GDPR). This privacy notice is issued on behalf of the USS Group so when we mention “USS”, “we”, “us” or “our” in this privacy notice, we are referring to the relevant company in the USS Group responsible for processing your data. Universities Superannuation Scheme Limited is the controller and responsible for this website.

We take our obligations very seriously and have appropriate procedures in place to ensure your information and rights are protected. This privacy notice tells you what to expect when USS collects your personal data.

This privacy notice is provided in a layered format so you can click through to the specific areas set out below. Where we think it will assist you in understanding the meaning of some of the terms used in this privacy notice, we have provided an explanation of the terms we use.

It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.

Who this notice applies to

This notice applies to information we collect about the following persons:

  • Members of the Universities Superannuation Scheme (the Scheme), including those who are actively paying contributions into the Scheme (Active), have paid contributions into the scheme but no longer do so and have yet to reach retirement age (Deferred or Withdrawn), have retired on normal or ill health grounds and receive a pension from the scheme (Pensioner), are potential or actual beneficiaries of a Scheme member (Beneficiaries), or those who have been automatically enrolled and have subsequently opted out of the Scheme (Opted-out). This notice also applies to spouses, dependents and lawful representatives of Scheme member’s;
  • Visitors to our websites, including My USS (the portal where Scheme members can access their online account to view details about their pension benefits);
  • Persons contacting our offices using the contact details provided on our website or specific business contact details provided directly to them;
  • Certain persons involved in investment transactions.

How we use your information

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). Depending on which category of person you fall in to will determine what types of personal data we may collect, use, store or transfer.

Members of the Scheme

As a member of the Scheme and in the course of administering your pension and calculating benefits due to you, we may collect and process personal information about you, your family or spouse which has been provided to us by you, your current or previous employer(s), third party information and tracing specialists, other pension schemes or your medical advisers.

The identifiable personal information we may collect and process is as follows:

  • Personal identifiers e.g. Name, Date of Birth, National Insurance Number;
  • Personal Contact Data e.g. Address (current or previous), Telephone Numbers (home and mobile), Email Address;
  • Personal Banking Details e.g. Sort Code, Account Number;

We may also collect and process health and medical information about an individual should it be necessary in relation to your pension e.g. to assess an application for ill health retirement. We will obtain your clear written consent to collect and process your sensitive (special category) personal data where required under law.

We collect and process this information for the following purposes:

  • for the purpose of administering the Scheme, estimating or calculating benefits due to you or your beneficiaries;
  • performing our duties as a pension scheme, including calculating future liabilities of the Scheme;
  • to communicate with you;
  • to understand and improve our websites;
  • to provide you online access to your pension information;
  • to ensure complaints and enquiries are handled correctly and are resolved;
  • to ensure telephone calls are recorded should we need them for training and monitoring purposes, crime prevention or other regulatory obligations we are subject to.

For these purposes we may disclose your personal information to any of your employers (including former employers) who participate in the Scheme and our third party suppliers who we have engaged with to assist us. These may include professional advisers, legal and medical professionals, external administrators, companies within the USS Group, our actuaries and, if appropriate, our Additional Voluntary Contribution (AVC) provider. We take great care to ensure that the information we collect and process about you is held securely and safeguarded and therefore require this of any third party we transfer your information to.

Visitors to our websites

When someone visits our websites, we use a third party service, Google Analytics and Hotjar to collect certain information such as standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone, unless you provide your email address so we can respond to any feedback you provide us. For more information about how we use Hotjar and Google Analytics click here to navigate to that section of this notice.

Communication Recording

We may monitor, record, store and use any telephone, email or other communication with you in order to maintain a record of any instructions given to us, for training purposes, for crime prevention, for regulatory purposes, and to improve the quality of our customer service.

Investment transactions

In the course of making investments, we may collect personal information from certain individuals related to that investment.

