Privacy policy

The purpose of this policy is to explain how Nest Insight collects and uses your personal information and how we comply with data protection law. The UK General Data Protection Regulation and the Data Protection Act 2018 (‘Data Protection legislation’) regulate how we process your personal information.

In this policy, we explain some things about the personal information that we hold about you (whether we collect this from you or it is provided to us), and your rights regarding this information. It is important that you read this information carefully, together with any other privacy notices and information that we provide you from time to time. Nest Insight may be referred to as ‘we’ or ‘us’ in this policy.

Outline of policy:

  1. Privacy rights in relation to Nest Insight
  2. Processing your data for research purposes
  3. Processing your data for marketing and other non-research purposes
  4. Security and your data rights

Privacy rights in relation to Nest Insight

Nest Insight is a research and innovation centre finding better ways to support people’s financial wellbeing, now and in later life. We are part of the National Employment Savings Trust Corporation (‘Nest’) which is the Trustee and provider of the Nest pension scheme (the scheme). Nest looks after all aspects of the scheme, including research related to pensions and savings, in line with the Nest Order and Rules and the law. Nest is registered with the Information Commissioner’s Office. For privacy information on Nest’s management of the scheme please visit nestpensions.org.uk.

We may collect and receive different types of personal information about you. Personal information we hold about you includes any information that identifies you (e.g. name, address, phone number etc.). It can also include personal information which relates to specific topics which are thought to be more privacy sensitive and called special categories of information (e.g. information about your health, your ethnicity, religion etc.). When we use special categories of data, we will ask for your explicit consent. Where we determine the reasons for which we use your personal information and the means of processing your personal information, we are the controller.

For further information on your data rights, see the section below on ‘Security and your data rights’.

Processing your data for research purposes

What personal information do we use and where do we obtain it?

One of Nest’s legal duties for looking after the scheme is to make sure it meets the needs of its users. This includes its members, the employers who enrol them, and the advisors acting on behalf of employers. Nest needs to conduct research to better understand how individuals manage money and their pensions. For some of our research, we may access your personal information that Nest collects and receives in order to administer your Nest account. You can find out about the information Nest holds about you in the Nest Privacy policy. We may also use personal information that you have provided directly to us where you have consented to do so.

Third-parties may share your personal information with us where they have a legal basis to do so. This can include consent (please see below), legal obligation, public task, your vital interests, contractual requirement or legitimate interests depending on the processing requirements of the research activity. The legitimate interests can be their interests or the interests of another party. They will do this if they consider the processing of your personal information is necessary for legitimate purposes but they will need to balance this against your interests.

When we rely on your consent as the legal basis for processing your personal information, you can easily withdraw your consent at any time. We explain how you can do so each time we ask for your consent.

We may receive personal information about you from third-parties where you have provided your consent. These could include:

  • your employer
  • your savings provider
  • a research recruitment agency.

How we’ll use your personal information

If you provide your consent to participate in our research, we will use your personal information (as applicable):

  • to invite you to participate in our surveys, interviews and/or focus groups, and other types of research that we carry out
  • to invite you to participate in webinars, roundtables or focus groups
  • to administer prize draws (our prize draws are also subject to our terms and conditions, which will be communicated to you at the time) or compensation as a thank you for taking part in our research
  • to administer surveys where you have agreed to take part

We abide by the Market Research Society’s Code of Conduct. We will minimise our use of personal data by only collecting the data we need for the research. Depending on the requirements of the project we will seek to anonymise your personal information as soon as possible and once your personal information is anonymised it will no longer be subject to Data Protection legislation. In addition, the research findings will be fully anonymised before being published. We may use the anonymised results of research to inform Nest, the finance industry, academics, policymakers and the public about pensions and saving behaviour.

The research teams are committed to sharing research for the benefit of society and the economy. The anonymised research findings will be published in the form of articles, case studies, research reports and presentations, blogs, videos and podcasts whether by us, our funders (if any), or our collaborators. Anonymised research results will also be openly accessible on our website and shared on social media.

As part of our research, we undertake roundtable meetings and online events where we may need to collect data such as names, audio and video recordings or other personal information. All invitations for meetings or online events will specify whether the event will be recorded so you can decide whether you want to take part. You will have the option to turn off your camera and microphone at online events, but personal data may still be recorded during the event. This data is retained solely for administrative purposes, to ensure that we capture contributions, and not for distribution. It will not be retained for longer than necessary.

What personal information we use and how long we keep it

Our research activities may vary and you will be informed of the data that will be collected at the start of the research activity. Data may include surname, forenames, previous names, job title, employment status, organisation you work for, industry you work in, date of birth, gender, marital status, details of dependants, telephone number, audio and video recordings and transcripts of your interaction with us, correspondence address, emails, information about your opinion on pensions and savings and details of your pensions and savings. Any other data processed will be notified to you at the time of processing.

We may collect special categories of data such as ethnicity, sexual orientation and health data for the purposes of research only. We will obtain your explicit consent before we do so.

