Site map

Help us make USS better for everyone; join our research community

Privacy notice

This privacy notice explains how the scheme may use your personal data in its operations and the rights you have in relation to your personal data

Universities Superannuation Scheme (the ‘scheme’) is the principal pension scheme for academic and comparable staff in UK universities and other higher education and research institutions. It is a hybrid scheme providing both defined benefit (‘DB’) and defined contribution (‘DC’) pension benefits to its members.

This privacy notice explains how the scheme may use your personal data in its operations (whether you are a member of the scheme, a spouse or other beneficiary of a member of the scheme or otherwise engage with the scheme) and the rights you have in relation to your personal data. For further information on your privacy rights, see Your data subject rights below.

For all members, beneficiaries and other individuals that engage with the scheme, Universities Superannuation Scheme Limited (‘USS’) of the Royal Liver Building, Liverpool, L3 1PY (Company Number 01167127) is the sole corporate trustee (the ‘trustee’) of the scheme and acts as the Data Controller of your personal data. USS is registered with the Information Commissioner’s Office as a data controller under The Data Protection (Charges and Information) Regulations 2018 with registration number Z5491571. USS is also responsible for this website (www.uss.co.uk) (website) and for member only accessible areas of the website (www.uss.co.uk/my-uss) (My USS).

USS Investment Management Limited (USSIM) a company incorporated in England & Wales (Company Number 03380864) and having its registered office at Royal Liver Building, Liverpool, L3 1PY, is a wholly-owned subsidiary of USS. Its principal activity is to provide investment management and advisory services to USS. USSIM is registered with the Information Commissioner’s Office as a data controller under The Data Protection (Charges and Information) Regulations 2018 with registration number ZA318116.

USSIM processes significantly less personal data than USS and only in very limited circumstances does is process personal data of members or beneficiaries of the scheme. The majority of the processing that it will engage in relates to investment transactions and investments it manages on behalf of USS. Where there is a difference in the way in which USSIM collect, process or share personal data, this is set out in the relevant “USSIM” sections below. As USSIM does not operate its own website and only processes personal data as a consequence of its appointment as Investment Manager to USS, we have combined the relevant information for both controllers below.

Within the USS group of Companies, we take our respective obligations under data protection and privacy laws very seriously and have appropriate procedures in place to ensure your information and your rights are protected. If you have any questions concerning our use of your personal data, please contact us at dpo@uss.co.uk.

Table of contents

It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.

Who this notice applies to

Universities Superannuation Scheme Limited

In administering the scheme, USS will collect personal data concerning a variety of people, both members and non-members of the scheme. This privacy notice applies to the following categories of person.

USS Investment Management Limited

In managing investments and undertaking investment transactions on behalf of USS, USSIM will collect personal data concerning a variety, but limited number, of people connected to each prospective and/or actual transaction, ongoing management of the investments and corporate business functions.

Back to top

What personal information do we hold about you?

Personal information or personal data is any information about an individual which can be used to uniquely identify that person. Depending on the nature of your relationship with USS (and/or USSIM), we will collect, store and process the categories of personal data about you listed in the tables below, some of which you may provide to us directly and some of which we may collect from third parties (e.g. your employer).

USS

USSIM

Back to top

How do we use your information?

We primarily use your personal data for the purposes of administering and managing the scheme, its assets and the benefits payable to our members and their beneficiaries. The table below describes the lawful basis upon which we rely to process your personal data, the purpose for our processing and what personal data we will process. For more information on the lawful bases which we rely on to process your personal data, please see the section Lawful basis of collection and processing below.

Below, you can also find further details on some additional kinds of personal data we may process about you (such as special category (or sensitive) personal data, spouse/civil partner data and information on the National Fraud Initiative).

USS

USSIM

Special category personal data

Some of the information we may need to use is considered sensitive or 'special category' personal data such as information concerning your health. We will only use this personal data for limited and specific purposes. For example, any medical information you supply to us either directly or via your employer will be assessed by our independent medical panel for the purposes of evaluating your application for ill health retirement and it may also be used for any assessment of appeals made against our decisions in relation to ill health retirement applications. We will only process this personal data where:

  • we have a legal basis to process this information under employment, social security, or social protection law,
  • where the processing is substantially in the public interest in an occupational pensions’ context,
  • where the processing is necessary for the prevention and detection of fraud,
  • where it is necessary for a legal claim,
  • where it is necessary for member ill health assessments, or
  • where we have obtained your explicit consent (which we will seek at the time we collect the data).

