Aon UK Limited provides services and products in relation to your Online Benefits
Services, on behalf of your employer.
We are committed to protecting your privacy. This commitment reflects the value we place on earning and keeping the
trust of our customers, business partners, and others who share their personal information with us.
If you are accessing this Notice from outside of the European Economic Area, kindly go to our privacy center at aon.com and select the respective country
on the right-hand side of the page to get to the local privacy notice which will provide further details.
What does this Privacy Notice do?
This Privacy Notice ("Notice") explains Aon UK Limited's information
processing practices. It applies to any personal information you provide to us and any personal information we
collect from other sources in the provision of Online Benefits Services. This Notice is a statement of our practices
and of your rights regarding your personal information. This is not a contractual document, and it does not create
any rights or obligations on either party, beyond those which already exist under data protection laws.
This Notice does not apply to your use of third party sites linked to this Online Benefits platform (the
“website”).
Who is responsible for your information?
Throughout this Notice, "Aon" refers to Aon UK Limited
including its affiliated companies and subsidiaries (also referred to as "we", "us", or
"our").
We provide Online Benefit Services as a processor on behalf of and in accordance
with the instructions of your employer which is a controller for the purposes of data protection laws. This
means your employer remains primarily responsible for your personal information and we may re-direct a query about
our use of your personal information to your employer. You should refer to your
employer's privacy notice for more information about their practices and your rights
regarding your personal information.
We have expressly indicated throughout this Notice where personal information is collected by us as a controller
(for example, information collected by cookies which we place on the website). For all other types of personal
information collected, your employer is the controller and we are a processor.
When and how do we collect your information?
We collect personal information in the following ways:
- When we perform Online Benefits Services for our clients, such as your employer. We may collect personal
information from you, your employer or its service providers (such as payroll providers);
- When you register with us or use the website, including access to third party sites linked to this website;
- When you provide updated personal information to us or our service providers (e.g., by telephone, webchat or
post).
- If you contact us with a complaint or query.
What information do we collect?
Information provided to us by our clients, your employer and their nominated service providers
- Contact Information: including name, address, postcode, contact details (for example work
email, work mobile number, office location);
- Personal Identification: such as National Insurance Number or national identification number,
payroll number;
- Demographic information: such as date of birth, age, gender, marital status;
- Employment information: such as date of hire, employment status, pay history, tax withholding
information, date of termination;
- Benefits programme participation and cover information: such as benefit elections, pension
entitlement information, beneficiary information, claims information, benefit plan account balances or accrued
benefits, date of retirement and any relevant matters impacting your benefits such as voluntary contributions,
or other adjustments;
- Financial information: such as salary, tax code, third party deductions, bonus payments,
benefits and entitlement data, national insurance contributions details; and
- Sensitive personal information such as medical information or in relation to life, health, or
employee benefits programs sponsored by your employer; and where necessary in relation to ill-health early
retirement and ill-health reviews to determine the benefits paid to you;
Information provided by you through the website and/or our employee contact centre
- Family Information: such as dependent and beneficiary information for participation and
coverage, typically name, relationship, age;
- User Account Information: such as password and personal email address;
- Case Details: such as complaints and queries;
- Travel and Expenses: such as non-medical claim information; and
- Benefits programme participation and cover information such as benefit elections, beneficiary
information, claims information. More information about the personal information collected, together with the
purpose and legal basis for collecting the information is provided below.
If you contact our employee contact centre either via telephone, webchat or email we will record the call and retain
the webchat or email for quality purposes and query handling.
We will not collect any sensitive personal information unless this is required. Sensitive personal information
includes a number of types of data relating to: race or ethnic origin; political opinions; religious or other
similar beliefs; trade union membership; physical or mental health and sexual life.
If you provide us with unsolicited sensitive personal information for example over the phone or via webchat, you
understand and give your explicit consent that we may collect, use and disclose this information to appropriate
third parties for the purposes described in this Notice. If you provide personal information about other individuals
such as dependents, you must obtain their consent prior to your disclosure to us or you may be required to give us
your explicit consent on their behalf.
Information we collect over the website
For purposes of this Notice, "website" includes our mobile applications.
