Pension scheme trustees have been working hard towards compliance with GDPR, but most still have a “to do” list. We consider the priorities.
“Today is not a deadline. It is the beginning of a new chapter of data protection.” That was the view of Elizabeth Denham, the Information Commissioner, on television on 25 May when the General Data Protection Regulation (GDPR) came into force.
Now the flurry of opt-in and privacy notice emails has died down, we look at what pension scheme trustees should be doing to ensure they continue to comply with their obligations as data controllers.
For an understanding of the key areas of GDPR, read our previous article Countdown to GDPR: FAQs for pension trustees.
If you would like any further information on anything in this article, please get in touch with Catrin Young who is leading on our GDPR project for pension trustees, Alice Honeywill or your usual contact in our pensions team.
- Q. Do we need to consider the Pensions Regulator’s recent guidance on cyber security principles?
- A. Yes, all trustees should do this and take appropriate action.
- Q. Which contracts should we prioritise?
- A. You should prioritise contracts with data processors. But consider also whether you should adopt or update contracts for in-house support. Also decide whether data sharing agreements are appropriate for projects involving data sharing between trustees and employers and others.
- Q. When should we send out privacy information?
- A. You should ensure processes are in place to provide a privacy notice when contact is made with an individual for the first time. It may help to consider the advantages of ‘just in time’ communications. You should update privacy information if you change the purposes for which data is processed. If details in your privacy notice change (e.g. names of suppliers, or contact details), update your privacy notice.
- Q. What should we be doing?
- A. In broad terms you should ensure that processes on data retention are set up and adhered to, including when trustees retire.
- Q. Does trustee insurance cover potential data protection breaches?
- A. All trustees should review their insurance in relation to data protection breaches.
- Q. Do we have to keep our data map up to date?
- A. Yes, trustees should ensure their data map is updated regularly and in particular on any change in supplier.
- Q. Does data protection need to become part of the DNA of the scheme and the wider business?
- A. Yes, it is clear trustees need to have data protection as a prime consideration at all times and in particular when planning any novel project or activity that might throw up issues not encountered before.
- Q. What is privacy by design?
- A. Privacy by design is the idea that trustees and others will need to consider data protection up front for any new project or activity.
- Q. Is it right that trustees need to log all breaches in the security of personal data but only some breaches need to be reported to the ICO?
- A. Yes.
- Q. Is there still a fee to pay?
- A. Yes.
GDPR does not use the words “cyber security” and the section dealing with security is short. It says personal data must be “processed in a manner that ensures appropriate security of the personal data” including protection against:
- unauthorised or unlawful processing
- accidental loss, destruction or damage.
This security is to be achieved by deploying “appropriate technical or organisational measures”.
The ICO identifies this as GDPR’s “security principle”. Briefly though it is put, this principle is the mainstay of data protection. The largest penalties the ICO has issued against businesses to date have been as a result of failures to operate appropriate and up-to-date security systems.
In April, the Pensions Regulator published its guidance for trustees on cyber security principles for pension schemes (PDF). It reminds trustees that the Regulator can intervene where trustees fail in their duties to operate internal controls and that building cyber resilience is key to operating adequate internal controls.
The guidance says trustees should receive regular training and have access to the skills and expertise required to understand and manage cyber risk. We suggest trustees consider approaching the employer’s IT department for this support in the first instance.
The guidance also says:
- trustees should ensure cyber risk is on their risk register earmarked for at least annual review and on any substantial changes in scheme operations e.g. a change in IT systems or a change in administrator
- in some cases trustees may want, or need, to have the effectiveness of their cyber risk management independently assessed by an auditor or seek accreditation such as Cyber Essentials or ISO 27001.
Further, the guidance encourages trustees to probe their suppliers of computer equipment or services (e.g. a third party administrator) about their cyber security arrangements and to enquire what independent accreditations they have.
GDPR requires trustees, as data controllers, to ensure they have written contracts in place with their data processors covering specified matters including confidentiality and security commitments, end of contract provisions and audit and inspection rights.
Trustees should now:
- finalise contracts with data processors in particular because it is a breach of GDPR not to have these contracts in place
- consider whether contracts for in-house support should be adopted or updated.
Many suppliers and advisers to trustees did not circulate their draft terms until May, leaving little time for them to be reviewed, amended and agreed. The danger, now that 25 May has come and gone, is that the sense of urgency might dissipate. Trustees need to guard against this and continue to push the project to completion as soon as reasonably possible.
Many data controllers have also proposed revised contract terms. These agreements should be finalised too.
Where in-house support is provided to a pension scheme, the employer will often be acting as a data processor, and a GDPR-compliant contract is required.
Consider too whether a data sharing agreement is appropriate for projects where data is shared between the employer and the trustees or other third parties.
Trustees need to ensure processes are in place to provide a privacy notice when making first contact with an individual.
They should consider ‘just in time’ communications.
They should update privacy information if they change the purposes for which data is processed. If details in a privacy notice change (e.g. names of suppliers or contact details), update the privacy notice.
Trustees will either already have sent privacy notices to scheme members and beneficiaries, or be due to do so shortly. However, this should not be seen as a one-off exercise. Where a scheme remains open to new joiners, copies need to be sent to new members.
Under an exemption, there is no requirement to issue a privacy notice where the information has been provided by someone other than the data subject and “providing them with the information is likely to render impossible or seriously impair the objectives of that processing”.
Arguably, this justifies not sending the information to someone named in a member’s expression of wish form over death benefits. Where trustees have decided it would be disproportionate and contrary to the purposes of the processing to send a privacy notice to those named in an expression of wish form, they should ensure their administrator has procedures in place to send these out when first contact is made with an individual, even if only to seek information. To rely on the exemption, a copy of the trustees’ privacy notice also needs to be made publicly available, perhaps on the scheme or employer’s website.
