This matters for several reasons. First, the Information Commissioner's Office (ICO), the body that enforces data protection legislation in the UK, has the power to fine organisations up to £500,000 for serious breaches. Second, individuals adversely affected by a breach are entitled to recover damages from trustees or employers for any resulting injury or distress. Trustees should also be alert to the risk of significant reputational damage and to the wider public interest: a breach of the legislation can cause serious financial loss to individuals and, in some cases, compromise their personal safety.
Historically, financial institutions have been reasonably prudent in protecting the confidentiality of their customers’ personal information. Most pension providers are aware of the requirements of the Data Protection Act 1998 and have compliance processes in place to address the security of personal data and to prevent its unauthorised disclosure. However, sweeping changes to the regulation of how personal data is used are about to be introduced.