There is an increasing need for trustees and employers to be aware of their obligations under data protection legislation.
This is for several reasons including:
- The Information Commissioner, the organisation which enforces data protection legislation in the UK, has the power to fine organisations up to £500,000 for serious breaches.
- Individuals who are adversely affected by any breaches are entitled to recover damages from trustees/employers for any injury or distress. Trustees should be aware of the risk of significant reputational damage as well as public interest issues. Breaching the legislation may result in serious financial loss to individuals as well as compromising personal safety.
- Data protection compliance is going to become even more important when new European rules are adopted later this year. The rules will radically change data protection requirements in the UK.
Current data protection laws in the UK are set out in the Data Protection Act 1998 (the Act). The Act requires organisations to process personal data in accordance with certain principles. The Act also creates rights for individuals to access their personal data. The obligation to follow the principles rests on the “data controller”, which is the organisation that determines the purposes for which, or the manner in which, personal data is processed. Pension scheme trustees and employers will be deemed to be “data controllers” and therefore must comply with the principles.
Scheme members must be informed about how trustees will use their personal data. Application forms will need to be reviewed to ensure they provide the necessary information to individuals about how their personal data will be used.
Sensitive personal data
Special consideration must be given to “sensitive personal data”. Sensitive personal data includes specific information about an individual’s physical or mental health, religion, or ethnic origin. If such information is to be collected and used, the trustee must obtain that member’s explicit prior consent. There are also important implications if trustees or employers appoint outsiders to process personal data of members on their behalf. If scheme administrators are appointed, trustees are required to have a contract in place which makes it clear that the administrators must take appropriate steps to protect security. The contract must also contain certain restrictions as to where the personal data can be transferred.
The Act also requires trustees/employers to take appropriate steps to protect the security of personal data, and the recent flurry of data security breaches has highlighted the need for organisations to be aware of their legal requirements under the Act.
The Act requires organisations to take “appropriate technical and organisational measures” against accidental loss, destruction or damage to personal data. Problems can arise if trustees appoint contractors to process personal data on their behalf. In such circumstances, trustees/employers are required to obtain contractual guarantees from contractors in relation to the contractors’ technical and organisational security measures.
The importance of security is highlighted in the recent decision of the Information Commissioner relating to Scottish Borders Council. Scottish Borders Council was fined £250,000 for failing to put appropriate security measures in place. The Council had instructed a data processor to digitise member records and discard old hard copy records. For some reason, the data processor appointed by the Council chose to dispose of employees’ paper pension records by leaving hundreds of files containing salary and bank account details in an overfilled paper recycling bank in a supermarket car park. The Council was held to have breached the requirement in the Act to adopt appropriate security provisions, because it had failed to obtain any kind of guarantees from its contractors on how personal data would be kept secure. Although the fine was reversed on appeal, this case illustrates the risk of failing to impose appropriate security undertakings on contractors.
European data protection laws
Europe’s data protection laws will shortly be overhauled. The laws will be adopted in Brussels this year and will be fully operational in the UK by 2017. Although the new rules have not been finalised, it is expected that the laws will substantially increase the obligations of trustees.
Among the new requirements will be an obligation to adopt policies and to implement appropriate measures that demonstrate that personal data is being processed in accordance with the new rules. Documentary evidence will be required of all processing operations.
Another key change will be a requirement for organisations to notify any data protection breach to the relevant authorities (under the Act this is currently limited to serious breaches). Organisations will also be required to conduct an impact assessment before undertaking any processing that presents any privacy risks. More importantly, the level of maximum fines will increase significantly from £500,000 to 100 million Euros or 5% of annual worldwide turnover.
What you can do now
Trustees and employers should therefore take their data protection responsibilities seriously. Now would be an appropriate time to review your current application processes, security measures, members’ consents and any contracts that trustees have in place with outsiders who process personal data on behalf of the scheme.
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.