Pension data loss leads to £250,000 fine

Lax arrangements with a supplier being used to digitise pension scheme records for a Local Government Pension Scheme (LGPS) administering authority lead to the authority being fined. The case involved a Scottish local authority but is relevant to all pension scheme trustees and all employers providing pension arrangements for staff. This speedbrief looks at the implications of this enforcement action.

Data protection: a quick reminder

The DPA requires that anyone who handles personal data (including sensitive personal data) complies with the eight data protection principles. A key principle is that personal data must be kept secure. Personal data means data about a living individual who can be identified either from the data alone or from that data together with other data which the data controller already has (or is likely to have). Special care is needed for details which if misused may lead to greater harm and distress, such as details about health issues or national insurance numbers or bank details.

The DPA distinguishes between data controllers and data processors and regulates all and every use of personal data from hosting and storage through digitisation to records destruction. It is the data controllers (ie persons able to determine the way in which personal data is processed like employers or pension scheme trustees for instance) that are required to comply with the DPA. Data processors by contrast are appointed on behalf of data controllers to provide a service that involves the handling of the data controller's personal data. Data processors (pension scheme administrators, providers of auto-enrolment services or businesses providing IT related services relevant to data and records) do not have any direct compliance responsibilities under the DPA. The contracting data controller is always responsible for the actions of their data processors. By law certain terms to safeguard personal data must be in a written contract between the parties. Suppliers often try to deal with these requirements, if at all, in minimal fashion but it is not their data and not their risk, so it is essential that data controllers protect themselves by ensuring they have sufficiently robust and detailed contract terms in place. The case leading to this recent fine provides a stark reminder of this.

The case

The administering authority of the LGPS fund appointed a supplier, GS, to digitise the Fund’s records of its former members. GS was used by other councils for similar work. The authority did not have a written contract in place with GS. Unfortunately, once scanned, GS did not look after the paper records containing peoples’ details as it should have been and discarded files were thrown into a recycling bank where they were spotted by a member of the public. The police secured the paper bank and on investigation by the data protection regulator, the Information Commissioner’s Office or ICO, found that GS had placed 10 boxes, containing 848 files between them into recycling paper banks. Only 676 files were recovered. They contained details such as names and addresses, national insurance numbers and dates of birth, as well as bank account details in many cases. Up to the incident, GS had already digitised around 8,000 pension records, potentially over a seven year period, some of which records contained details of ill health benefits. It was believed that these paper files were also put into recycling banks. Once files had been scanned, GS sent the digitised details on unencrypted disks in the normal post back to the authority.

The ICO was understandably concerned about the complete absence of care shown for other people’s data with which the authority and GS were entrusted. This was especially the case because the pensions files by their nature contained confidential details, information on ill health benefits and financial information, requiring them to ‘have been afforded the highest level of security’. The ICO highlighted the following failures: not selecting a data processor providing sufficient guarantees for its technical and organisational data security measures and compliance with them; not having a written contract in place; not checking whether the supplier had secure data destruction facilities; not giving any instructions about, not providing in any contract for the secure disposal of files post scanning; not requiring the supply suitable certificates of destruction; not having regular monitoring in place. This brief list alone is indicative of the level of care and detail which the ICO stipulates is needed for the proper discharge of obligations to safeguard personal data.

Comment

Incidents involving such pension scheme data in the future appear fated to receive stern treatment from the ICO since aggravating factors triggering the use of the fine and its size, included ‘the nature of the confidential data’; the volume of data involved and number of individuals affected; and the risk of ‘identity fraud and possible financial loss’. Those operating in the pensions market should take heed since the ICO expects those operating in the same market as a data controller fined to sit up, take notice and take action where needed. The next player caught in the market may receive an event higher fine. Currently, fines can be up to £500,000. However, if proposed changes to data protection laws come into force as drafted, that will increase to 2% of global turnover.