Data protection is a key issue for pension schemes. Trustees risk fines and reputational damage if they fail to have proper protections in place for member data. Here, Nick Graham, head of our Data Protection team, reflects on the lessons to be learned from a recent loss of member records which landed one organisation with a very large fine.
On 10 September 2012, the Information Commissioner's Office (ICO) fined Scottish Borders Council (SBC) £250,000 for failing to properly protect member data. The fine related to more than 600 files of confidential information, including members' salary and bank details, being left in an overflowing supermarket recycling bin. The files were recovered by the police, who had been alerted by a member of the public. A further 172 files, deposited at a different recycling point, could not be found.
It turns out the files had been disposed of by a company which SBC had employed to digitise member records. However, SBC had not sought any guarantees about the security of the old paper records. The severity of the fine reflects just how seriously the ICO will treat a large-scale escape of sensitive personal data.
What are the lessons for trustees?
Under the Data Protection Act 1998 (DPA), trustees are classed as data controllers. Data controllers must put in place what the DPA refers to as "appropriate technical and organisational measures" to protect personal data against unauthorised or unlawful processing and against accidental loss or destruction.
The reality for most pension schemes is that scheme data is held and used by someone else on the trustees' behalf – an employer's in-house pensions administration team or a professional third party provider. The DPA refers to these people as data processors. In choosing a data processor, it is important for trustees to check the processor has its own appropriate safeguards in place for both electronic and hard copy member data. The processor's duties should be set out in a formal contract covering matters such as:
- The protection to be applied to data while it is held. This will normally include technical standards for holding electronic data and how individuals with access to sensitive personal data, such as bank details, should be screened.
- The procedures for dealing with requests from members about their personal data, including procedures for verifying a member's identity and sending information both by post and electronically.
- Data disposal. Erasing electronic data can be tricky: there have been several cases of firms selling old computers without properly deleting the data held on them.
- Controls on transferring data outside the UK and especially outside the European Economic Area. This is particularly important where a processor or a scheme sponsor is part of an international organisation.
- Rights to have safeguards checked and independently audited. There is no substitute for making a site visit to your data processor's offices and regular monitoring of the data processor's activities.
- Steps to be taken by and the consequences for the processor if there is a breach of its duties.
Proper data protection is a key part of good scheme governance. The difficulties of putting suitable safeguards in place should not be underestimated. Getting it wrong risks fines, loss of member confidence and wider reputational damage. There is also the risk of being liable for member losses which result from the misuse of data. A clear and comprehensive legal agreement with data processors should be a key part of trustees' data protection strategy.