Welcome to the 27th Clarity Guide. This Clarity Guide sets out some of the practical issues trustees should be aware of when they receive, and prepare a response to, a data subject access request from a member or beneficiary of the pension scheme (or another person who is a data subject in respect of whom the trustees hold personal data). Trustees must respond to the data subject access request without undue delay and at the latest within one month of receipt, except in limited circumstances. A typical timeline is set out below together with some common questions that can arise in practice.
How do trustees know they have received a data subject access request?
There are no legal requirements as to the format of a request. It does not need to be in writing, nor does it need to say that it is a data subject access request.
It may be helpful to have a form for data subjects to complete, but trustees cannot require individuals to use a particular form or method to make a data subject access request. Any request from a data subject enquiring about their personal data should be treated as a potential data subject access request, and the request does not have to be addressed specifically to the trustees. For example, it could be sent to the pensions manager or a member of the third-party administration team.
Larger schemes may find it helpful for all data subject access requests to be submitted internally to a single point of contact, and could have a dedicated email address for this purpose. This reduces the risk that a request is overlooked and the one-month maximum time period to provide a response is not met.
Where it is unclear whether or not the request amounts to a data subject access request to the trustees, the trustees may seek professional advice and should confirm with the data subject whether or not they are making a data subject access request.
Can trustees charge a fee for responding to data subject access requests?
No, the trustees must in most cases provide a copy of the personal data free of charge. If multiple copies are requested, the trustees may charge a reasonable fee based on administrative costs.
When can trustees delay their response beyond one month and for how long?
Trustees may extend the one-month period by two further months where necessary, taking into account the complexity and number of requests. If the trustees wish to extend the period, they must inform the individual within one month of receipt of the request and tell them the reasons for the delay.
What information must the trustees provide in response to the data subject access request?
The trustees must provide a copy of the personal data held by them, information about the purpose(s) for which that personal data is processed and with whom it is shared. In addition, the data subject's personal data and information about the source of that personal data must be provided. Much of this additional information will already have been included in the trustees' privacy notice. It may be helpful to have a checklist prepared to assist with the review process before providing the response to the individual.
The information included in the response should be redacted so that only the personal data relating to the data subject is supplied. In practice, it may therefore be safer to extract the personal data from the scheme's records and insert it into a separate schedule, so as to reduce the risk of providing personal data relating to another data subject. For example, if the data subject was discussed at a trustee meeting, only an extract of the relevant part of the minutes needs to be provided.
Is there a particular format that the trustees must use to provide their response?
If the request is made by letter, then generally the response should be provided in hard copy. If, however, the data subject makes the data subject access request in electronic format, e.g. via a website or in an email, then the response may be provided by email.