The identifiable personal information we may collect and process is as follows:

  • Personal identifiers e.g. Name, Date of Birth, Passport Number;
  • Personal Contact Data e.g. Address (current or previous).

We may collect and process this information for the following purposes:

  • For the prevention and detection of fraud and crime;
  • To assess the financial stability of a corporate entity to which an individual is connected with;
  • To register certain individuals with Companies House and to be able to keep sufficient reports and accounts.

For these purposes we may disclose your personal data to our third party suppliers who we have engaged with to assist us including professional advisers, legal counsel external administrators, and to government bodies such as Companies House. We take great care to ensure that the information we collect and process about you is held securely and safeguarded and therefore require this of any third party we transfer your information to.

Lawful basis of collection and processing

We will never collect or process your personal information unless it is lawful to do so. The different types of lawful basis used by us to collect and process your personal information for the purposes set out above, the following section explains what these are.

  • Legitimate Interest – means the interest of USS in conducting and managing our business to enable us to give you the best service, to meet our obligations as a trustee of a pension scheme and to give you the best and most secure experience. Where we hold a strong legitimate interest and it is necessary to process and collect your personal data. We will make certain that this processing does not prejudice your rights and freedoms as an individual. For example, we collect certain information from your employer to enroll you in the Scheme. This allows us to then send you details on joining the Scheme and your options.
  • Legal obligation – means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that USS is subject to. We may process your personal data where we have a legal obligation to do so. For example, we collect certain information from your employer to meet our obligations set out by the Pensions Regulator (tPR) to automatically enroll you in the Scheme.
  • Consent – we will obtain your clear written consent to collect and process your personal or sensitive (special category) personal data where required under law. For example, should you retire on ill-health grounds we may need to request a medical report and health information, and we will ask your permission to do so. Where we have a necessary legitimate interest or legal obligation to collect and process your personal data we will not be required to obtain your consent, however we will inform you of our processing. We will do this either by contacting you directly or by updating this privacy notice from time to time. The way in which we notify you will be in accordance with our obligations under the law.

International transfers

Wherever possible we will ensure your data is processed within the European Economic Area (EEA). However should it be necessary to transfer your personal data outside the European Economic Area (EEA), we will ensure appropriate safeguards and levels of protection including contractual provisions are in place and your consent sought where necessary in accordance with the law.

Data Retention

We will store your personal data for no longer than is necessary and in accordance with our records retention policy which takes into account timeframes set out by law and good practice industry guidelines. For example, as a Scheme member we will retain your information throughout the relationship with you to administer the Scheme. Upon end of relationship, including any beneficiary’s entitlement, we will retain this data for a minimum of six years, in line with the statute of limitations. We will securely destroy personal information not required for the administration of the Scheme after that.

Your Rights

We fully support the enhanced rights for individuals as set out in the General Data Protection Regulation (GDPR). You have the right to be informed about what we do with your personal data, to access your personal data held by us, for it to be accurate and kept up to date, and for it to be deleted, transmitted or its processing by us restricted, if permissible. We do not use your personal data to make any automated decisions or profile individuals.

The following sections provide you with more detail on how you can access a copy of your personal data, how you can ask for that to be transmitted to another service provider or deleted by us, if permissible. It also gives you information on withdrawing consent and your right to make a complaint to the supervisory authority.

Subject Access Request

You have the right to know what personal data we hold about you, the purpose for which we hold it and who we share it with. You are entitled to receive a copy of your personal data and you can exercise these rights verbally or in writing. We have a short form you can download from our website here called ‘Request for Personal Data’ that you can complete, sign and return to us however this is not mandatory. We will not charge you a fee to make a subject access request but you must provide us with suitable identification so we can verify that it is you making the request. However, we may charge a reasonable fee if your request is manifestly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

For identification purposes, please provide a copy of official photo ID such as a passport or driving license and a copy of a recent utility bill with your home address on it. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

Data Portability

You have the right to obtain and reuse the personal data we hold about you for your own purposes across different services. You are entitled to receive a copy in a readable format and you can exercise these rights verbally or in writing. We will provide you or the third party to which you consent for us to transmit your personal data to, in a structured, commonly used and machine readable format. We will use secure methods as determined by us to transmit this personal data to you.

