GDPR – list of subprocessors
Third Party Privacy Notice
Last Modified: 22 September 2020
Lane Clark & Peacock LLP (“LCP”) uses certain subprocessors in the general running of its business and to assist it in providing its services to its clients. A subprocessor is a third-party service provider or data processor engaged by LCP that has, or potentially will have, access to personal data, or that processes or potentially will process personal data. LCP engages different types of subprocessors to perform various functions, as explained in the table below.
Contractual safeguards
LCP requires its subprocessors to enter into agreements that satisfy the requirements of Article 28 of the General Data Protection Regulation, including but not limited to obligations to:
- process personal data in accordance with LCP’s documented instructions;
- ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- not engage a subprocessor without the prior specific or general written authorisation of LCP and, when engaging a subprocessor, impose the same data protection obligations as are in place between itself and LCP;
- provide regular training in security and data protection to personnel to whom they grant access to personal data;
- implement and maintain appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal data;
- promptly inform LCP about any actual or potential security breach; and
- cooperate with LCP in order to deal with requests from LCP’s clients, data subjects or data protection authorities, as applicable.
Subprocessors
The following is an up-to-date list (as at the date at the top of this page) of the names of LCP’s key subprocessors and the purposes for which they process personal data, as well as which clients these are potentially applicable to.
Entity Name | Purpose | Clients |
Box-It UK Ltd | Box-It provide paper archiving services to LCP. Box-It personnel are not authorised to view any materials in boxes in storage. They are certified with ISO 27001. | All clients |
BPR Group Europe Ltd | BPR Group is LCP’s confidential paper shredding service provider for its office in London. Staff carry out all shredding on-site at LCP’s London office. | All clients |
Civica Election Services Limited | Civica provides electoral voting services to LCP. Whilst LCP maintains the contractual relationship with Civica, personal data is, where possible, sent directly from our clients’ pensions administrators and / or the sponsoring employer to Civica. Civica is certified to ISO 27001. | Clients utilising LCP’s outsourced pensions management services in relation to trustee election exercises. |
Crown Agents Limited | Crown Agents provide LCP with electronic pension payment services, in local currency, to pensioners located outside the UK. Their cyber security strategy is aligned with ISO 27001 and they are a member of the Cybersecurity Information Sharing Partnership (CISP) of the UK National Cybersecurity Network (NCSC). | Pensions Administration clients |
Daisy Communications Limited | LCP uses Daisy, an ISO 27001 certified third party, to provide off-site data centre services. The data centre staff have physical access to LCP servers to provide on-going hardware support services but do not have network level access to these systems. | All clients |
Datasite UK Ltd | Datasite provide LCP and our de-risking clients with a secure online data room for our longevity de-risking projects. All data uploaded to the data room is hosted within the EEA and both Datasite and its data rooms are certified to ISO 27001:2013. | De-risking clients |
Data Protect UK Limited | Data Protect provide off-site backup media storage services to LCP. All backup media sent to Data Protect is encrypted. | All clients |
Eserve.IT Limited | Eserve.IT are used for the destruction of all data hardware that is disposed of (eg disk arrays, servers, PCs, laptops, backup tapes). Data is destroyed either by physical destruction (ie hard disk shredding) or erased using specialist software. The disposal of IT equipment follows the requirements of the EU Waste Electrical and Electronic Equipment (WEEE) Directive. Certificates of media destruction are provided to LCP. | All clients |
eShare Ltd | eShare are an ISO 27001 certified software company, who provide LCP with software for online trustee meeting packs, known as ‘BoardPacks’. All eShare equipment uses encrypted disks. | Trustee clients that use our Logs service |
Kentec Mail & Courier Service Ltd | Kentec provide off-site printing services to LCP. The client’s prior approval is sought before LCP sends personal data to Kentec. Only Kentec staff who require access to their system are allocated user log on details. Folders containing personal / restricted data are password protected and are not available to members of staff who are not authorised to access such files. | Any client with prior approval |
Mailjet SAS | Mailjet provides email delivery services for LCP Horizon. Mailjet is ISO 27001 certified and all data exchanged is encrypted. | Clients using the LCP Horizon service |
Microsoft | Microsoft provides LCP with cloud services. Their compliance offerings in respect of information security are numerous and can be found here: https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings | All clients |
NetDocuments Ltd | NetDocuments is a document and email management platform providing LCP with email management software. | All clients |
CORVID PayGate Limited | PayGate provide LCP with electronic pension payment services to pensioners located within the UK. All transactions processed via any of their secure payment web services are encrypted using the latest SSL encryption. This encrypts all data sent from the browser to PayGate in such a way that only their servers can read it. | Pensions Administration clients |
Pureprint Group Limited | Pureprint are an ISO 27001 and Cyber Essentials Plus certified printing company, providing off-site printing services to LCP. The client’s prior approval is sought before LCP sends personal data to Pureprint. | Any client with prior approval |
Rackspace Limited | Rackspace are an ISO 27001 certified web hosting company for LCP created websites and web applications. LCP websites and applications are hosted on LCP dedicated web servers located in the UK. All personal data hosted at Rackspace is encrypted. | Clients using LCP created websites hosting personal data, which include LCP Horizon, the online transfer value tool, member websites and client modellers. |
Shred-It Limited | Shred-It is LCP’s confidential paper shredding service provider for its office in Winchester. All Shred-It employees are screened to BS 7858:2012 which provides comprehensive staff vetting assurances. | All clients |
Target Professional Services UK Ltd | Target provide a variety of services to LCP, including member tracing, mortality screening and verification of member data. They are ISO 27001 certified and client data is encrypted with 256-bit AES encryption. | Pensions Administration clients |
Zest Technology Ltd | Zest provides LCP with a flexible benefit system which is provided to some clients. They are certified with ISO 27001. | Clients using LCP’s flexible benefit portal. |
Software providers, network providers and consultancies
LCP also uses a number of software providers, network providers and consultancy firms that, in instances where support is provided, may be able to access LCP’s systems and incidentally see personal data.