We may ask you for some or all of the following types of information when you register on the website, request
services, manage your account, or access various content and features. We collect and use this information as a
controller in our own right. This information includes, but is not limited to:
- Contact information: such as name, e-mail address, postal address, phone number and mobile
number;
- User Account Information: such as user name, password, password reminder questions and password
answers;
- Communication preferences: such as which newsletters you would like to receive, your views on
things like wellness, finance and retirement preferences and interests; and
- Case Details: such as call recordings for training and quality purposes.
In some instances, we automatically collect certain types of information when you visit our websites and through
e-mails that we may exchange. Automated technologies may include the use of web server logs to collect IP addresses,
"cookies" and web beacons. Further information about our use of cookies can be found in our Cookie Notice.
Mobile Devices
If you access our website on your mobile telephone or any other mobile device, we may also collect your unique
device identifier or mobile device IP address, as well as information about your device's operating system, mobile
carrier and your location information. We may also ask you to consent to providing your mobile phone number (for
example, so that we can send you SMS notifications). We collect and use this information as a controller in our own
right.
How do we use your personal information?
The following is a summary of the purposes for which we use personal information. More information about the
personal information collected for each of our services, together with the purpose and legal basis for collecting
the information will be provided to you below.
- Provision of website: to make the Online Benefits platform available to you, including
providing links to other websites and displaying information from other providers;
- Scheme Management: to help our clients run their benefit arrangements;
- Regulatory Compliance: for meeting on-going regulatory, legal and compliance obligations
including assisting with investigations or prevention of crime, providing you with updated versions of this
Notice (where required);
- Process and service improvement: to maintain and improve processes used in running the scheme
(for example, automated benefit calculation routines), products or services and uses of technology, including
testing and upgrading of systems;
- Anonymisation: we will anonymise personal information (such that it can no longer be
reidentified) in order that it can be used with other data for data analysis, modelling, benchmarking and
research purposes. We may share aggregated and anonymised data with third parties provided that we shall not
publish externally or otherwise disclose any information which might reasonably identify you; and
- Benchmarking, Modelling & Analysis: personal information will (in some instances in
identifiable form, in others anonymous form) be processed for data analysis, modelling, benchmarking, and
research purposes in order to improve understanding of life expectancy and other demographic aspects relevant
for assessing pensions and insured liabilities. We may share limited identifiable data with third party agencies
such as existence tracing providers to support these purposes. We will not otherwise publish externally or
otherwise disclose any information which might reasonably identify you.
If we wish to use your personal information for a purpose which is not compatible with the purpose for which it was
collected, we will request your consent. In all cases, we balance our legal use of your personal information
with your interests, rights, and freedoms in accordance with applicable laws and regulations.
Legal basis
All processing (i.e. use) of your personal information is justified by a "lawful basis" in accordance with
applicable data protection laws.
As a processor we process your information solely in accordance with the contractual obligations agreed
with your employer.
You should refer to your employer’s privacy notices for full details of the legal basis relied upon by your
employer. The types of legal basis which may be relied upon by your employer are as follows:
- Necessary to pursue your employer’s legitimate commercial interests ensuring that the
processing does not infringe the rights and freedoms conferred to you under applicable data privacy law, in
particular for the purposes listed above under (a) (Provision of Website), (d) (Process and Service
Improvement), (e) (Anonymisation) and (f) (Benchmarking, Modelling & Analysis);
- Pursuant to legal or regulatory obligations, including requirements to make any disclosures to
authorities, regulators or government bodies for the purposes listed above under (c) (Regulatory
Compliance);
- Necessary for performance of a contract: where necessary to take steps to fulfil obligations in
accordance with the terms of your pension scheme agreement or employment contract and the website terms of use, in particular for the purposes listed above under (a)
(Provision of Website) and (b) (Scheme Management);
- In limited circumstances, necessary for statistical purposes listed above
(Anonymisation) and (Benchmarking, Modelling & Analysis) to improve understanding of benefit
trends and other demographic aspects. to ensure that any output of statistical analyses will not include
personal information which might reasonably identify you;
- In limited circumstances, processed with your consent, where you are required to provide
sensitive information such as medical details to process a claim, or where your prior consent is required in
order to send you marketing communications. Before collecting and/or using any sensitive personal information,
or criminal record data, a lawful basis will be established which will allow use of that information. This basis
will typically be:
  - your explicit consent;
  - the establishment, exercise or defense by us or third parties of legal claims; or
  - a specific exemption provided for under local laws of EU Member States and other countries implementing
  the GDPR, such as in relation to the processing of personal data for insurance purposes, or for
  determining benefits under an occupational pension scheme.
