Given the need to reduce costs, outsourcing to non-UK locations has become commonplace in the field of pensions administration. There are several factors, however, which the trustees of pension schemes must consider before agreeing to their provider outsourcing their services.
Under the Data Protection Act the trustees are the 'data controllers' and are responsible for any breaches of data protection requirements in relation to the scheme, regardless of whether the breach occurs at the hands of the scheme administrator or a subcontractor. Breaches are arguably more likely to occur in the context of outsourcing where the data is being transferred to another country. Each time data is copied or sent the risks are multiplied.
The trustees must ensure there are appropriate safeguards in place to protect the personal data of the members:
- This will be harder for the trustees and the administrator to monitor as the operations will no longer be based in the UK.
- Staff in the overseas office must be given adequate training regarding data protection. This could be costly, and whilst these costs will inevitably be borne by the administrator rather than the trustees, they could result in an increase to the cost of the service to the scheme (or could just balance out any cost saving achieved by the outsourcing exercise). Whether there is a cost saving needs to be evaluated by the trustees.
- The UK administrator must put appropriate checks and audit procedures in place to ensure the subcontractor is meeting the necessary service standards.
Scheme members will have to be informed regarding the transfer of their personal data. This could be costly for the scheme and so the trustees should consider requiring the administrator to complete this task at their own cost.
The Data Protection Act registration for the trustees must be amended.
Liability for breaches of the data protection legislation:
Data breaches by a subcontractor may be more difficult to identify and may be more likely to occur. The trustees need to protect themselves against such potential breaches. Strict safeguards must be implemented to protect the trustees in case of breach by the subcontractor. Amendments to the Administration Agreement between the trustees and the UK administrator will be needed and are likely to include discussions on the following issues:
- The trustees must ensure that the UK administrator is to be held directly responsible and liable for any breach by the overseas contractor. If a breach does occur, the implications of that breach may be wide-ranging for the trust and difficult for the UK administrator to put right.
- The trustees should seek an indemnity from the UK administrator in respect of any losses resulting from the acts or omissions of the administrator's overseas subcontractor.
- Many developing world countries, including India, which is a popular location for outsourcing, have no data protection laws in place and litigation in these countries can be time-consuming and expensive. Clauses will need to be added to the Administration Agreement regarding the jurisdiction and locality of any litigation which arises. The trustees should seek to ensure that any litigation will take place in the UK, and that UK law will prevail in the event of any dispute. The trustees should seek to ensure the EU standard terms on outsourcing (as per the EU Directive on standard contractual clauses for the transfer of personal data 95/46/EC) are replicated in the contract for services between the UK administrator and the overseas subcontractor.
- If there is a breach of data protection by an employee of the overseas subcontractor, it will be difficult and costly for the trustees to investigate and ensure the data is regained. Whilst the trustees can make the UK administrator liable for such breaches, irreparable damage may occur and the trustees need to carefully consider this issue when deciding whether to agree to the proposal.
Other more general concerns
- The trustees have a duty to act in the members' best interests. Trustees should evaluate whether outsourcing may result in a lower quality service due to lack of expertise and experience in the overseas office, and due to the time taken for the UK administrator to communicate and co-ordinate operations with the overseas subcontractor.
- All client and member-facing services will usually remain in the UK. The trustees and scheme members will usually have no direct contact with the overseas subcontractor. However, if the trustees have a problem or query, the resolution may be delayed as a result of time differences.
- The trustees should also seek an undertaking from the UK administrator that the overseas subcontractor will not re-subcontract any work or assign its obligations to any other party without the prior written consent of the trustees.
- The future is uncertain. Will the UK administrator eventually seek to outsource further areas of the business, such as the client and member-facing services, as many companies have done? This could make communication more difficult for the trustees. The trustees should seek an undertaking that the UK administrator will not outsource any other services without the trustees' prior written consent.
To summarise, in non-UK outsourcing cases (even where outsourcing is limited), amendments to the trustees' Administration Agreement with their UK administrator will be needed and the trustees' legal advisers should preferably be involved.