Data protection

GMPF privacy notice

Data protection is the term normally used to describe the laws that deal with data and its use. The main purpose of data protection rules is to make sure people and organisations are gathering and storing data properly.

The Data Protection Act 2018 and the General Data Protection Regulations (known as GDPR) set out these rules. You can find out more about them on the Information Commissioner’s Office website. 

Everybody has the right to access recorded information held by public authorities, including Tameside Metropolitan Borough Council the administering authority for the Greater Manchester Pension Fund. You can find out more about Freedom and Information on the Tameside MBC website.  

Why is GMPF allowed to use my data?

Greater Manchester Pension Fund (GMPF) has a legal responsibility to look after the pensions of our members and to run the pension fund. We need to use data to do this. This is one of the reasons allowed under data protection laws. There are six conditions for using personal data set out in the law and having a legal obligation is one of them. Some types of data are classed as ‘special category data’. We need your consent to process this type of data.

Who holds my data and why?

Tameside Metropolitan Borough Council runs GMPF. The council is the ‘data controller’ under the law and holds all the data. We hold your data so that we can: 

  • Contact you 
  • Work out your pension benefits
  • Pay your pension benefits
  • Produce statistics about what we do
  • Work out how much money we need to pay pensions in the future
  • Make decisions about how and where to invest pension contributions
  • Monitor the quality of our services to you and train our staff in best practice 
  • Test calculation updates, identify software faults and test new software functionality.

What types of data do you hold?

We hold two types of data about a person. In the data protection rules these are called ‘personal data’ and ‘special category data’.

Personal data

Some examples of the personal data we would normally hold about members or other potential beneficiaries include:

  • Contact details – your name, address, telephone number and email address
  • Identifying details – your date of birth, national insurance number, employee and membership numbers
  • Information that is used to decide the pension benefits you are entitled to
  • Information that is used to work out your pension benefits, for example, your pay
  • Financial information needed to pay a pension, such as bank account and tax details
  • Information about your family and other dependents who may be entitled to pension benefits if you die

We also obtain the personal data of people who we work with, such as contractors, advisors and other professionals who are involved in the investment and administration work we do. This will usually be limited to names, phone numbers, email and physical addresses or other personal data necessary for the work that is being carried out.  

Special category data

Special category data is sensitive data, such as information about your health, religion or political beliefs. There are extra protections for this type of data. We will only process special category data if we have your consent or another legal reason for doing so.

If you give your consent to allow us to process this data, you can withdraw it at any time by telling us in writing. You may want to speak to us about this beforehand in case withdrawing your consent means that we have to stop paying you your pension.

Another example of special category data is information about a criminal conviction. We would only hold this information if you owed money to your employer or GMPF because of a crime you had committed and where we were collecting it back from your pension.

Where do you get my data from?

We get some data directly from you, so for example when you fill in a form and send it to us. We also get some data from others, including:

  • Your current or past employer, or a company that took them over
  • A relative or solicitor acting on your behalf 
  • A public database, such as the register of births, deaths and marriages 
  • Government or official bodies, such as His Majesty’s Revenue and Customs (HMRC)

Who do you share my data with?

Each section within GMPF gathers the data they need to carry out their role. For example, the Pensions Administration section will collect the data of a pension scheme member, while the Pensions Legal section will collect the contact details of a contractor or tenant. Sometimes a section may share data with another GMPF department to complete a transaction or to provide a service. So for example, the Administration section may pass a member’s details to the Legal section if there is a matter that needs legal advice. 

We may share your data with several other organisations. In many cases, this is so they can process data on our behalf following our instructions. Organisations that do this are called ‘data processors’ and are just as responsible for keeping your data safe as we are. Here are some examples:

