The Fund has established a Data Protection Policy which sets out our compliance with the requirements under data protection legislation.

Please view the Policy in the Downloads section.

Protecting our members' data is core to the Fund’s operating model, and we have developed and continue to enhance the Fund’s cyber security assurance programme to ensure we proactively protect our systems and data. The Fund takes steps to build its cyber resilience, which involves our ability to assess and minimise the risk of a cyber incident occurring, but also to recover when an incident takes place. Furthermore, the steps undertaken by the Fund are subject to external assurance through external assessment and benchmarking against evolving industry practice, with outcomes and annual activities reported to the Pension Committee and Pension Board.

Both the Fund and our Employers are considered Data Controllers under data protection legislation, as we both have individual and separate access to information about individuals who are members of the scheme. Following GDPR and the implementation of the Data Protection Act 2018, the Fund utilises a Memorandum of Understanding which sets out the data controller role for each of our two bodies and seeks to provide assurance on our management of data. The Local Government Association (LGA) believe that this Memorandum of Understanding removes the need for a formal data sharing agreement, as it imposes obligations on both parties to comply with the requirements of data protection legislation. A copy of the Fund’s Memorandum of Understanding is available in the Downloads section.

The Fund has also produced an Assurance Statement on its management of data and an ICO checklist for Data Controllers; these can be found in the Downloads section.

Rights of Access

The Fund has a duty to protect the personal data it processes and to inform members about how their data is managed and used by the Fund.

In line with data protection legislation, an individual has a right to request information held about them. A request for information about an individual other than the subject of the information will be rejected except in the following circumstances:

  • parents may request information about a child under 16;
  • a Solicitor/Professional Advisor may request information on behalf of an individual with that individual's approval via a WMPF-specific LOA.

How to make a request

A request may be made by email to or you can request access to your information in writing.

How are requests managed?

Once a request has been received and validated, the Fund will have 30 calendar days in which to respond. In some cases, where there is a large amount of information, the Fund may need to contact you to extend the timeframe for a response. An explanation of the reasons for the required extension will be provided and you will be given the opportunity to reduce or specify the information you are seeking. Once the Fund has collated all the information, it will be provided in the format requested, either by email or by post.

Should you require any further information with regard to Data Protection at the Fund, please email the Fund’s Data Protection Officer at