
Contributors: Sarah Holmes

Date published: 8 May 2026


A quick guide to new data protection complaints procedures for pension schemes

The Data (Use and Access) Act 2025 introduces a new requirement for data controllers to implement a data protection complaints procedure – and the deadline to do so is 19 June this year.

For trustees, this is primarily about ensuring that members have a clear route to raise concerns about how their personal data is handled, and that those concerns are dealt with appropriately and promptly.

This quick guide sets out the key actions trustees should take now to comply with the new requirements, taking into account guidance from the Information Commissioner’s Office (ICO) and the Pensions Administration Standards Association (PASA).

What trustees need to do

1. Put in place a complaints process for data protection issues

Trustees must provide members with a way to raise data protection complaints directly. There is no obligation to produce a separate process just for data protection complaints, and trustees may wish to incorporate this into their existing internal dispute resolution procedure (IDRP).

The process should cover complaints about handling of subject access requests; use or sharing of personal data; and data security arrangements.

2. Let members know

Data subjects must be informed that they can make a complaint to the trustees (or relevant data controller) and that they have the right to escalate complaints to the ICO if dissatisfied.

This information should be provided when data is collected (for example, in a scheme’s privacy notice) and in response to any subject access requests.

3. Ensure appropriate handling timescales and processes

Trustees should ensure their processes enable them to acknowledge complaints promptly (and in any event within 30 days), investigate without undue delay, and keep the complainant updated on progress.

Once the investigation is complete, trustees should communicate the outcome without unjustified or excessive delay and explain any next steps.

Trustees should also keep clear records of complaints, how they were investigated, the outcome and any action taken.

4. Align with administrators

Trustees should ensure that their administrator can identify and escalate data protection complaints appropriately, and that responsibilities for handling complaints are clearly documented.

The PASA guidance emphasises the importance of clear operational processes and coordination between trustees and administrators in handling data-related queries and complaints.

5. Be prepared to deal with parallel complaints

Where a complaint includes both data protection issues and wider concerns, trustees should be mindful of the handling timescales applying to each aspect of the complaint. Data protection aspects of complaints should be dealt with as soon as possible and should not be delayed while other elements of the complaint are being resolved.

Helpful tip: life assurance schemes and other trust-based arrangements

The new requirements will also apply to trustees, acting as data controllers, of other trust-based arrangements such as life assurance schemes. Unlike occupational pension schemes, these arrangements will not typically have an IDRP and therefore trustees will need to ensure that an appropriate complaints process is in place. This may be a standalone process or one that is clearly documented and signposted to data subjects (for example, in a privacy notice).

Find out more

The deadline is just a few weeks away, so if you would like to discuss any of these issues in more detail, or would like assistance updating privacy notices or internal complaint handling procedures, don’t hesitate to contact our specialist Pensions team.

 

This article was co-authored by Trainee Valentin Pyataev.


Expertise: Data Protection and Privacy, Pensions