  • Adare post out letters and newsletters on our behalf and process data to create annual pension statements and P60s for pensioners. 
  • We link to information held by Experian which allows the forms on this site to complete and verify addresses you insert.
  • We use BACS to pay our pensions in the UK and Convera UK Ltd to pay pensions overseas in a local currency. 
  • We send and receive data from HM Revenue & Customs (HMRC).
  • Hymans Robertson is our actuary. Their main role is to decide how much money we need to pay benefits and how much employers must pay in. They need information about the pensions people are building up to do this. We also share similar data with the Government Actuary’s Department (GAD), who carries out a similar role for the Government when they are looking at the cost of the LGPS as a whole.
  • RNIB help us to produce documents in Braille. 
  • Languageline translate foreign documents into English and documents from English into other languages.
  • We may share data with your employer to help them to carry out their LGPS pension responsibilities and may also provide your former employer with data if they need to pay extra costs linked to your pension. If your former employer is no longer responsible for these payments, then we may provide those details to the organisation that has taken over that responsibility. 
  • We may share data with other public bodies to prevent and detect fraud and error. 
  • We take part in the National Fraud Initiative (NFI). The NFI is a data matching exercise that assists public bodies and private sector organisations to prevent and detect fraud and error.
  • We use GBG Solutions to carry out a verification of your bank details prior to paying any pension benefits. This is to help detect and prevent fraud and error. The bank account verification will confirm that your name and address match those attached to the bank details you have provided. 
  • We use Target Professional Services Ltd to run a monthly check against the General Register Office's records to identify pensioners who have died. We also use them to help us to trace the addresses of members who have moved house and not told us their new address. 
  • If you are going through a divorce case, then we may have to provide information to the court, your solicitor or the solicitor of your spouse.
  • Your data may be shared securely with other departments inside GMPF and Tameside Metropolitan Borough Council (TMBC) where those departments provide a service to GMPF. For example, to provide legal advice. 

We also provide data to the LGPS national insurance database. This is a way of sharing member information with other LGPS funds.

The database is owned by the Local Government Authorities (LGA) who contract South Yorkshire Pension Authority to maintain the service.

We use the database to assist us carry out the following duties:

  • To make sure we don't double up when paying a lump sum death grant.
  • To check for previous LGPS membership when a member re-joins the LGPS, with a view to automatically aggregating that membership as required by the regulations.
  • To check if the member is entitled to a refund of contributions.
  • To check if a member has other rights that would either prevent payment of, or need to be taken into account when assessing the eligibility for a ‘de minimis’ payment or a trivial commutation.
  • To check if a member has a statutory right to a transfer out, in accordance with the law.
  • To trace a member’s address if we have previously receive returned mail.
  • To ensure overseas pension members are receiving the correct benefits.

What data does the ReciteMe accessibility tool use?

If you use the ReciteMe accessibility tool to read any pages, your computer's IP address will be sent to the third party who provides this tool. This is for analytic and performance monitoring, so that they can deal with any problems that arise. You can find out more information by visiting the ReciteMe website.

Do you share data with my employer?

We may share data with your employer or their advisers to help them understand how much they have to pay into GMPF to pay for the pensions of their employees.

There may be times when we need to share data with other organisations connected with your employer. For example, a contractor may need to know what the pension costs are likely to be if they are going to bid for work currently done by a GMPF employer. 

When we share your data with your employer, they become a data controller and have to follow the law in the same way.

Do you share data with my additional voluntary contributions (AVCs) provider?

If you chose to make AVCs, you will have given your data to the provider when you first started. We share data with them and providers of annuities if you ask us to do this on your behalf when you retire.

You can find out how your AVC provider manages your data by visiting their website.

Do you ever share data with organisations outside the United Kingdom?

There are some situations when this might happen, for example if you went to work abroad and wanted to transfer your pension there.

Currently, UK Data Protection laws remain identical to the ones applicable across the European Union, and the same protections apply. However, this may change.  In any event, we will process your data following any rules applicable at the time.

If we have to transfer your data outside the European Union, we will check that the appropriate safeguards are in place and follow the laws that apply.

How long do your keep data for? 

We should only keep data for as long as we need it to carry out the job we had collected it for.

However, we need to keep everything long enough to be able to respond to questions or complaints about the benefits we pay or about how we have made decisions.

If you are a GMPF member, this means that we will keep your data to:

  • Work out your pension benefits
  • Pay you those benefits, in many cases for the rest of your life
  • Work out and pay pension benefits to your dependents or beneficiaries
  • To answer questions and queries 

We will keep your data for at least 15 years after we stop paying your pension or after you transfer it to another pension provider.

What are my rights?

You have a right to:

  • Ask for a copy of any personal data we hold about you
  • Ask us to put right anything in your data which is wrong or out of date
  • Ask us to stop processing your data if it is wrong until the errors are put right

If you wish to do any of these things, or you have questions or worries about how we are using your data, please contact us. You can also get more information on your rights and Subject Access Requests (SARs) by going to the Tameside MBC website.

