Pensions and data protection
Pension schemes routinely collect and process data relating to members. The storage and processing of member information is subject to data protection…
The current regime
Pension schemes routinely collect and process a large amount of data relating to members. Much of it is confidential (for example details of a member's earnings and bank account details) and some of it is 'sensitive personal data' in the DPA's defined sense (for example information about a member's health or sexual orientation). The storage and processing of member information is subject to the provisions of data protection law.
The current EU data protection regime is based on the Data Protection Directive, introduced in 1995. In the UK the Data Protection Act 1998 (DPA) currently governs how information about individuals must be handled.
The key requirements of the DPA are that 'data controllers' notify the Information Commissioner of the processing of personal data they carry out (unless an exemption applies); that data controllers comply with the DPA's eight data protection principles; and that data controllers ensure that their 'data processors' do the same. In the pensions sphere trustees and managers (and, for the data they hold, employers) are typically data controllers, and their third party providers such as administrators are typically data processors.
The DPA’s eight key data principles are that personal data must be: (1) fairly and lawfully processed; (2) processed for specified and lawful purposes; (3) adequate, relevant, and not excessive in relation to the purpose for which it is processed; (4) accurate and where necessary kept up to date; (5) not kept for longer than is necessary; (6) processed in line with the rights of the individual; (7) kept secure; and (8) not transferred outside the European Economic Area unless the information is adequately protected.
The Information Commissioner, who ensures compliance with the DPA, has the power to impose fines of up to £500,000 for serious breaches, and certain breaches can also give rise to criminal offences.
The new regime
Technology is rapidly changing the way in which data are shared and accessed. In light of these developments, and of the different approaches that EU member states have taken to implementing the 1995 directive, the EU is introducing an updated and more stringent data protection regime, the General Data Protection Regulation (GDPR), which will be formally adopted this year and will, in all likelihood, become applicable in the UK two years later.
The GDPR will increase the potential penalties further, so employers and trustees of pension schemes should act now to review and update their data handling processes to ensure continued compliance with data protection law.
The GDPR will, amongst other things, strengthen the rights of members in several areas, widen the meaning of personal data, and make major changes to the consent requirements for data processing: where processing relies on a member's consent, that consent must be freely given, specific, informed and unambiguous, and for special categories of data such as health information it must be given explicitly. There will also be increased accountability for data controllers, who will be required to adopt policies and measures demonstrating that information is processed in line with the GDPR.
The GDPR will also strengthen enforcement by significantly increasing the maximum potential fine for breaches of data protection law, to the greater of EUR 20 million or 4% of an organisation's worldwide annual turnover for the most serious breaches.
Trustees and employers should ensure that they are compliant with the current regime. If neglected, any existing weaknesses will present even greater compliance concerns under the new regime. Trustees and employers should also start planning their compliance with the more stringent new regime effective from 2018. To achieve this, trustees and employers should act now to:
- Review the way in which data are processed to ensure that appropriate security standards are in place. Consideration should be given to encrypting data (both where they are stored and when they are transmitted to third parties) and to access controls so that only authorised people can access data, with access reviewed as staff and providers change. Trustees should also note that if they form part of a 'relevant filing system', minutes of trustee meetings, expression of wish forms and employer communications could all come within the ambit of the DPA, and members could potentially have a right to access such documents through a subject access request.
- Review security breach policies to ensure that adequate procedures are in place to follow if a data breach occurs, including who is to be notified and how quickly. The GDPR will require notifiable personal data breaches to be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of them, so incident response arrangements (including those of third party administrators) need to support that timescale.
- Tell scheme members why personal data are being collected and what is being done with them. Particular care should be taken in the handling of sensitive personal data, such as data about health or race: explicit consent (or another of the DPA's specific conditions for processing sensitive data) will usually be needed when such data are collected. Procedures for dealing with requests from members for access to their personal data should also be reviewed.
- Review all member forms and notices to ensure that they are up to date, provide sufficient information to members, and reflect how information is being processed both now and how it might be processed in the future. This is particularly important if information is being passed to any third parties. Also note that trustees do not have an automatic right to receive personal data from employers (and vice versa), and organisations should always check what information they are entitled to receive and what they can pass on.
- Trustees and employers may be held liable if a third party processing data on their behalf fails to comply with the data protection principles, and the DPA already requires the relationship with a data processor to be governed by a written contract. Contracts and arrangements with all service providers should therefore be reviewed to ensure that they specify that data are to be kept secure and processed only on the controller's instructions, that providers will not take any action which would cause the trustees to breach their data protection obligations, and that appropriate indemnities and insurance cover are in place in respect of any liability that may arise. Trustees should then regularly audit and monitor service providers to ensure that they are complying with their data protection obligations.
- Finally, review all existing processes and procedures now so that they can be updated and expanded as necessary to comply with the GDPR before it applies.