Pension plan trustees handle high volumes of members’ personal data and, in doing so, must comply with data protection requirements. Although trustees typically outsource activities involving the processing of member data to advisers and service providers (regarded as their data processors), trustees remain responsible for compliance with data protection legislation, including the acts and omissions of those third parties.

Recent fines issued by the Information Commissioner’s Office (ICO) demonstrate that a breach of data protection requirements by an adviser or service provider could be costly for trustees from both a financial and reputational perspective. Trustees cannot afford to be complacent.

Data Security – Lessons to be Learned

Where data controllers (including pension plan trustees) fail to comply with the principles of the Data Protection Act 1998 the ICO can impose fines of up to £500,000 per data protection breach. In June 2012 the ICO imposed its largest fine to date, £325,000, on Brighton & Sussex University Hospitals NHS Trust. In July 2012 it imposed its second largest fine of £225,000 against Belfast Health & Social Care Trust.

The overwhelming majority of monetary penalties levied by the ICO have been for failures to keep personal data secure, leading to data loss or wrongful disclosure of data. Fines have also been imposed when the data breach occurred because of the wrongful (and often criminal) act of a third party, for example, where mobile devices such as laptops or USB keys containing data have been stolen, or data has been made publicly available after a hacking attack on a company’s website. In these cases, the lack of deliberate wrongdoing by the data controller did not amount to an effective defence.

Many of the events leading to fines have involved the inadequate data security of the data controller itself. However, fines have also been levied when the security measures of a third party contractor have been found inadequate. In the Brighton & Sussex University Hospitals NHS Trust case, the Trust was fined because it sub-contracted work to another organisation and failed to check its data security measures and have an adequate agreement in place ensuring compliance with data protection legislation. When hard disks containing high volumes of sensitive personal data (which should have been destroyed by the sub-contractor) were in fact sold by the sub-contractor, the Trust was held responsible by the ICO.

The actions of the ICO to date clearly demonstrate that pension plan trustees must remain vigilant when outsourcing activities involving the handling of member data – they could be held accountable for any subsequent lapse in data security.

Avoiding Data Security Breaches

Set out below are some of the key actions that pension plan trustees should take regarding data protection. These fall into two categories, practical and legal.

Practical Measures

  • Trustees should be familiar with the personal data that is held by the pension plan and work with data processors to ensure that it is correctly maintained. Security measures should be adopted that are appropriate to the sensitivity of the data, and those measures should be reviewed regularly.
  • Trustees must ensure that systems are in place to quickly identify and address security breaches, limiting damage to individuals.
  • If personal data is stored on or accessed from mobile or portable devices, or transferred across a network, trustees should ensure that it is encrypted, both on the device and in transit. In the cases where laptops were stolen, the businesses involved could probably have avoided fines from the ICO if the data on them had been encrypted.
  • Trustees must carry out security checks on service providers before appointing them, to ensure they are capable of keeping pension plan data secure.

Legal Measures

  • It is essential that written agreements are in place with all those who handle member data on behalf of the pension plan and that these agreements meet the requirements of the Data Protection Act 1998.
  • All agreements with service providers should oblige those service providers, amongst other organisational and technical security measures, to encrypt data on portable devices.
  • If personal data is transferred to or accessed by anyone outside the European Economic Area then extra requirements apply under the Act and specific contractual protection will usually be necessary. It may not be immediately obvious that data is accessed outside the EEA: more and more service providers (such as pension plan administrators) sub-contract work to organisations outside the EEA to save cost. Trustees should ensure that agreements with service providers restrict the extent to which data can be accessed outside the EEA and, where such access is to occur, ensure compliance with the relevant legal requirements.

Many of these requirements will not come as a surprise to pension plan trustees. There is overlap between trustees’ obligations under the Act and the expectations of the Pensions Regulator in terms of data quality and internal controls. For example, threats to data security, and the measures taken to mitigate them, should be recorded on the pension plan’s risk register.

Damage Limitation

It is important that trustees of pension plans have policies in place to address the steps that should be taken in the event of a breach of data security, so that swift action can be taken to minimise the damage and distress caused to affected individuals.

Larger fines are more likely to be imposed for repeated breaches of data security or where the data controller has done little or nothing to address previous data protection failings. If a breach does occur then steps should be taken to prevent it being repeated, such as providing key individuals with training and making changes to data protection policies and procedures.

Having the proper policies in place to ensure that a breach of data security is handled correctly and taking action to prevent repeat breaches can make the difference between a fine and a lesser regulatory sanction, as well as minimising the impact of the breach on pension plan members.