We will always seek to pseudonymise or anonymise this data before using it for research. Pseudonymisation may involve replacing names or other identifiers which are easily attributed to you with, for example, a reference number. Pseudonymisation reduces risk to your personal information.

The member data we use will depend on the requirements of a project but may include name, date of birth and postcode. We will also seek to anonymise and pseudonymise your personal information where possible before using it for research.

The personal information processed for the purpose of research will only be stored for as long as is necessary to complete the research analysis and publish the findings. For most projects we will keep your personal information for no longer than 6 months after the completion of the research project. On some projects we may need to keep it for longer for the purpose of review, but for no longer than 10 years. After this, any personal data except Nest member data will be deleted or anonymised.

Third-parties

From time to time, we may need to pass your personal information on to trusted third-parties.

Our website or the information we provide you with may, from time to time, contain links to and from third-party websites, including those of our partner networks and affiliates. If you follow a link to any of these websites, please note that these websites may have their own privacy policies. We don’t accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

You may also be subject to third-party platform terms and conditions, for example when you join an online event using a third-party platform.

We may use third-parties to support our research and the administration of our surveys and interviews, and we will obtain your consent before we do this. We seek to ensure that we have the necessary safeguards and security measures in place when we do so. When we outsource any processes, we ensure any supplier or contractor we use has adequate security measures in place. We also require them to comply with data protection principles as part of our contract with them. When we share data with third-parties, they may be a processor acting on instructions from us or another processor or a controller in their own right. These third-parties may include transcription services or market research agencies such as online survey providers. If there are any additional privacy policies or terms and conditions which apply to you from the use of third-parties, we will communicate this to you.

We may need to share your personal data with other government bodies or departments, as well as with third-party research partners (such as universities, think tanks, etc.). We will generally be required to do this because of a legal obligation. The member data we use will depend on the requirements of a project but may include name, date of birth and postcode. Wherever possible, we’ll use aggregated datasets, or anonymisation or pseudonymisation techniques to limit personal information use to what is strictly necessary for the purpose of each project.

Transfers outside the United Kingdom (UK)

Your personal data will generally be processed in the UK. However, some of the organisations that we share your personal information with may process it overseas. If any sharing means that your personal information will be transferred outside the UK, we will only make that transfer if:

  • the country to which the personal information is to be transferred ensures an adequate level of protection for personal information
  • we can put in place appropriate safeguards to protect your personal information, such as an appropriate contract (like the contract terms sometimes called Model Contract Clauses, which include the UK’s international data transfer agreement (ITDA) or the EU’s standard contractual clauses (EU SCCs) supplemented by the ITDA addendum); and
  • the transfer is necessary for one of the reasons specified in data protection law.

In some situations, we may request your consent to the transfer to ensure this is lawful.

If we use any third-party service providers who are not based in the UK, we will carry out a risk assessment to determine whether appropriate safeguards are in place (taking into account the level of security, the volume of data, sensitivity of data) and seek to ensure that the necessary safeguards are in the contract.

Processing your data for marketing, events and other purposes

We may receive personal information about you if you:

  • attend our events, meetings or conferences where there may be photography or recording of events, and/or you exchange business contact information and/or business card contact details with us;
  • submit your information via the mailing list sign-up box on our website or contact us directly via insight@nestcorporation.org.uk.

We may also receive information about you from third-parties or through our social media sites where you have provided your consent.

How we’ll use your personal information

We will generally rely on your consent as the legal basis for processing your personal information. You can easily withdraw your consent at any time. We explain how you can do so each time we ask for your consent.

We may send you (via email):

  • communications about, or invitations to participate in, events, research topics, ideas and programmes
  • communications to inform you about published results of Nest Insight programmes and research.

We may send you requests to provide us with your opinion on the events that you have been involved in or attended. We may share anonymised feedback on events you have attended within Nest Insight to improve our services.

What personal information we use and how long we keep it

This may include data such as your surname, forename(s), job title, organisation you work for, telephone number, correspondence address and email(s).

receive communications from us. You can choose to unsubscribe via the link at the bottom of the emails we send you, or you can let us know via insight@nestcorporation.org.uk that you no longer wish to receive communications from us. We will remove your contact details from our mailing list within 1 month of receiving your request to ensure you do not receive further communications from us in the future. We may also send you emails from time to time to confirm if you wish to still receive communications from us.

Where we collect data for meetings or events, we will only store that data for as long as necessary for processing information related to the meeting or event. This shall be no longer than five years after the meeting or event.

In addition, we may keep your personal information for a longer period of time than mentioned above for archiving or research purposes, or in the event of ongoing disputes, claims or complaints. In such cases, we’ll consider the nature, degree of sensitivity, and volume of your personal information that needs to be kept. We’ll also take into consideration the purpose for extending the retention period and whether this purpose could be achieved through other means.

If we use your personal information for any other purpose we will notify you (through fair processing notices we issue to you at the time of collecting the data), of how this will be processed and how long we will keep this data for.

Third-parties

From time to time, we may need to pass your personal information on to trusted third-parties.