How long do we retain your personal information?
How long we retain your personal information depends on our instructions from your employer, as the controller. Your
employer's retention practices will, in part, be determined by the purpose for which your personal information was
obtained and its nature. We will keep your personal information for no more than the time required to fulfil the
purposes described in this Notice unless a longer retention period is permitted by law. We have implemented
appropriate measures to ensure your personal information is securely destroyed in a timely and consistent manner
when instructed by your employer.
Our standard retention period is 6 years from when you are notified as a leaver of our scheme by your employer.
In specific circumstances we may store your personal information for longer periods of time where either we or your
employer is under a legal obligation to do so that we have an accurate record of your dealings with us in the event
of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your
personal information or dealings.
Do we disclose your personal information?
We will disclose your personal information in accordance with your employer's instructions and authorisations, which
may include the recipients described below:
- Within Aon: We may share your personal information with other Aon entities, brands, divisions,
and subsidiaries to serve you, including for the activities listed above;
- Your Employer and their service providers such as pension administrators and payroll providers;
- Business Partners: We disclose personal information to business partners who provide certain
specialized services to us, or who co-operate with us on projects. These business partners operate as separate
controllers, and are responsible for their own compliance with data protection laws. You should refer
to their privacy notices for more information about their practices. Examples include:
  - Banking and finance products - credit and fraud reporting agencies, debt collection agencies,
  insurers, reinsurers, and managed fund organizations for financial planning, investment products and
  trustee or custodial services in which you invest; and
  - Insurance broking and insurance products - insurers, reinsurers, other insurance
  intermediaries, insurance reference bureaus, medical service providers, fraud detection agencies, our
  advisers such as loss adjusters, lawyers and accountants and others involved in the claims handling
  process.
- Authorised Service Providers: We may disclose your information to service providers we have
retained (as sub-processor/processors) to perform services on our behalf. These service providers are
contractually restricted from using or disclosing the information except as necessary to perform services on our
behalf or to comply with legal requirements. These activities could include any of the processing activities
that we carry out as described in the above section, ‘How we use your personal information.’
Examples include:
  - Benefit providers who administer services that we provide to your employer;
  - IT service providers who manage our IT and back office systems and telecommunications networks; and
  - contact center providers.

  These third parties appropriately safeguard your personal information, and their activities are limited to the
  purposes for which your personal information was provided.
- Authorised third parties: third parties you have authorised us to share information with such
as nominated beneficiaries or third party sites linked to this website;
- Legal Requirements and Business Transfers: We may disclose personal information (i) if we are
required to do so by law, legal process, statute, rule, regulation, or professional standard, or to respond to a
subpoena, search warrant, or other legal request; (ii) in response to law enforcement authority or other
government official requests; (iii) when we believe disclosure is necessary or appropriate to prevent physical
harm or financial loss; (iv) in connection with an investigation of suspected or actual illegal activity or (v)
in the event that we are subject to a merger or acquisition to the new owner of the business. Disclosure may
also be required for company audits or to investigate a complaint or security threat.
Do we transfer your personal information across geographies?
We operate on a global and worldwide basis and we therefore reserve the right to transfer personal information about
you to other countries including without limitation the United States of America, the United Kingdom, Ireland,
Poland, Singapore and India to be processed for the purposes outlined in the Notice. In particular, we may make such
transfers to offer, administer and manage the services provided to you and improve the efficiency of our business
operations. We shall ensure that such transfers comply with all applicable data privacy laws and regulations and
provide appropriate protection for the rights and freedoms conferred to individuals under such laws.
Where we collect personal information about you in the United Kingdom or the European Economic Area we may transfer
the information to countries outside the UK or EEA for the processing purposes outlined in this Notice. This may
include transfers to countries that the European Commission and UK data protection regulator consider to provide
adequate data privacy safeguards and to some countries that are not subject to an adequacy decision. Aon has an
intra-group data transfer agreement in place which regulates cross-border transfers of your personal information
within the Aon Group and which incorporates the UK and EU standard contractual clauses approved by the European
Commission and UK data protection regulator. Where we transfer personal information to third parties located in
countries that are not subject to an adequacy decision we shall put in place appropriate safeguards, such as the
aforementioned data transfer agreements approved by the European Commission and UK data protection regulator, as
appropriate. Where necessary, we may implement additional technical, organizational or contractual measures to
ensure an adequate level of protection for your personal information.