Communication recording

We monitor, record, store and use any telephone, email or other communication with you in order to maintain a record of the instructions given to us by our members or requests we have received from other third parties. We also record and retain communications for crime prevention purposes and to comply with our regulatory obligations and use this information for internal training purposes to improve the quality of our customer service.

Spouse data

USS does not always hold sufficient data on retired members’ spouses/civil partners to enable us to accurately calculate and manage the liabilities of the scheme. To ensure that we have sufficient funds to meet our liabilities to members and their spouses, we collect additional information about spouses/civil partners from third party tracing services. The information we look to collect about spouses/civil partners of our members is as follows: (i) relationship between the spouse/civil partner and the member; (ii) month and year of birth; (iii) gender; and (iv) surname of the spouse/civil partner. We have a legitimate interest in collecting this personal data to better understand and manage the scheme’s liabilities and to ensure that we have adequate funds to meet these of both members of the scheme and to support the trustee to appropriately discharge its duties. Should you or your spouse object to our collection and use of this data, please contact us using the details provided below.

National Fraud Initiative

We participate in the National Fraud Initiative (‘NFI’), which is a data matching exercise carried out by the Cabinet Office. We provide the Cabinet Office with particular sets of personal and financial data about our scheme members to conduct this matching exercise. The categories of personal data for private sector companies that may be shared to carry out the NFI exercise are detailed here. You can view further information on the Cabinet Office's legal powers and the reasons why it matches particular information here.

Back to top

Lawful basis of collection and processing

We take care to ensure that our collection and processing of your personal data is lawful. In the section How we use your information above, we have explained which lawful basis is used by us to collect and process your personal data for the various purposes set out above, the following section explains what these are.

Legitimate interest

Legitimate Interest means the legitimate interest that USS and the trustees we act for have in conducting and managing our business to enable us to give you the best service, to meet our obligations as a trustee of a pension scheme and to give you the best and most secure experience. As explained above, we have a legitimate interest in processing your personal data for:

  • the purposes of administering your pension and any payments or benefits owed to you,
  • communicating with you about the scheme and your entitlements,
  • modelling, profiling, statistical and trend analysis for the purposes of managing the funding and investment strategy of the scheme and ensuring we can meet our liabilities,
  • ongoing management of our relationship with you, and
  • our internal business purposes which include business and disaster recovery, document retention/storage and IT service continuity (e.g. back-ups and helpdesk assistance) to ensure the quality of the services we provide to you.

Where we have a legitimate interest and it is necessary to process and collect your personal data, we will take appropriate steps to ensure that this processing does not prejudice your rights and freedoms as an individual. Where we process personal data based on our legitimate interests (or the legitimate interests of a third party) you have a right to object to this processing where you feel that your privacy rights are unfairly impacted by our processing. For further information on this ‘right to object’ and details on how to exercise it, please see Your privacy rights below.

Legal obligation

Legal obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that USS is subject to. For example, we collect certain information from your employer to meet our obligations set out by the Pensions Regulator to automatically enrol you in the scheme. Additionally, we may also be required by applicable legal obligations to use your personal data in certain ways. For example, we are required to provide information to HMRC about the tax liabilities of our members.

Performance of a contract

Performance of a contract means that the processing we undertake is necessary for the performance of a contract between us and you. For example, the My USS terms and conditions form a contract between us and you when you use My USS we need to process certain personal data such as your username and password in order to provide this service to you.

Special category personal data

We may need to collect and process special category personal data in order to administer your pension benefits and for other limited purposes. Please see the section Special category personal data above for the lawful bases we rely upon when we do so.

Back to top

Who does USS Share your personal data with?

Within the USS group

In limited circumstances, your data may be shared with different entities within the USS group. The sharing of this information is done only in support of the scheme and is not used to directly impact you individually. An example of this would be USS sharing limited amounts of your personal data with one of our investment entities in order to assist with the calculation of future liabilities on the scheme (also known as funding strategy).

