Pension schemes handle members' data in increasingly sophisticated ways. Information may be accessed using different media or from different locations. Data sharing has become more common in recent years. In addition, the increased awareness of cyber-crime means expectations around security have changed. All of these changes have implications for data protection compliance, meaning that pension schemes may need to update their processes. This note identifies key areas which may benefit from review and suggests practical ways to ensure compliance. Changes to European data protection legislation due to come into force in May 2018 will place a greater emphasis on formal compliance processes, so review of processes now will also help schemes prepare for regulatory change in this area.
WHY DOES DATA PROTECTION MATTER?
In the UK the Data Protection Act 1998 (the "Act") provides a set of rules concerning how organisations should handle information about individuals. Running a pension scheme involves the collection and processing of large quantities of member data. This may include information that people consider to be very private or sensitive: earnings; bank account details to enable benefit payments; details of partners or dependants and, in some cases, details about an individual's health. The storage and use of all this data is subject to the provisions of the Act.
The Information Commissioner is responsible for ensuring compliance with the Act. Since 2010, the Commissioner has been able to impose fines of up to £500,000 for serious breaches. Forthcoming changes to European law will increase penalties still further (with fines of up to 4% of annual turnover in some cases), so it is important to get things right.
What has changed for pension schemes?
The operation of pension schemes has become increasingly complex so that, although schemes' overall purposes have not changed, the ways in which data is handled have. For example:
- scheme administrators may wish to off-shore some services or administration to reduce costs;
- members may be given access to information about their benefits via the internet;
- trustees may wish to share information about members with insurers as part of projects to hedge risk, or employ third parties to provide member verification services.
All such projects have implications for data protection compliance.
KEY LEGAL REQUIREMENTS
- The key requirements of the Act are that data controllers notify the Information Commissioner's Office (the "ICO") of their processing of personal data (unless an exemption applies), and that organisations which control personal information (known as "data controllers") comply with the eight "data protection principles" set out in the Act. These place particular obligations on data controllers and give individuals certain rights in respect of their data.
- Data controllers must tell individuals how their data is processed and what it is used for. Before doing something new or different, consideration should be given as to whether members must be given notice or whether consent is required. For example, before collecting health information about individuals they should be provided with clear, specific information about how their data will be used, with whom it will be shared, and their consent to this use must be obtained.
Keeping data secure
- Trustees have an obligation to ensure that personal information is held securely, and to prevent unauthorised access. Ensuring compliance remains the trustees' responsibility, even where information is held by service providers. Under the Act, specific contractual obligations must be included in agreements with service providers.
- The obligations around security are potentially the most important under the Act, as loss of data can have the most serious impact on individuals. The majority of the monetary penalties imposed by the ICO are for security breaches.
Sending data overseas
- Trustees (or employers) who wish to send data outside the European Economic Area (EEA) must ensure that it will be adequately protected, unless the transfer falls within one of a number of narrowly defined exemptions. There are a number of approved mechanisms for providing such protection, and trustees who use an overseas service provider should ensure that one of these mechanisms is used.
- It can also happen that an individual trustee (or director of a trustee company) may live overseas. In such cases, appropriate protection must be in place when sharing scheme information with the trustee (or director), unless the information remains in the UK.
What if things go wrong?
For serious breaches which are likely to result in substantial damage or distress, the ICO can levy fines of up to £500,000. Most such fines have been in relation to security breaches. For example, in July 2014 an online travel services company received a £150,000 fine after a hacker exploited a coding error on its website login page and gained access to thousands of customers' details.
The ICO may also serve an Enforcement Notice, requiring a data controller to put things right. It is an offence to breach an Enforcement Notice.
Individuals have a right to compensation if there is a breach which causes them damage or distress, but they cannot claim for distress alone, they must also have suffered damage.
Action points for trustees
- Review your privacy notices to members – are they up to date? Do they reflect what you might wish to do with data in the future?
- Do you have a security breach protocol in place for what actions you need to take, and whom to involve, if you suffer a data breach?
- Review your arrangements with service providers to ensure that they are appropriately documented in line with current standards. Check that service providers are complying with their obligations. In one case, a high-profile data loss occurred because a service provider had changed its information disposal processes. As there was no written obligation on the provider to keep the client informed of its security arrangements, the client had been unaware of this change. A lack of clarity around service provider obligations can make it harder to obtain redress in this type of scenario.
THE NEW EU DATA PROTECTION REGULATION – WHAT WILL CHANGE?
A new General Data Protection Regulation, replacing the existing Data Protection Directive, will apply from 25 May 2018. Regulations have direct effect in national law, without any requirement for further implementing legislation. The new Regulation will make a number of significant changes to the current position:
- stronger enforcement powers for national data protection authorities: meaning that fines could be levied of, potentially, as much as 4% of a company's annual worldwide turnover (or €20 million, whichever is higher);
- more detailed notice and consent requirements: controllers will have to provide individuals with more detailed information about processing, such as: the basis on which data is processed; the different rights available to them, and whether their personal data will be transferred internationally;
- more prescriptive requirements when using service providers: additional obligations will need to be included in contracts with service providers, which means almost all existing contracts are likely to require amendment;
- data breach notification: an obligation to notify security breaches to data protection authorities (and, in some cases, to the individuals affected) will apply to all controllers. This will make the likelihood of investigations by national data protection regulators much greater;
- controller’s responsibilities: there will be a much greater emphasis on accountability, with data controllers required to adopt policies and implement measures to ensure (and demonstrate) that processing is in compliance with the Regulation. For most controllers this will be one of the most noticeable differences from the existing regime, as putting in place a comprehensive data protection compliance programme will become an explicit legal obligation.