The Pensions Regulator (the "Regulator") has issued a press release reminding pension scheme trustees of their obligation to achieve the Regulator's scheme data targets by the end of the year.
In 2010 the Regulator set the following targets for completeness of scheme data records:
- common data created after June 2010: 100%
- common data created before June 2010: 90%
Common data is data which all schemes will hold in relation to members, irrespective of the type of scheme, such as member names, addresses, dates of birth and National Insurance numbers. The targets must be achieved by the end of 2012.
The Regulator's press release comes at a time when the Information Commissioner's Office (the "ICO") has recently released figures, published by the BBC, which reveal that ten times as many personal data security breaches are now reported to it as were reported five years ago. About a third of these involved sending information to the wrong postal or email address. These figures underline how important it is that trustees not only ensure that their scheme records are accurate, but also that scheme data is handled securely and processed in accordance with the requirements of the Data Protection Act 1998 (the "DPA"). The ICO has wide powers to deal with organisations that fail to protect personal data, which could include criminal prosecution and imposition of fines of up to £500,000.
Failure to keep accurate scheme records may mean that trustees breach their obligations under the DPA. For example, in its 2010 record-keeping guidance, the Regulator stated that "An address should be present for all members of all schemes. Because of DPA requirements an exception is permissible for active members of those trust-based schemes in which communication is normally sent via the employer. 'Gone away', 'unknown' or similar should be treated as missing data." If trustees are informed that a member is no longer at the address they hold for that member, they must ensure that this is recorded and that no further communications are sent to that address. Continuing to send communications to an address which the trustees know to be incorrect could constitute a breach of the DPA.