Privacy Notice - Employees

This notice is for employees, or prospective employees, of Railpen and provides information about how we ensure employee data is protected and handled at Railpen.

Jump to:

Data controllership

Who are we

We are the Railways Pension Trustee Company Limited, RAILPEN Limited, RAILPEN Investments Limited (each with its registered address at 100 Liverpool Street, London EC2M 2AT) and each is registered with the Information Commissioner’s Office (ICO) as a separate "data controller" in respect of personal information handled for the Railways Pension Scheme.  We are also a data processor for personal information handled on behalf of our clients in pension schemes such as but not limited to Zurich, Thressenkrupp and Scheinder.


This privacy notice is intended to give you a clear picture of how we handle and protect your personal information. It describes what we collect about you, why, how it is handled, with whom we share it, and where and how long we handle it before it is securely destroyed.

It is important that you read this notice, together with any other privacy notices we may provide on specific occasions when we are handling personal information about you, so that you are aware of how and why we are using such information.


Whose personal information we handle

We handle and protect personal information relating to:

  • current and former employees, temporary workers and contractors
  • candidates seeking employment with Railpen


Why we use personal information

For data protection purposes we justify the handling of any personal information we receive based on:

  • our contractual commitment with you - handling your personal information so that we can provide the services and benefits we set out in our contract with you or the contract you hope to receive after applying for a role with us.
  • our legitimate interests - handling your personal information for ours or a third party’s legitimate business interests provided they do not override your rights or freedoms.
  • your consent – from time to time we will obtain your valid consent to handle your personal information if there is no other appropriate data protection legal basis.

Below are the purposes we have identified to handle and protect your personal information.

Reasons for handling your personal information


Manage change

  • Support you with changes to business processes
  • Provide you with advice on suppliers you manage

Undertake audits and monitoring review activities

  • Hold you accountable for actions following audits and monitoring reviews

Record personal investment & holdings

  • Record whether you or your relatives do not have any conflicts of interest given we are financial firm

Manage risks

  • Hold you accountable for any risks you own and manage
  • Support and hold you accountable for risk event management

Monitor and assess policy adherence

  • Record calls for those in scope of the Market Abuse Act
  • Monitor and assess if you adhere to IT Security policies

Approve SMCR persons

  • Record and review that senior managers are fit and proper persons to run a financial firm

Provide references

  • Provide you with references when moving on from the firm

Recruit employees

  • Assess your application form, CV and other particulars  and interview you for advertised roles

On-board employees  

  • Enrol candidates to become employees of Railpen by undertaking background checks, collect bank details for salary payments, and provide employee benefits

Undertake performance reviews

  • Carry out regular appraisals to discuss you performance at work

Manage job change

  • Manage changes your role e.g.  if you change roles, go on secondments, need to upgrade your contractual terms

Manage exits

  • Support you leaving the firm due to change of jobs, retirement, redundancy and so on

Take disciplinary action

  • Hold you accountable and discipline you if you have not adhered to the firm’s code of conduct or other policies

Support learning & development

  • Support you with you learning and development needs to carry out your role compliantly and competently.

Respond to third party information requests

  • Provide responses to third parties' requests for information about you e.g. mortgages. references and so on.

Manage wellness & provide occupational health

  • Assess and support your health and wellbeing whilst at work

Provide rewards

  • Pay, support and advise on your remuneration, recognise your contribution to the workforce and consider your benefits. 

Publish internal communications

  • Tell you about articles, blogs, vlogs, briefings and so on published on the intranet or via Railpen's YouTube Channel

Send all broadcast emails

  • Send you emails to keep you updated on key changes and activities at Railpen

Manage live events

  • Record sessions you might be part of such as lunch and learns and town halls

Set up accounts with external supplier provided systems

  • Set you up on external supplier systems so you can access them to fulfil your role

Respond to queries

  • Record how you have dealt with queries relating to management of our investments

Onboard new investments

  • Record how you have gathered documentation or created a report for Railpen on an investment manager and their risks

Monitor investments

  • Record how you monitor third party investments/investment managers

Manage IT support

  • Log requests to provide you with or fix IT equipment or IT software  

Review user access

  • Review your user access so that you can access appropriate only information and records

Bringing into Service

  • Identify any new service you might require – usually through project initiatives

Manage suppliers

  • Record how you manage suppliers e.g. their SLA's, performance and change & problem management.

Manage our Security Operations Centre

  • Monitor the IT software and equipment you use to detect or prevent intrusion or malicious activity on our IT network 

Pay employees

  • Pay your salary, benefits and rewards

Reimburse expenses

  • Reimburse your expenses claimed

Manage travel and accommodation

  • Facilitate travel and accommodation bookings you make

Report and record incidents

  • Manage IT security and data protection incidents and breaches you report

Investigate cases of fraud

  • Investigate suspected attempts of fraud made by you to deceive the firm for your own profit.

