Data protection and UK pension schemes: Practical issues and future developments, 2016
Allen & Overy LLP, 2016

Data protection is changing

Most pension scheme trustees will be familiar with the basics of data protection, but how do they apply in practice, in a landscape where data risks have changed radically? And what difference will new rules, in the form of the General Data Protection Regulation, make when they come into effect from 25 May 2018? This briefing provides a refresher on the basics of data protection, highlighting practical issues for pension schemes under the current law, as well as signposting key areas where trustees need to start preparing now for future change.

A refresher on the basics

Pension schemes run on personal data that includes everything from a member's name, address and date of birth details to their salary and other financial information. Some of that personal data will be sensitive (for example, information about a member's physical and mental health).

By virtue of their role in handling members' personal data, trustees are data controllers under the Data Protection Act 1998 (the DPA). Typically, data processing is carried out on trustees' behalf by internal or external administrators, but trustees should also consider a wider range of service providers. For example, communications teams, medical officers, investment consultants, actuaries and lawyers could also be relevant. Legal responsibility for DPA compliance falls on data controllers rather than data processors.

The DPA sets out eight data protection principles which govern the way that personal data is obtained, stored, used and shared; it also sets out the conditions subject to which personal data may be processed. The diagram on the next two pages highlights issues which are particularly relevant for pension scheme trustees.

Jargon buster

Data includes any information recorded as part of a relevant filing system (whether electronic or paper-based) or other accessible record, and which is or can be processed automatically.

Personal data means data which relate to a living individual who can be identified from that data, or from that data and other information which is in, or is likely to come into, the possession of the data controller.

Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

Processing means obtaining, recording or holding information or data, or carrying out any operation involving data, including organising, altering, retrieving, consulting or using it. It also includes disclosing the data and ultimately erasing or destroying it.

Data processor means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Sensitive personal data includes information about a member's physical and mental health. It does not encompass simple financial information. Additional restrictions apply to sensitive personal data.

ICO means the Information Commissioner's Office, the UK data protection regulator.

Practical reminders for pension scheme trustees

Data controllers must follow the data protection principles:

1. Personal data must be processed fairly and lawfully (including meeting appropriate conditions; see the conditions for processing below).
Practical reminder: Have you reviewed your fair processing notice recently? Is the language up-to-date? Does it cover all purposes for processing and all potential data recipients? This can be an issue, for example, on DB transfer exercises. Traditionally, this notice was frequently given alongside the membership application form, but with the roll-out of auto-enrolment, application processes have in many cases become redundant. Is information given in the scheme booklet, or in member newsletters? Do all members receive it?

2. Ensure personal data are obtained and processed for specified and lawful purposes and are not processed in any manner incompatible with those purposes.

3. Ensure personal data are adequate, relevant and not excessive in relation to the processing purpose.
Practical reminder: Ensure that you do not hold irrelevant information, by arranging for periodic data audits. Forms and questionnaires should only require information which is relevant to their purpose.

4. Ensure personal data are accurate and kept up-to-date.
Practical reminder: This is the foundation for much wider trustee responsibilities, for example, implementing the Pensions Regulator's guidance on improving data quality, and the reconciliation of data underlying guaranteed minimum pensions. Do you know your scheme's conditional data score? Are you still taking action to improve it?

5. Keep personal data no longer than is necessary.
Practical reminder: Statutory record-keeping requirements often set minimum periods for keeping data, but these may not be long enough to enable trustees to respond to member queries or complaints, potentially decades into the future. You need to consider on a case-by-case basis whether particular records still need to be retained for the purposes of the scheme.

6. Process personal data in accordance with the rights of data subjects.

7. Appropriate technical and organisational measures must be in place to protect against unauthorised or unlawful processing, and against accidental loss or destruction of personal data.
Practical reminder: This will typically require contracts to be put in place with processors and data importers. See 'Your data processing arrangements' and 'Transferring data outside the EEA' below.

8. Personal data should not be transferred to a jurisdiction that does not offer an adequate level of data protection.

Conditions for processing

Personal data may not be processed unless one or more of the following conditions is met*:

- The individual has consented. Consent must be freely given, specific and informed.
Practical reminder: Obtaining member consent has generally been the most straightforward way for trustees to comply with the first data protection principle. Traditionally, members consented by signing a response to a fair processing notice. Again, auto-enrolment complicates matters, since trustees cannot require workers to give their consent to data processing as a condition of membership. Other conditions must be considered where consent is not available.

- Processing is necessary for the performance of a contract to which the individual is a party, or for the taking of steps at the request of the data subject with a view to entering into a contract.

- Processing is necessary for compliance with a legal obligation (other than an obligation imposed by contract) to which the data controller is subject.
Practical reminder: For the purposes of enrolment and re-enrolment, the 'statutory compliance' condition will protect trustees. However, in the normal lifecycle of a scheme, processing will extend to activities which are not required by legislation, for example, sending out scheme newsletters or other information.

- Processing is necessary for the purposes of the legitimate interests of the data controller or the third party to whom the data is disclosed (this must be balanced against the individual's legitimate interests).
Practical reminder: Trustees may be able to validate processing on the grounds that it is within their legitimate interests as data controllers, for example, to assess the membership profile in order to make decisions about DC investment options, or to send non-mandatory information to members.

Sensitive personal data may not be processed without the individual's explicit consent.

*The DPA sets out further conditions for processing, but these are the most relevant in the pension scheme context.

'Appropriate technical and organisational measures' for data security

With increasing awareness of cyber risks, ensuring data security is a very hot topic. Data controllers must put appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing, and against accidental loss or destruction of personal data. Breach of the data security principle is the most common trigger for enforcement action being taken by the ICO.

The actual measures to be taken will vary depending on the sensitivity of the data, technological developments and implementation costs, but you should ensure compliance both by the scheme and by any third party data processors. You should also review and monitor compliance regularly.

Further help: For more information, please get in touch with any of our experts listed at the back of this briefing, or see our separate guide 'Cybersecurity and pension schemes'.

Your data processing arrangements

The DPA lays down specific requirements for the contract between a data controller and data processor. The agreement must:
- be in writing;
- include a requirement that the processor acts only on the controller's instructions; and
- require the processor to comply with data security obligations equivalent to those applying to the controller.

The contract should also set out how subject access requests and other communications from members are to be dealt with (including response times) and should cover the termination of the contract, to ensure a smooth handover to new administrators and appropriate protection for all data during that process. The requirement for a written contract could also apply to actuaries, payroll agents and members' employers if they undertake any processing on your behalf.

You should review existing data processing arrangements to ensure that they include these requirements and that reporting and monitoring arrangements for data security are satisfactory to the trustees. If cross-border data transfer is envisaged, then appropriate provisions should be included.

Transferring data outside the EEA

Cross-border data transfer is another hot topic. In brief, cross-border data transfers outside the European Economic Area (EEA) are prohibited unless the third country ensures adequate protection or other conditions are met. There are various ways of ensuring protection: for example, you could use standard model clauses

whether data is being transferred outside the EEA, and if so, on what basis. In respect of transfers from the EEA to the , the 'Safe Harbor' arrangements previously facilitated transfers by deeming entities registered under the Safe Harbor to provide an adequate level of protection.