Right to Erasure (commonly known as the right to be forgotten)

You have the right to request personal data we hold about you to be deleted. You can exercise these rights verbally or in writing. The right is not absolute and only applies in certain circumstances, as for example, we will need to retain your personal and financial data as a Scheme member so that we can carry out our duties as the trustee of a pension scheme and pay benefits that are due. However we are committed to giving full consideration to each request and acting on it in accordance with the law. We have procedures in place to inform any onward recipients such as our third party data processors, if we erase any of your data we have shared with them as part of the course of our business.

Right to Rectification

If the information we hold about you is inaccurate you have the right to ask us to rectify it, including completing incomplete information. You can exercise these rights verbally or in writing. If you are an active member of the Scheme you can ask for us to amend your information via your pensions contact at your institution. Or alternatively, the ways in which you can contact us directly can be found on the contact us page on our website www.uss.co.uk/public/contact-us.

Right to Restrict Processing

You have the right to ask us to restrict how we process your personal data. This means we are permitted to store your data but not to continue to process it. The right is not absolute and only applies in certain circumstances, as for example, we will need to retain your personal and financial data as a Scheme member so that we can carry out our duties as the trustee of a pension scheme and pay benefits that are due. However we are committed to giving full consideration to each request and acting on it in accordance with the law.

Right to Object

You have the right to object to the processing of your personal data, even if this is based on our legitimate interests. The right applies in certain circumstances however we are committed to giving full consideration to each request and acting on it in accordance with the law.

Withdrawing consent

There may be certain times were we ask for your clear written consent to process your personal data. Where we do this, you have the right to withdraw this consent at any time.

Time Limit to respond to your requests

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Complaints to the supervisory authority

You also have the right to complain to the supervisory authority if you believe we are not processing your information in accordance with the law. The supervisory authority for the United Kingdom is the Information Commissioner’s Office (ICO) and their contact details are available on their website www.ico.org.uk. Please be assured that we take all complaints seriously and if you would like to discuss these in the first instance with our data protection officer, then you can call (0151) 227 4711.

Security

We take the security of your personal data very seriously. We have put in place appropriate technical and contractual measures to prevent the unauthorised disclosure or use of your personal data. We have implemented organisational measures to keep your personal data secure against the threat of human intervention. These measures include training all of our employees, and providing them with regular reminders of their individual obligations and responsibilities. We are accredited to the international standard of information security, ISO27001:2013. This ensures we internally monitor our compliance with a series of technical and non-technical security controls, and we are periodically audited by an external body who check we are maintaining compliance to the international standard.

Spouse data

USS does not always hold sufficient data on retired members’ spouses to enable us to accurately calculate and manage the liabilities of the Scheme. The information we look to collect via a third party tracing service is as follows: (i) relationship of spouse and member; (ii) spouse month and year of birth; (iii) spouse gender; and (iv) confirmation that the surname of the spouse matches that of the member. This enables us to better understand and manage the Scheme’s liabilities and to ensure that we have adequate funds to meet these. This is clearly in the best interests of both members of the Scheme and their spouses and we feel it to be necessary for the Trustee to appropriately discharge its duties. Should your spouse object to our intended collection and use of their data for the limited purposes outlined above they can contact write to us at our offices.

National Fraud Initiative

We participate in the National Fraud Initiative (NFI), which is a data matching exercise carried out by the Cabinet Office. Our participation in NFI is voluntary and we share personal data lawfully with the Cabinet Office under our legitimate interest to do, together with our regulatory obligations to prevent and detect fraud against Universities Superannuation Scheme Limited as the Trustee of the Scheme, and to protect the interests and pensions of our members. We provide the Cabinet Office with particular sets of personal and financial data about our scheme members to conduct this matching exercise. The categories of personal data for private sector companies that may be shared to carry out the NFI exercise are detailed here.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the General Data Protection Regulation (GDPR).

