In January 2012 the European Commission published proposals to overhaul the existing data protection regime in EU Directive 95/46/EC (the “1995 Directive”). The Commission took the view that that regime required modernisation to tackle the impact that technology and globalisation have had on the way in which personal data are now used, and to harmonize the disparate ways in which EU member states had implemented the 1995 Directive.
These proposed changes (the “New Regulations”), if and when implemented, are expected to significantly alter the responsibilities of data controllers and data processors, and this in turn may have direct consequences for pension scheme trustees (“trustees”) amongst others.
Current UK Data Protection Regime
The Data Protection Act 1988 (“DPA”) implemented in the UK the provisions of the 1995 Directive. The DPA distinguishes between “data controllers” (defined as those persons who (alone or with others) determine the purposes for which, and the manner in which, personal data are to be processed) and “data processors”, who process personal data on the data controllers’ behalf.
Trustees often fall within the category of data controllers, in which case they are required to notify (register with) the Information Commissioner’s Office (“ICO”) unless an applicable exemption applies. To the extent that they operate as data controllers, trustees must observe the provisions of the DPA, including the eight principles set out in its Schedule 1; failure to comply may result in (amongst other things) the ICO bringing enforcement action against them.
To the extent that they operate as data controllers, trustees are liable under the DPA for the acts of third party data processors in relation to scheme members’ personal data. The definitions of both “data processor” and “processing” are drawn very widely under the DPA, so trustees are potentially liable for breaches of data security committed by a whole host of third parties, including the scheme’s administrators, advisers and annuity providers, as well as the employer in certain circumstances. Contracts concluded by trustees with external data processors should therefore contain sufficient contractual protection to take account of such risks.
The New Regulations will generally impose more stringent requirements on data controllers and data processors. Those data controllers failing to comply with them risk adverse consequences, including significant fines (up to 2% of worldwide turnover in relation to the most serious breaches). Serious breaches for which trustees might be liable could include failing to comply with the more stringent regime applicable to special categories of data and to notify data breaches to the ICO.
The New Regulations will need to be approved by the EU member states and ratified by the European Parliament, so it could take some time before they come into force. Regulations are, however, directly effective, so the New Regulations will have immediate effect in EU member states (including the UK) once they have been implemented.
We will provide an update on progress once the European Commission issues further guidance.