Outside of USS

In fulfilling our obligation to run the scheme in an effective manner, we will need to share your personal data with the third parties we work with to administer the scheme. We also receive personal data about you from various third parties as we’ve set out in the table below.

These third parties will include any of your employers (including former employers) who participate in the scheme and our third-party suppliers who we have engaged to assist us with the administration of the scheme or our wider business.

The third parties we work with

We also work with a number of other selected third parties to provide both USS and USSIM with services, including companies that provide us with technical services and support and assistance in respect of our website, companies that provide back-office services and companies that provide hosting services.

Additionally, there may be circumstances where we share your personal data in certain scenarios not otherwise include above. For example:

  • if required to do so by law or where we are asked to do so by a public or regulatory authority such as The Pension Regulator, the Information Commissioners Office, law enforcement agencies or the Department for Work and Pensions;
  • if we need to do so in order to exercise or protect our legal rights, users, systems and services (for example, where your personal data is relevant to legal proceedings); or
  • In response to requests from individuals (or their representatives) seeking to protect their rights or the rights of others. We will only share your personal data in response to requests which do not override your privacy interests.

Back to top

International transfers

Wherever possible we will ensure your data is processed within the United Kingdom (UK) or European Economic Area (EEA). Certain countries outside the EEA have been approved by the European Commission (EC) as providing essentially equivalent protections to EEA data protection laws and therefore no additional safeguards are required to export personal data to these jurisdictions. View the full list of EC approved countries. However, should it be necessary to transfer your personal data outside the EEA to any countries not on the approved EC list, we will ensure appropriate legal protection is in place to protect your data, including but not limited to, binding corporate rules, model contractual clauses, or other legal grounds permitted by applicable legal requirements. If you would like further information on the protection we have in place with our suppliers outside the UK or the EEA, please let us know.

Back to top

Data retention

We will store your personal data for no longer than is necessary for the purposes we collect your data for.

If you are a member (or a nominated beneficiary of a member), we have obligations to retain accurate records of your entitlements under the scheme which can last a considerable time as pension benefits accrue and are paid out over long periods of time. To ensure that we properly discharge our duties to you and your employer, we will retain your personal data from the start of our relationship with you (i.e. when you initially join the scheme as a member or are nominated as a beneficiary by a member) until at least six years after the end of our relationship with you (i.e. once all benefits have been paid to you as a member and any eligible beneficiaries). As a general rule, this means that we will retain core personal information, employment information, pay and banking information, beneficiary information and documentary information for up to 100 years from the start of our relationship so that we can be sure we have discharged our obligations.

If you are a visitor to the website, a visitor to My USS or an individual we communicate with who is not a member, we may hold your personal data for a minimum of six years from the date of your visit or your most recent correspondence with us in order to comply with our legal obligations and to maintain evidence of our relationship (unless you are also a member, in which case the longer retention period described above with apply).

There may also be circumstances in which we need to retain your personal data for longer than the periods set out above. For example, where any legal disputes arise between us or where we are required by law to retain your personal data for longer periods.

Back to top

Your data subject rights

We have set out a summary of your rights in relation to your personal data below. If you would like more details about your rights or to exercise any of these rights, please see the section Contact our Data Protection Officer below.