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. Computerised data matching allows fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

View further information on the Cabinet Office's legal powers and the reasons why it matches particular information here.

Contact our Data Protection Officer

To discuss any part of this privacy policy or if you have a query, you can contact our Data Protection Officer by telephone on (0151) 227 4711 or 0845 068 1110 (local rate call charge number), lines are open Monday - Friday 9am - 5pm. Alternatively you can contact us by using the contact us page on this website.

How we use Hotjar and Google Analytics

Hotjar

Our website (www.uss.co.uk including My USS) uses certain services provided by Hotjar Limited (“Hotjar”), a company that specialises in website analytics and feedback.

These services provide us with an opportunity to better evaluate and analyse how you use our website. They provide us with important feedback and information on behavioural patterns of users across our website’s pages.

We use these services in order to improve the functionality of our website, making it more user-friendly and simpler for you to use. The services offered by Hotjar allow us to track and record information such as mouse clicks, mouse movements, scrolling activity as well as non-personally identifiable information you type into some pages of our website, including some customer satisfaction surveys you choose to complete. This is done using cookies. For more information please visit www.uss.co.uk/public/about-cookies.

All analysis and feedback information we collect is anonymous unless you provide your email address so we can respond to any feedback you provide us. We anonymise any fields where you may input sensitive information, for example, login details or text you enter into fields on a page. Cookies placed on your computer or device’s browser will collect and process the following non-personally identifiable information:

  • Device's IP address (captured and stored in an anonymised format);
  • Device screen resolution;
  • Device type (unique device identifiers), operating system, and browser type;
  • Geographic location (country only);
  • Preferred language used to display the Hotjar enabled site;
  • Mouse events (movements, location and clicks);
  • Keypresses;
  • Referring URL and domain;
  • Pages visited on our websites; and
  • Date and time when pages were accessed on our websites.

For more information you can visit the Hotjar website and read their privacy policy www.hotjar.com/privacy.

You can disable this tracking and analysis tool at any time by visiting www.hotjar.com/opt-out. Please note that clearing your cookies, running in incognito/private mode, or using a different browser will enable tracking again.

Google Analytics

Our website (www.uss.co.uk including My USS) uses a service call Google Analytics provided by Google. This service provide us with an opportunity to better evaluate and analyse how you use our website. It provides us with important feedback and information on behavioural patterns of users across our website’s pages.

All analysis and feedback information we collect is anonymous apart from your IP address in some cases. Google Analytics uses Cookies placed on your computer or device’s browser to collect and process the following information:

  • Time of visit, pages visited, and time spent on each page of the webpages;
  • Referring site details (such as the URL you used to arrive at this site e.g. google search);
  • Type of web browser (Chrome, IE, Firefox);
  • Type of operating system (OS);
  • Flash version, JavaScript support, screen resolution, and screen colour processing ability;
  • Network location and IP address;
  • Document downloads from our website.

For more information about how we use cookies, and how to disable them, click here to navigate to our About Cookies page.

Our Use of Cookies

Cookies are used to pass session data between pages. Our cookies neither reveal nor contain any identifying or personal data and cannot read any information on your computer or interact with other cookies on your system.

If you do not want your browser to accept our cookies you can turn off the cookie acceptance option in your browser settings. However, disabling cookie support may prevent this site from functioning properly and you may not be able to utilise fully all of its features and information.

For more information about how we use cookies, and how to disable them, click here to navigate to our About Cookies page.

Updates

We may update this privacy policy from time to time without notice to you and any revised privacy policy will appear on this page. You should check back frequently for any updates or changes to this policy.