From 6 April 2010, the Information Commissioner has the power to levy penalties on data controllers for serious breaches of the Data Protection Act 1998. The maximum penalty is £500k and there has been a great deal of press on this as a result.

Trustees need to remember that they are the “data controller” for the purposes of the Act, even where they appoint a third party administrator to undertake the scheme administration on their behalf. As data controllers, trustees are required to comply with certain data protection principles when collecting, holding and using members’ personal data and must ensure that those who process personal information on their behalf, eg a third party administrator, advisers, annuity providers and the employer (known as “data processors”) also comply with the provisions in the Act.

Under the new Regulations, before levying a penalty the Commissioner must issue a notice of intent to the data controller. The notice must set out the breach and give reasons for the decision to levy a penalty. The Commissioner must also explain why this is a serious breach “of a kind which is likely to cause substantial damage or distress”. The notice sets out the amount of the penalty and the proposed (future) due date.

Once the notice has been received, the data controller may make written representations to the Commissioner. Data controllers who are served with a penalty notice may also appeal against the penalty and/or its amount.

Technical information

The new power for the Commissioner to levy a penalty of up to £500k is set out in The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (S.I. 31). The Regulations were laid before Parliament on 12 January 2010 and take effect on 6 April 2010.  

To view them go to:  

Action required

Speak to your administrator and check your administration agreement

As part of good governance and effective risk management, trustees should be monitoring their administrators on a regular basis. Now would be a good time to check that they are complying, in particular, with their obligations as the data processor of members’ personal data. Trustees should also check the administration agreement. Does it adequately cover Data Protection requirements and is it clear on who would be liable in the event of a fi ne being levied on the Trustees for breach of the Date Protection Act 1998?