Investigate allegations made by whistleblowers

  • Record and investigate allegations or concerns made to our whistleblowing helpline

What personal information we handle

In order to handle your personal information for the above reasons we may collect and use the following types of personal information about you and, in some circumstances, your spouse, civil partner, partner or dependants:


Personal details Financial Details Details about others Employment history

Postal address
Email address
Telephone number
Background checks i.e. criminal history, appearances in the media e.g. newspaper articles
Photo ID (Passport / Driving License) Passport No
Video recordings
Annual leave records
Emails Internet protocol (IP) address

  • Bank account details
  • Payroll records
  • Tax status
  • Salary
  • Pension
  • Benefits and rewards
  • Credit history
  • Financial sanctions received
  • Financial holdings
  • Marital status and dependants
  • Next of kin and emergency contact information
  • Start and end dates
  • Workplace location
  • Recruitment information e.g. copies of your right to work, references and other information such as in a CV, cover letter or application
  • Employment records e.g. job titles, work history, working hours, training records and professional memberships
  • Performance information
  • Disciplinary and grievance records
  • Whistleblowing disclosures
  • Conduct Records and outcome details

What special category and sensitive personal information we handle

We may also handle the following "special categories" or more sensitive personal information:

  • Trade union membership
  • Information about your health, including any medical conditions, health and sickness records.
  • Information about criminal convictions and offences
  • Your ethnicity/race
  • Your sexuality and gender identification, including reassignment
  • Your religious beliefs

Below are the purposes we have identified to handle and protect your special category or personal sensitive information.

Reasons for handling your special category or sensitive personal information


Employment law


  • Record and support your leaves of absence, which may include sickness absence or family related leaves, physical or mental health issues, disabilities and workplace health and safety such as your fitness to work and appropriate workplace adjustments.
  • Provide you with benefits as agreed in your contract with us
  • Pay you trade union premiums
  • Perform  background checks on you for recruitment purposes or in connection with Financial Conduct Authority requirements
  • Undertake audits and investigations into alleged wrongdoing

Substantial public interests

  • Support with recruitment and support of an inclusive and diverse workforce
  • Approve SMCR persons

Vital interests

  • Protect yours or someone else’s vital interests – usually by making a disclosure to a third party to support you or a third party with whom you have some involvement

Explicit consent

  • Obtain your explicit consent to handle your personal information where no other appropriate lawful basis under data protection law exists. We do not need your consent if we use special categories of your personal information to carry out our legal obligations or to exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to handle certain special category or sensitive personal information. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.


Where we get your personal information from

We collect personal information about applicants, employees, workers and contractors through the application and recruitment process, either directly from you, a referee or a recruitment or employment agency. 
We also engage a number of suppliers to carry out financial and criminal screening and health checks to ensure that you are suitable to the role and that we are able to appropriately support you to carry out the job you are hired to do.

We may collect additional personal information in the course of job-related activities throughout the period of you working for us. For example, your performance conversations, appraisals, annual leave and sickness absence records.


With whom we share your personal information

From time to time, we may need to share your information with other parties. Where this is necessary, we are required to comply with all relevant data protection legislation. The types of third parties we may need to share some of your performance information with include:

Law enforcement, judicial and local authorities

Suppliers to Railpen

Where appropriate, we will share your personal information with third parties such as law enforcement agencies, courts and regulators.  This is usually when we are required by law to disclose your details.


In some instances Railpen outsources the collecting, storing, handling or destruction of your personal information for example, to support employee training, perform background checks, administer certain staff benefits, for example Occupational Health or Private Medical Insurance Providers, or to undertake competence testing, provide rewards and compensation, seek consultancy advice, help with business continuity and organise travel and accommodation.

Sharing your personal information overseas

Our core systems, records management, and administration services relating to our employees and candidates are all carried out and stored within the UK.

Where it is necessary to transfer your personal information outside the UK we will ensure that the correct safeguard is used so that the data is protected to an equivalent extent as it would be if it remained in the UK.  This is usually by transferring to a country that is approved as having essentially equivalent data protections under the UK Adequacy Regulations.  However, from time to time it might be necessary to do a Transfer Risk Assessment, and where appropriate, the receiving party putting in place an International Data Transfer Agreement designed by the ICO or the EU Commission’s Standard contractual clauses and the UK’s approved addendum to recognise it into UK law.


How we keep your personal information secure

We are committed to protecting your personal information from loss, misuse, disclosure, alteration, unauthorised access and destruction. We take all reasonable precautions to safeguard the confidentiality of personal information.

Although we make every effort to protect your personal information the transmission of information over the internet is not completely secure. As such, you acknowledge that we cannot guarantee the security of personal information transmitted to us over the internet, and that any such transmission is at your own risk.

Once we have received your personal information, we will use strict procedures and security features to prevent unauthorised access (and take steps to ensure that any third parties with whom we share your personal data do the same).

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.


How long we keep your personal information

We will only retain your personal information for as long as necessary.  Necessity will be based on our legal obligations, regulatory guidance and industry good practice.  We have documented how long we keep records containing personal information and why in polices and standards on retention and destruction.

In some circumstances, we may anonymise your personal information instead of destroying it so that it can no longer be associated with you but were anonymised information can be used to add value to our products and services.

Rights and our obligations

Your rights

You will have a number of rights under data protection law. These include the right to:

  • receive a copy of the personal data we hold about you
  • request personal data to be amended if it is inaccurate or incomplete
  • request the deletion or removal of personal data where there is no compelling reason for its continued use
  • block or restrict the processing of your personal data
  • object to the processing of your personal data

There is also a right for your to receive your personal information (in a structured, commonly used and machine-readable format) and to transfer it  to another service provider or data controller. This right applies where your personal information is being handled on the basis of your consent or in line with a contract to which you are party. In order to exercise any of the above rights please write to the Data Protection Officer (DPO).

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

We may also not be able to support you if you do not provide us with up to date personal information.  Therefore, please do keep us updated of any changes in your personal circumstances.

We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

Your rights to lodge a complaint with the Regulator

At all times, you have the right to report a concern or lodge a complaint with the Information Commissioner’s Office. Please refer to the ICO at or by calling them on 0303 123 1113. Of course, we hope that we can resolve your issue quickly and fairly ourselves.

Our Data Protection Officer

We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO at:

or write to DPO at:

7th Floor,
100 Liverpool St,

Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.