  • Request access to your information - commonly known as a data subject access request (DSAR). As a data subject you have a right to request details about what personal data of yours USS holds and processes. Upon receipt of a valid SAR we will provide you with a copy of all the personal data we hold about you. In certain circumstances we may obscure or withhold certain information if this is not directly related to you.
  • Request we correct information about you – if the information we hold about you is incorrect, you can request that we make corrections to maintain the accuracy of your personal data. If you are an active member of the scheme you can ask for us to amend your information via your pensions contact at your employer, who will pass this request on to us. Alternatively, the ways in which you can contact us directly can be found on our contact us page.
  • Request we erase information about you – commonly known as the right to be forgotten, you have the right to ask us to delete personal data where there is no good reason for us continuing to process it. You also have the right to ask us to erase personal information where you have exercised your right to object to processing (as detailed below). This right is not absolute, and we may refuse your request in certain circumstances, such as where we are under a legal obligation to retain your information or have another valid reason to continue processing it.
  • Object to processing – where we are relying on a legitimate interest (or the legitimate interest of a third party) to process your personal data, you have the right to object to this processing if you feel that a situation or circumstance particular to you warrants your objection to this processing of your personal data. This is not an absolute right and if we can show compelling legitimate grounds for processing your personal data which override your interests, rights and freedoms, or we need your personal data to establish, exercise or defend legal claims, we can continue to process it.
  • Restrict processing – if you want us to suspend processing your personal data you can request the restriction of processing under certain conditions. We will continue to store this personal data until your request has been confirmed. An example would be if you wanted us to suspend processing your personal data while you establish the accuracy or reason for processing it.
  • Data portability – you have the right to transfer personal data you have provided to us to another party where we are processing this information in order to perform a contract with you or where you have provided your consent for us to do so. We will transfer to you, or a third party upon receipt of valid consent from you, your personal data in a structured, commonly used, machine readable format. We reserve the right to determine the appropriate levels of security required to transmit this personal data to you or your nominated third party.
  • Withdraw consent – There may be certain times where we ask for your clear written consent to process your personal data. Where we do this, you have the right to withdraw this consent at any time.

All requests will be dealt with on an individual basis and the ultimate decision relating to such requests will be made by our Data Protection Officer. We will respond to your request as soon as we can, and by law we have up to one month from the receipt of a valid data subject request to complete the request you have made. If we can show good grounds to request that this time be increased by a maximum of two months, although we will let you know when we need to extend our time to respond and why. We will need to verify your identity as part of the process to protect your privacy and may request identification documents form you, such as a copy of your passport to identify you and a copy of a recent utility bill to verify your address. The one month period for us to respond to your request will only begin after we have verified your identify.

We may refuse to act on (or charge a fee to respond to) any data subject request which is invalid or excessive (e.g. where you have made repeated requests for the same information). If you feel we are not processing your requests in accordance with the law, in the first instance please contact our Data Protection Officer.

Please note that it is important that the personal data we hold about you is accurate and correct. If any of your personal data changes during your time at USS, please keep us informed, so together we can ensure the accuracy of your personal data.

Back to top

Security

We take the security of your personal data very seriously. We have put in place technical and contractual measures to prevent the unauthorised disclosure or use of your personal data. We have implemented organisational measures to keep your personal data secure against the threat of human intervention. These measures include training all of our employees, and providing them with regular reminders of their individual obligations and responsibilities. We are accredited to the international standard of information security, ISO27001:2013. This ensures we internally monitor our compliance with a series of technical and non-technical security controls, and we are periodically audited by an external body who check we are maintaining compliance to the international standard. Although we work hard to protect your personal data, no method of security is entirely secure and transmission of personal data via the internet always presents risks. Please contact us using the details on this website if you have any concerns about the security of your personal data.

Back to top

Our use of cookies and analytics

Our website uses certain analytics services provided by Hotjar Limited (Hotjar) and Google (Google Analytics). Both services are used to evaluate and analyse how users interact with the website and My USS, enabling us to make improvement to the functionality and user experience. The use of both of these services and more information about how we use cookies to ensure the functionality of the website and My USS, and how to disable non-essential cookies, are detailed in our cookies section.

Back to top

Contact our Data Protection Officer

To discuss any part of this privacy notice or if you have a query, you can contact our Data Protection Officer by email dpo@uss.co.uk.

Back to top

Complaints to the Supervisory Authority

You also have the right to complain to a supervisory authority if you believe we are not processing your information in accordance with the law. The supervisory authority for the United Kingdom is the Information Commissioner’s Office (ICO) and their contact details are available on their website ico.org.uk. Please be assured that we take all complaints seriously and if you would like to discuss these in the first instance with our Data Protection Officer, then you can email dpo@uss.co.uk.

Back to top

Updates to this privacy notice

We may update this privacy notice with minor amendments from time to time without notice to you and any revised privacy notice will appear on this page. You should check back frequently for any updates or changes to this notice. USS will take reasonable steps to notify individuals when more substantive changes have been made to this privacy notice such as notifying you via our website or including information about changes in our communications with you.

Back to top

Use this form to request a copy of your personal data held by us.