Skip-to-content

Third Party Privacy Notice

GDPR – list of subprocessors

Last Modified: 02 May 2019

Lane Clark & Peacock LLP (“LCP”) uses certain subprocessors in the general running of its business and to assist it in providing its services to its clients. A subprocessor is a third party service provider or data processor engaged by LCP, who has or potentially will have access to or process personal data. LCP engages different types of subprocessors to perform various functions as explained in the table below.

Contractual safeguards

LCP requires its subprocessors to enter into agreements that satisfy the requirements of Article 28 of the General Data Protection Regulation, including but not limited to obligations to:

  • process personal data in accordance with LCP’s documented instructions;
  • ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • not engage a subprocessor without prior specific or general written authorisation of LCP and when engaging a subprocessor, impose the same data protection obligations as are in place between itself and LCP;
  • provide regular training in security and data protection to personnel to whom they grant access to personal data;
  • implement and maintain appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal data;
  • promptly inform LCP about any actual or potential security breach; and
  • cooperate with LCP in order to deal with requests from LCP’s clients, data subjects or data protection authorities, as applicable.

Subprocessors

The following is an up-to-date list (as at the date at the top of this page) of the names of LCP’s key subprocessors and the purposes for which they process personal data, as well as which clients these are potentially applicable to.

Entity Name Purpose Clients

Box-It UK Ltd

Box-It provide paper archiving services to LCP.  Box-It personnel  are not authorised to view any materials in boxes in storage. They are certified with ISO 27001.

All clients

BPR Group Europe Ltd

BPR Group is LCP’s confidential paper shredding service provider for its office in London. Staff carry out all shredding on-site at LCP’s London office.

All clients

Crown Agents Limited

Crown Agents provide LCP with electronic pension payment services, in local currency, to pensioners located outside the UK. Their cyber security strategy is aligned with ISO 27001 and they are a member of the Cybersecurity Information Sharing Partnership (CISP) of the UK National Cybersecurity Network (NCSC).

Pensions Administration clients

Daisy Communications Limited

LCP uses Daisy, an ISO 27001 certified third party, to provide off-site data centre services. The data centre staff have physical access to LCP servers to provide on-going hardware support services but do not have network level access to these systems.

All clients

Data Protect UK Limited

Data Protect provide off-site backup media storage services to LCP. All backup media sent to Data Protect is encrypted.

All clients

Eserve.IT Limited

Eserve.IT are used for the destruction of all data hardware that is disposed of (eg disk arrays, servers, PCs, laptops, backup tapes). Data is destroyed either by physical destruction (ie hard disk shredding) or erased using specialist software. The disposal of IT equipment follows the requirements of the EU Waste Electrical and Electronic Equipment (WEEE) Directive. Certificates of media destruction are provided to LCP.

All clients

eShare Ltd

eShare are an ISO 27001 certified software company, who provide online trustee meeting packs, known as ‘BoardPacks’, software to LCP. All eShare equipment uses encrypted disks.

Trustee clients that use our Logs service

Kentec Mail & Courier Service Ltd

Kentec provide off-site printing services to LCP. The client’s prior approval is sought before LCP sends personal data to Kentec. Only Kentec staff who require access to their system are allocated user log on details. Folders containing personal / restricted data are password protected and are not available to members of staff who are not authorised to access such files.

Any client with prior approval

Mailjet SAS

Mailjet provides email delivery services for LCP Horizon. Mailjet is ISO 27001 certified and all data exchanged is encrypted.

Clients using the LCP Horizon service

Microsoft

Microsoft provides LCP with cloud services. Their compliance offerings in respect of

information security are numerous and can be found here https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings

All clients

NetDocuments Ltd

NetDocuments is a document and email management platform providing LCP with email management software.

All clients

CORVID PayGate Limited

PayGate provide LCP with electronic pension payment services to pensioners located within the UK. All transactions processed via any of their secure payment web services are encrypted using the latest SSL encryption. This encrypts all data sent from the browser to PayGate in such a way that only their servers can read it.

Pensions Administration clients

Pureprint Group Limited

Pureprint are an ISO 27001 and Cyber Essentials Plus certified printing company, providing off-site printing services to LCP.  The client’s prior approval is sought before LCP sends personal data to Pureprint.

Any client with prior approval

Rackspace Limited

Rackspace are an ISO 27001 certified web hosting company for LCP created websites and web applications. LCP websites and applications are hosted on LCP dedicated web servers located in the UK.  All personal data hosted at Rackspace is encrypted.

Clients using LCP created websites hosting personal data, which include LCP Horizon, the online transfer value tool, member websites and client modellers.

Shred-It Limited

Shred-It is LCP’s confidential paper shredding service provider for its office in Winchester. All Shred-It employees are screened to BS 7858:2012 which provides comprehensive staff vetting assurances.

All clients

Target Professional Services UK Ltd

Target provide a variety of services to LCP, including member tracing, mortality screening and verification of member data. They are ISO 27001 certified and client data is encrypted with 256-bit AES encryption.

Pensions Administration clients

Zest Technology Ltd

Zest provides LCP with a flexible benefit system which is provided to some clients. They are certified with ISO 27001.

Clients using LCP’s flexible benefit portal.


Software providers, network providers and consultancies

LCP also uses a number of software providers, network providers and consultancy firms that, in instances where support is provided, may be able to access LCP’s systems and incidentally see personal data.