The Scottish Borders Council has recently been fined £250,000 for breaching its data protection duties under the Data Protection Act 1998 (Act). Failing to keep personal data secure in this way also has significant implications for pension schemes.

In this case, the data in question had been outsourced to a contractor to process but the contractor failed to dispose of the hard copy records in the appropriate manner, instead depositing them in an over-filled recycling bin in a supermarket car park.  The “rubbish” contained 676 files with the Council employees’ names, addresses, national insurance numbers, salaries and bank details.  As the Council failed to secure a contract with the offending company, it was held liable for the incident; the Information Commissioner’s Office (ICO), the body responsible for enforcing data protection law in the UK, labelled the incident as a “serious breach”. Yet, loss, disclosure or theft of data is not confined to physical records. In fact, digital records present an even greater risk given the ease with which large volumes of data may be extracted on an electronic medium.

Why are Trustees’ and, potentially also, Scheme Administrators at risk?

The Act governs the collection, processing and use of personal data. Both processing and personal data are widely defined and include information collected in the context of the governance and administration of occupational pension schemes.

In most cases, pension scheme trustees will be “data controllers” for the purposes of the Act and therefore will take on the same responsibilities. Trustees will often use external administrators to process the information on their behalf, as was the case in the Scottish Border Council matter.  As was shown in that case, trustees will be held responsible for any breaches by third parties unless they have taken adequate measures to protect members’ personal data and keep it secure.

Trustees must notify the ICO that they are a data controller and register the personal data that they control.  Any failure to notify is a criminal offence for which trustees may be liable, unless they are exempt. In relation to trustees the only exemption generally available is that may be relevant is if the individual is the sole member and the sole trustee of an occupational pension scheme.

Administrators of a scheme will usually be “data processors” under the Act as they will be processing members’ personal data on behalf of trustees.  However, where administrators are independently, or jointly, determining the purposes for which members’ personal data may be processed, they may also be held to be data controllers and therefore be primarily liable under the Act.

In January this year new draft EU Regulations were published which will potentially introduce a number of changes in relation to data protection.  These include an obligation on companies to report any serious data breach to the authorities within 24 hours and the maximum fine will be capped at 2% of the annual worldwide turnover of the company or firm involved.  Another change that scheme administrators should be aware of is that data processors, as well as data controllers, may also be held primarily liable for breaches of the Act.  This change is aimed at sharing the responsibility amongst all parties involved rather than the data controller being solely responsible and is a landmark step change in data protection regulation.

ICO Powers

The ICO can issue fines of up to £500,000 for any serious breach of the Act.  The most likely provisions of the Act which may be breached in relation to the loss or disclosure of members’ personal data is the Seventh or Eighth Principles i.e.

  1. Appropriate technical and organisational measures shall be taken against unlawful and unauthorised processing of personal data.
  2. Personal data should not be transferred outside the EEA unless that country provides adequate level of protection for the rights and freedom of the data subjects.

In order to be found liable the ICO must prove that the data controller deliberately or knowingly failed to take reasonable steps to prevent the breach.  The fine that is given depends on the seriousness of the breach and is clarified using the following indicators:

  • Number of individuals affected
  • Nature of the personal data
  • Whether it was reasonable to expect that a breach may occur
  • Was the breach within the data controller’s direct control?

How can Trustees and Scheme Administrators minimise their risk?

To achieve compliance and protect the reputation and brand of a pension scheme and minimise the potential costs of a breach, trustees and, where relevant when acting as data controllers, scheme administrators should:

  • use third parties who have safeguards in place to maintain data security;
  • check that all contracts with third parties include data security clauses;
  • check all liability caps in the contracts to ensure that the third party will pay the whole amount should a breach occur;
  • undertake due diligence on third parties;
  • perform regular audits to check compliance;
  • review insurance cover and exclusions;
  • be ready to manage breaches if they occur; and
  • devise and put in place a contingency plan to determine what to do in the event of an incident.