Trustees should consider providing short focused privacy information when new data is collected e.g. explaining how a marriage certificate is used when it is requested. This is known as 'just in time' communication.
If trustees decide to process personal data for a purpose that is different from that set out in their original privacy notice (e.g. if they decide to share personal data for national statistical analysis), they will need to issue a new privacy notice.
Trustees should review their privacy notice regularly for accuracy, and update it if details change. This might include e.g. details of suppliers, overseas processing, or contact details.
Trustees should ensure that processes in relation to data retention are set up and implemented, including when trustees retire.
As the Information Commissioner has said, GDPR presents a good opportunity for housekeeping.
Many clients have already adopted a policy to anonymise member data in administration reports, papers on the exercise of trustee discretions and minutes of meetings.
Others have agreed to delete personal data held in individual trustee hands if they are comfortable copies are retained in a central location. Typically this would be in the records of the third party administrator.
Trustees should take data retention as an ongoing process and should continue to work their way through their filing systems, electronic and paper, to see what can be destroyed or deleted.
Trustees should keep their retention policy under review, particularly once members have transferred out of the scheme, died without leaving a dependant or exercised their right to be forgotten. Whilst retaining some data will be justifiable in those circumstances, trustees should consider whether it is necessary to retain all data or, if it is, limit access to the data to reduce the risk of a data breach.
It should be automatic that retiring trustees are asked to return or destroy all personal data relating to the scheme and to sign a declaration to confirm they have done so.
With the increased financial penalties for breach of GDPR, many trustees have been considering the extent of their personal liability. Insurance policies are available to cover the cost of regulatory fines (including those issued by the ICO) although it remains to be seen whether the premiums for these will increase.
Many policies provide that such cover is only available where the cost is paid for directly by the employer, reflecting the statutory restriction in the Pensions Act 2004 that scheme assets shall not be used to reimburse a trustee in relation to fines or civil penalties imposed under pensions legislation.
That said, note there is no equivalent statutory restriction for fines or civil penalties imposed under GDPR.
Trustees may also have the benefit of an indemnity from the employer under the scheme’s trust deed and rules. However, for directors of corporate trustees, the Companies Act 2006 renders an indemnity for criminal fines and regulatory fines void. For trustee directors, therefore, insurance will become even more important.
However, these risks must be balanced against the risk of enforcement action being brought against individual trustees or trustee directors in the first place.
The ICO launched its Regulatory Action Policy consultation on 4 May. Trustees may take comfort from the fact that it states the ICO will target its most significant powers for organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data. Furthermore, it says the approach will be to encourage and reward compliance.
Those who self-report, engage with the ICO to resolve issues and can demonstrate strong information rights and accountability arrangements can expect these factors to be taken into account.
The trustees as a body will be the data controller and while one can expect the vast majority of enforcement action to be taken against the body, action against individuals (including individual trustee directors) cannot be ruled out for the most serious and criminal matters.
GDPR itself only introduces civil penalties, but the new Data Protection Act 2018 includes a number of recordable criminal offences, all of which are punishable by a fine and not imprisonment.
Offences include obstructing ICO investigations, making a false statement in response to an ICO information notice and altering, defacing, blocking, erasing, destroying or concealing information with the intention of preventing disclosure e.g. in response to a subject access request from a data subject.
It seems likely, therefore, that the ICO will take a similar approach to that taken by the Pensions Regulator, which will only take action against individuals, including trustee directors, where the act giving rise to the fine was done with their consent or connivance or was attributable to their neglect, with those most culpable being the greatest target.
Trustees of well-run trustee boards with robust governance processes should have little cause for concern.
GDPR requires trustees to maintain a record of the processing activities under their responsibility. This should record, among other things, the purposes of the processing, a description of the technical and organisational security measures, and the envisaged time limits for data to be deleted.
Trustees will have spent much time collating this information from their advisers and suppliers for 25 May and will have prepared a data map. Trustees should ensure it covers the trustees' own data processing, and any in-house support. GDPR requires this information to be in a single written document and that it is kept up-to-date.
A copy must be provided to the ICO on request.
Trustees should include data protection in their business plan e.g. by earmarking for annual or biannual review their data protection policies, procedures, experience and training (including refresher training). Regular reviews of the data map could usefully be included.
Privacy by design
Under GDPR, data protection needs to be at the forefront of all processing activities, from the creation of data through to its destruction. The security measures and business practices of the trustees and their advisers should be regularly reviewed to ensure that they remain appropriate to the risks. Trustees should be mindful of the requirement to undertake a privacy impact assessment if any processing activity is likely to result in a high risk to individuals.
The ICO's Guide to GDPR says trustees need to establish the likelihood and severity of the risk to people’s rights and freedoms as a result of the breach. If a risk is low, there is no need to report e.g. because the laptop lost on the train was password protected and all personal data encrypted.
That said, trustees need to keep a log of all breaches, including an explanation of why a decision was reached to report to the ICO, or not to do so.
The requirement to report (some) breaches to the ICO is new under GDPR.
However, even if trustees do not report, they still need to be able to justify their decision. The log should include the date of the breach, how it occurred, who was responsible, when and how the trustees became aware of it, whether it was reported and, if it was not, the rationale for that decision. The log can then be produced to the ICO if required.
Data protection needs to become part of the culture of the trustees and the scheme sponsor.
There is no longer a requirement for data controllers to register with (or 'notify') the ICO but all pension trustees will need to pay an annual fee.
What happens next?
GDPR is a new area and over time more guidance and experience of the ICO’s approach will emerge. Trustees should look out for updates relevant to pension schemes.