When we share data with third-parties, they may be a processor acting on instructions from us or a controller in their own right. We seek to ensure that we have the necessary safeguards and security measures in place when we use third-party processors. When we outsource any processes, we ensure any supplier or contractor we use has adequate security measures in place. We also require them to comply with data protection principles as part of our contract with them.

Our website or the information we provide you with may, from time to time, contain links to and from third-party websites, including those of our partner networks and affiliates. If you follow a link to any of these websites, please note that these websites may have their own privacy policies. We don’t accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

We may need to pass your personal information as requested and required to The Pensions Regulator, the Pensions Ombudsman, the Department for Work and Pensions and Her Majesty’s Revenue and Customs, in accordance with our legal obligations for compliance purposes.

In order to comply with our legal, regulatory and statutory obligations, sometimes we also need to pass your personal information to third-parties, such as courts, law enforcement agencies, our insurers, our auditors, and our professional advisers.

Security and your data rights

We want to ensure that we process accurate information about you and need your help to make sure that we do this. If you notice that any of your personal information is incorrect or if any personal information about you changes, please see below on how you can correct your personal information.

Security and safe storage of your personal information

The security of your personal information is very important to us and we take this matter very seriously. We’ll use appropriate procedures and security features to process and protect your information. We have in place a robust framework to ensure the security of your data.

The information security management systems operated by Nest Corporation and our IT managed services provider are both independently certified to the ISO 27001 standard. This gives us assurance that our systems and processes are robust and helps protect your data.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

How can you access and correct your personal information?

You can correct the information that we hold about you by emailing insight@nestcorporation.org.uk

Subject to certain conditions, you have the right to request access to the personal information that we hold about you. This is commonly called a ‘data subject access request’.

If possible, you should specify the type of information you would like to see to ensure that our disclosure meets your expectations. You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Your request shall not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other individuals.

In addition to your right to access or rectify the personal information that we hold about you, as set out above, you have the right to, or to make a request (under certain circumstances) to:

  • restrict or object to the processing of the personal information we hold about you (see Note 1)
  • erase your personal information (see Note 1)
  • receive personal information about you that you have provided to us in a structured, commonly used, machine-readable format where we use it with your consent (‘right to data portability’) (see Note 2)
  • withdraw your consent for us to process your personal information, where based on consent (see Note 3)
  • object to automated decision-making including profiling.

We must be able to verify your identity. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Note 1: It is important to note that your request to restrict or object to processing or erase your personal information doesn’t automatically lead to a requirement for the processing to stop, or for your personal information to be deleted. For instance, we may not be in a position to erase your personal information, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.

Note 2: In addition, the right to data portability only applies in certain circumstances such as where the processing relies on consent. When Nest Insight processes your personal information in order to comply with its legal obligations, the right to data portability will not apply.

Note 3: If you do decide to withdraw your consent we will stop processing your personal information for that purpose going forward, unless there is another lawful basis we rely on – in which case, we will let you know. Please note if your personal information is anonymised, Data Protection legislation including the rights set out above will no longer apply. If you withdraw your consent, please note that data that has been processed before the date of withdrawal will still have been legally processed and will be unaffected by the withdrawal.

If you withdraw yourself from our research, your data in relation to the research will be deleted, as soon as reasonably practical, usually within one week. Please note this may affect your eligibility for any prize draws or any compensation offered to take part in the research.

To make a request under these rights you can email us at: insight@nestcorporation.org.uk

Use of cookies and website analytics purposes

If you use our website and want more information about cookies we use, or if you’d like to change your cookie settings, please go to our Cookie policy page.

We use website analytics providers in order to provide valuable information and insight into the performance and use of our website. We also share information about your use of our site with those web analytics providers. You’ll find more information in our Cookie policy. From this page, you will also be able to manage your preferences and be able to opt-in or out from cookies that are not essential to the operation of the website.

We may also share your personal information with any other third-party where you have given your consent.

Changes to this policy

We may change our privacy policy from time to time. If, or when any material changes are made, we will let you know about them on our website. We encourage you to check our website for updates on a regular basis. This version was last updated in May 2024.

Queries and further information

For queries about how your personal information is used or to make a complaint: contact our data protection officer at dataprotectionofficer@nestcorporation.org.uk

The information provided in this privacy policy is in addition to any other privacy information we may give you on our website or via other channels (including paper communication, secure message, e-mail, telephone etc.).

If you want to contact us, you can contact us by emailing:

  • For marketing and general queries: insight@nestcorporation.org.uk
  • If you have a question about any aspect of our research or prize draws that you’ve been invited to take part in: insightresearch@nestcorporation.org.uk. They will do their best to answer your query and should acknowledge your concern within 10 working days and give you an indication of how they intend to deal with it.
  • If you remain unhappy or wish to make a formal complaint: please contact Will Sandbrook, the Managing Director of Nest Insight at sandbrook@nestcorporation.org.uk.

If you have concerns about the way we handle your personal data and you think we haven’t dealt with them properly, you can contact the Information Commissioner’s Office (ICO) or raise a complaint:

  • by phone on +44 303 123 1113
  • by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
  • via their website at: ico.org.uk/concerns