If you would like further information about whether your information will be disclosed to overseas recipients,
please contact us as noted below. You also have a right to contact us for more information about the safeguards we
have put in place (including a copy of relevant contractual commitments, which may be redacted for reasons of
commercial confidentiality) to ensure the adequate protection of your personal information when this is transferred
as mentioned above.
Do we have security measures in place to protect your information?
The security of your personal information is important to us and, in co-operation with your employer, we have agreed
upon reasonable physical, technical and administrative security standards to protect your personal information. We
protect your personal information against unauthorized access, use or disclosure, using security technologies and
procedures, such as encryption and limited access. Only authorized individuals access your personal information, and
they receive training about the importance of protecting personal information. Our service providers and agents are
contractually bound to maintain the confidentiality of personal information and may not use the information for any
unauthorized purpose.
How can you update your communication preferences?
You can update your communications preferences after you log into your account on the website.
Other rights regarding your data
Subject to certain exemptions, and in some cases dependent upon the processing we are undertaking, you have certain
rights in relation to your personal information.
As a controller your employer remains primarily responsible for your personal information and we may
re-direct a query about our use of your information to them.
Where authorised by your employer to respond on their behalf to a request or query you make, we may ask you for
additional information to confirm your identity and for security purposes, before disclosing the personal
information requested to you.
Subject to your employer's instructions, legal and other permissible considerations, we will make every reasonable
effort to honour your request promptly or inform you if we require further information in order to fulfil your
request.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality
we owe to others or if we are legally entitled to deal with the request in a different way.
Right to Access
You have the right to access personal information which we hold about you. If you have created a profile, you can access
that information by visiting your account.
Right to Rectification
You have a right to request us to correct your personal information where it is inaccurate or out of date.
Right to be Forgotten (Right to Erasure)
You have the right under certain circumstances to have your personal information erased. Your information can only
be erased if your personal information is no longer necessary for the purpose for which it was collected, and we
have no other legal ground for processing the information.
Right to Restrict Processing
You have the right to restrict the processing of your personal information, but only where:
- its accuracy is contested, to allow us to verify its accuracy; or
- the processing is unlawful, but you do not want it erased; or
- it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise
or defend legal claims; or
- you have exercised the right to object, and verification of overriding grounds is pending.
Right to Data Portability
You have the right to data portability, which requires your employer to provide personal information to you or
another controller in a commonly used, machine readable format, but only where the processing of that information is
based on (i) consent; or (ii) the performance of a contract to which you are a party.
Right to Object to Processing
You have the right to object to the processing of your personal information at any time, but only where that processing
has our legitimate interests as its legal basis. If you raise an objection, your employer has an opportunity to
demonstrate that it has compelling legitimate interests which override your rights and freedoms.
Right to Withdraw consent
You have the right to withdraw consent at any time, whenever we have asked for your consent for processing your
personal information without affecting the lawfulness of processing based on consent before its withdrawal.
Right to complain
You have the right to complain to your local data protection authority about our processing of your personal
information.
International Transfers
As noted above, you can ask to obtain a copy of, or reference to, the safeguards under which your personal
information is transferred outside of the European Economic Area.
Complaints
If you wish to make a complaint about the way we use your personal information you should raise this with us by
contacting us in the first instance: [email protected]
However, if you are not satisfied with the way we have handled your complaint you have the right to raise the matter
with your local data protection authority.
Contact Us
If you have any questions about the content of this Notice or the rights conferred to you under the applicable data
privacy laws you should contact the Data Protection Officer via the Global Privacy Office at the following address:
[email protected]
You should also refer to your employer's privacy notice for more information about their practices and your rights
regarding your personal information.
Changes to this Notice
We may update this Notice from time to time. When we do, we will post the current version on this site, and we will
revise the version date located at the bottom of this page. We encourage you to periodically review this Notice so
that you will be aware of our privacy practices.
This Notice was last updated in February 2024.