Pension schemes have a long lifecycle. They need personal data to put pensions into payment decades after a member first joined the scheme and may need to deal with claims about calculation errors decades after that. Schemes with a complex history of mergers and bulk transfers-in may have significant quantities of legacy data. Any scheme administrator looking at the string of equalisation claims in recent years, and current GMP reconciliation processes, could be forgiven for concluding that the baseline for data retention in the pension scheme context is simply ‘Keep everything, because you never know’.
The ‘you never know’ approach to data retention may look like a good option when historic documents are in the media spotlight – for example, the Home Office is reported to have said that its decision to destroy the landing cards of the Windrush generation was taken in line with data protection law, including the duty to ensure that personal data held is accurate and up to date and not kept for longer than necessary. Our view of how long is ‘necessary’ can vary over time.
Can long-term data retention be a viable approach? The current focus on preparing for the General Data Protection Regulation includes a requirement for pension schemes to focus on data retention policies – privacy notices to members, for example, should include information about ‘the period for which personal data will be stored, or if that is not possible, the criteria used to determine that period’. The Information Commissioner’s Office has published guidance on retention, which states specifically that ‘personal data should not be kept indefinitely ‘just in case’, or if there is only a small possibility that it will be used’.
Storing data is in itself an act of data processing, which must have a lawful basis under the GDPR – for example, that it is necessary for compliance with a legal obligation to which the controller is subject, or is necessary for the purposes of the legitimate interests pursued by the controller (and is not overridden by the interests or fundamental rights and freedoms of the data subject).
The ICO’s guidance on the lawful grounds for processing helpfully states that:
- The legal obligation referred to need not be an explicit statutory obligation – it includes common law duties (for example, compliance with trust law), but must have a sufficiently clear basis in either common law or statute. Trustees should be able to identify the obligation by reference to a specific legal provision or to advice or guidance (including industry guidance).
- The legitimate interests ground is more flexible, but requires a balancing test against the individual’s interests, rights and freedoms which should be documented; the details of the specific interests identified should be transparent in privacy information.
In many cases, both grounds may be available to justify retention – but what is clear is that trustees must consider the issue and formulate a policy. Dusty boxes of documents sitting insecurely in a former trustee’s garage should be dealt with as soon as possible; and although the thought of sorting through documents in secure off-site storage may be unappealing, trustees should be aware of what data they are holding, whether they still have a lawful basis to hold it, and how they plan to deal with it if not.