Deloitte ARA Privacy Statement
Last revised: 30 May 2018
This Privacy Statement explains what personal information we may gather about you when we provide our clients with services and how this personal information may be used and shared. This Privacy Statement also sets out your rights in relation to your personal information and tells you who you can contact if you have questions.
This Privacy Statement is divided into the sections listed below:
- Who does this Privacy Statement apply to and what does it cover?
- What personal information do we collect?
- How do we collect personal information?
- Disclosing personal information relating to third parties
- How do we use your personal information?
- On what legal basis do we process personal information about you?
- To whom will we disclose your personal information?
- How do we keep your personal information secure?
- How long will we keep your personal information?
- What are your rights?
- Changes to this Privacy Statement
- Contact us
Who does this Privacy Statement apply to and what does it cover?
This Privacy Statement applies to Deloitte’s Actuarial, Rewards and Analytics practice (ARA), carried on by Deloitte MCS Limited and Deloitte Total Reward and Benefits Limited (DTRB) entities within the Deloitte Network (also referred to as “Deloitte”, “we”, “us”, and “our”). As used in this Privacy Statement, the “Deloitte Network” refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms and associated entities, each of which is a legally separate and independent entity. Please see deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
This Privacy Statement applies where Deloitte’s ARA practitioners are providing services including actuarial and other services in Deloitte MCS Limited and pensions, investment, employee benefits and reward advisory services in DTRB. When Deloitte carries out these services, we are acting as a Data Controller and this Privacy Statement sets out how we will process your personal information when providing services to our client.
Your personal information will be protected and handled with utmost consideration for its confidentiality and your privacy, and Deloitte will only disclose it to those who need to know in order to appropriately provide the services to our client.
This Privacy Statement contains additional details about when we may share your personal information with other members of the Deloitte Network and other third parties (for example, our service providers).
In this Privacy Statement, we refer to handling, collecting, protecting, analysing, calculating, storing and other professional services in connection with your personal information as "processing".
What personal information do we collect?
Deloitte may collect personal information relating to you such as:
- contact details;
- date of birth;
- Government identifiers (such as national insurance number); or
- financial information.
Deloitte may also need to process personal information about you that may be considered sensitive or a special category (for example about your health or ethnic origin) that we require to be able to provide the services to our client or that may become apparent to us based on the personal information that we receive.
How do we collect personal information?
Deloitte may collect personal information about you in different ways, for example:
- you may provide it directly to us;
- we may obtain it because of the services that Deloitte provides or has previously provided to our client;
- we may receive it from other members of the Deloitte Network or from third parties, such as your employer, relevant health professionals and/or other relevant authority/administrative bodies; or
- we may have observed or inferred it from the information you provide to us and the way you interact with us.
This personal information can be received in any manner, including in-person discussions, telephone conversations, and electronic or other written communications.
Without access to all the personal information that we need we may be unable to provide or complete the services to our client.
Where another person (our client, a company, trustee or partnership or any third parties acting on your or their behalf) provides your personal information to us, they must also comply with their obligations under the relevant privacy laws and regulations. Should you feel that the entity for whom you work or a third party has not provided you with proper details about the personal information that they hold about you or has not obtained any necessary consent for us to process that personal information as described in this Privacy Statement then please contact them directly.
Disclosing personal information to us relating to third parties
If any personal information which you provide to us relates to any third party, for example a spouse or civil partner, individuals (including children) who depend on you financially, or a joint account holder or beneficiary or where you are a trustee of a trust, then by providing us with their personal information you confirm that you have obtained any necessary permissions from those persons to the reasonable use of their personal information in the way set out in this Privacy Statement, or you are otherwise permitted to give us this personal information. You should share a copy of this Privacy Statement with those other individuals when disclosing any personal information about them to us.
How do we use your personal information?
Deloitte collects personal information about you to:
- provide services to our client; or
- produce aggregate insights that do not identify you.
We may also use your personal information for the purposes of, or in connection with:
- compliance with applicable legal, regulatory or professional requirements;
- requests and communications from competent authorities; or
- protecting our rights and/or property.
On what legal basis do we process personal information about you?
As set out above, in ARA we process personal information when providing services including actuarial and other services (in Deloitte MCS Limited) and pensions, investment, employee benefits and reward advisory services (in DTRB).
