The NHS Business Services Authority (NHSBSA) and employers with staff in the NHS Pension Scheme are Joint Controllers for pension information. The NHSBSA have responsibility for information received from employers and pension members. Employers are responsible as Controller for the quality and timeliness of the information they provide to the NHSBSA.
We are updating the NHS Pensions member privacy notice to cover GDPR requirements and will communicate this to members as well as working with employers to publicise it. The privacy notice is now available at: www.nhsbsa.nhs.uk/yourinformation
The GDPR provides rights for individuals, such as the right of access. Where an individual's request to exercise one of these rights is received by the NHSBSA, we will respond directly. Employers will need to respond to any individual requests they receive.
If a personal data breach of NHSBSA-held information were to occur, the NHSBSA will take the necessary action. If the NHSBSA become aware that such a breach was caused by the actions or omissions of employer staff, then the NHSBSA will advise the employer Data Protection Officer (DPO). Should such a breach result in compensation claims, the NHSBSA DPO will discuss this with the employer DPO.
Updated Information Governance policies are available now at: https://www.nhsbsa.nhs.uk/our-policies/policies-and-procedures
Further guidance about GDPR is available on NHS Digital’s website.