Alternatively you can visit the Information Commissioner's Office website to find out more about your rights. This includes your right to complain about this section of our website.

What can I do if something is wrong?

Tameside Metropolitan Borough Council’s data protection officer (DPO) is responsible for ensuring that GMPF is complying with data protection law.

You can contact the DPO if you have an issue or concern about how we are handling data by telephone on 0161 342 3028, email information.governance@tameside.gov.uk, or by mail to the address below.

Data Protection Officer
Tameside One
Market Place

The council’s full data protection statement is on their website.

You can refer the matter to the Information Commissioner’s Office if you are unable to resolve the issue.

Do you use Microsoft Teams and Zoom?

Yes. We use Microsoft Teams (MS Teams) to organise virtual meetings, hold webinars and to work collaboratively. We do this with our partners, our employers, with colleagues at other LGPS funds, several other associated organisations and occasionally with our members too. We also use Zoom to hold some virtual meetings. GMPF Zoom meetings are arranged by Tameside MBC and the use of Zoom is covered by the Tameside MBC privacy notice.

GMPF uses the core capabilities in MS Teams, including business messaging, calling, video meetings and file sharing. Personal data is processed and stored in Microsoft’s cloud servers to provide these services. MS Teams is not used for any automated decision-making, including profiling.

If you are invited to join a GMPF Team in MS Teams (so invited to be a guest user), you should read this part of our privacy statement together with our ‘Guest terms of use for MS 365’ before accepting the invite to join.

What personal data do you process in MS Teams?

We process the following categories/types of personal data:

  • Personal identifying information: username, first name, surname, email, work telephone number, occupation and preferred language
  • Electronic identifying information: IP address, cookies, connection data and access times
  • Films, pictures and video and sound recordings
  • Metadata used for maintenance of the service provided
  • Any data as (potentially) processed in the context of file sharing for professional activities (for example messages, images, files, voicemail, calendar meetings, contacts and the like)

Who is responsible for processing the data?

The processing of personal data is carried out under the responsibility of our Data Protection Officer.

Personal data is processed by the service provider, Microsoft, for the following activities:

  • Providing end-user support and troubleshooting for Office365 applications and features related to conducting virtual meetings and teleconferences
  • Tracking changes to users and groups
  • Managing content uploaded to MS Teams, including data retention policies
  • Managing MS Teams settings
  • Supporting, operating and maintaining online services

For more information on the processing of personal data by Microsoft, see the Microsoft Privacy Statement.

Who has access to personal data held in MS Teams and to whom is it disclosed?

Personal data is disclosed on a need-to-know basis to the following recipients:

  • The GMPF Systems & IT Maintenance team and external users included in the MS Teams team that is used for the exchange of information.
  • GMPF and Microsoft staff involved in the data processing necessary to provide the service.

Personal data is stored in the UK. It is not used for any other purposes, nor is it disclosed to any other recipient.

How do you protect and safeguard my personal data?

We implement appropriate technical and organisational measures to safeguard and protect your data from any accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.

MS Teams has been configured to preserve the confidentiality of the information you exchange by implementing encryption in transit and at rest. Anonymous access is not authorised. Any information you add to a group in MS Teams, be it in chat, video conference or file sharing, will be available only to the specific users and groups indicated above.

Microsoft data centres are certified in several security standards, including ISO27001, SOC1 and SOC2, NIST Cybersecurity Framework (CSF), ISO27017 and ISO27018 Code of Practice for Protecting Personal Data in the Cloud.

What rights do I have to my data held in MS Teams?

You have the right to request confirmation as to whether or not your personal data is being processed, and, where that is the case, to request access to it as well as to information on the purpose of the processing or the categories of personal data concerned. You also have the right to rectification and to request the correction of inaccurate personal data. You have the right to ask the Data Protection Officer to restrict the processing of your personal data under certain circumstances, such as if you think that the processing is incorrect or unlawful. You have the right to request the erasure of your personal data without undue delay under certain circumstances, such as if your personal data is no longer necessary for the purposes for which it was collected or if it has been unlawfully processed. You have the right to object to the processing of your personal data under certain circumstances. You can assert your above-mentioned rights by contacting us.

How long do you store data in MS Teams?

Different types of data will be stored in MS Teams for different lengths of time in line with GMPF’s data retention policy. You can request more details about this by contacting us.

Created by Clay10 Creative