We are required by law to set out in this Privacy Statement the legal grounds upon which we rely in order to process your personal information.
We may use your personal information for the purposes outlined above because:
(a) we have a legitimate interest in processing your personal information, which may be to:
- provide services to our client;
- ensure that our client engagements are well-managed;
- evaluate, develop or improve our services or products; or
- protect our business interests.
or (b) we are subject to legal or regulatory obligations, such as providing information to a public body or law enforcement agency.
We will not process sensitive or special category data without your explicit consent unless permitted by law.
To whom will we disclose your personal information?
In connection with one or more of the purposes outlined in the “How do we use information about you?” section above, we may disclose your personal information to:
- other members of the Deloitte Network;
- those with whom you have requested us to share information, such as your spouse or civil partner;
- our client (in the context of performing our obligations under the relevant client engagement);
- competent authorities, including courts and authorities regulating us or another member of the Deloitte Network, in each case to comply with legal or regulatory obligations or requests;
- service providers handling your information on our behalf; in each case, such service providers will be contractually bound by confidentiality and privacy obligations consistent with the obligations in this Privacy Statement; or
- third parties to whom we disclose information in the course of providing services to our client.
Subject to the terms of our client engagement letters, please note that some of the recipients of your personal information referred to above may be based in countries or regions without data protection rules similar to those in effect in your area of residence. In such cases, adequate safeguards will be in place to protect your personal information. Such adequate safeguards might include a data transfer agreement with the recipient based on standard contractual clauses approved by the European Commission for transfers of personal information to those countries.
For further details about the transfers described above and the adequate safeguards used by Deloitte with respect to such transfers, please contact us using the details below.
How do we keep your information secure?
We have in place reasonable commercial standards of technology and operational security to protect your personal information from loss, misuse and unauthorised access, disclosure, alteration or destruction. Only authorised personnel, with appropriate awareness of relevant privacy and security obligations, are provided access to personal information.
How long will we keep your information?
We retain personal information as long as is necessary to fulfil the purposes identified in the “How do we use information about you?” section above or as otherwise necessary to comply with applicable laws, professional standards, or as long as the period in which litigation or investigations might arise in respect of our services to you or our client.
What are your rights?
You have various rights in relation to your personal information. In particular, you have a right to:
- obtain confirmation that we are processing your personal information and request a copy of the personal information we hold about you;
- ask that we update the personal information we hold about you, or correct such information that you think is inaccurate or incomplete;
- ask that we delete personal information that we hold about you, or restrict the way in which we use your personal information;
- withdraw consent to our processing of your personal information (to the extent our processing is reliant on your consent); and
- object to our processing of your personal information.
Any request for access to or a copy of your personal information must be in writing and we will endeavour to respond within a reasonable period and in any event within the period required by applicable data protection legislation. We will comply with our legal obligations as regards your rights as a data subject.
Where our processing of special category personal information is reliant on your consent and you withdraw that consent, we will cease processing the relevant information for the purposes of providing our services and the effect may be that we are no longer able to provide the services. However, we may still retain a copy of the relevant information for as long as necessary to comply with applicable laws or professional standards, or as long as the period in which litigation or investigations might arise in respect of our services.
Changes to this Privacy Statement
We may modify or amend this Privacy Statement from time to time at our discretion. When we make changes to this Statement, we will amend the revision date at the top of this page and the modified or amended privacy statement shall apply to you and your personal information as of that revision date. We encourage you to review this Privacy Statement on our website periodically to be informed about how we are protecting your personal information.
Contact us
If you wish to exercise any of the rights relating to your information set out above, or if you have any questions or comments about privacy issues, or you wish to raise a complaint about how we are using your information, you can contact us in the following ways:
- write to Data Protection Officer, Deloitte LLP at 2 New Street Square, London EC4A 3BZ; or
- send an email to DPO@deloitte.co.uk.
If you have any concerns about our use of your information, you also have the right to make a complaint to the Information Commissioner's Office, which regulates and supervises the use of personal data in the UK, via their helpline on 0303 123 1113. If you are not based in the UK, you have a right to complain to the EU Data Protection Authority (“DPA”) in your jurisdiction. If you would like to be directed to the appropriate DPA, please contact us.