A quick guide to data protection for pension schemes

Not only are 21st century trustees looking after members’ pensions – they’re also looking after members data. 

With data protection being a growing risk area, it's vital that trustees ensure that their pension schemes are fully compliant with data protection laws. 

Our new quick guide sets out three steps by which trustees can ensure data protection success when dealing with personal data in a pensions context.  

23rd September 2022

Many say that data is the ‘new natural resource’, the resource that drives all aspects of the 21st century economy. Indeed, as Jeff Weiner, the former CEO of LinkedIn famously stated: "Data really powers everything that we do".  

Nowhere is this statement truer than in pensions, which runs on data of a personal nature. Dates of birth, employment histories, NI numbers, bank details – pension schemes’ data reserves are ever-growing, and making sure they are handled properly is a core part of running any scheme. 

Below we have detailed three steps that trustees and pension managers can follow to ensure success when it comes to data protection.

Step 1: Know the law

GMP, anti-franking, equalisation – the pensions industry is used to dealing with jargon, and the world of personal data is no different. Data controllers, psuedonymisation, impact assessments – it is easy to feel overwhelmed, and the best starting point is making sure you understand what the law requires you to do.

Post-Brexit, the most important pieces of data protection legislation for UK pension schemes are:

  • The ‘UK GDPR’, the UK version of EU General Data Protection Regulation 2018; and
  • The Data Protection Act 2018, which supplements the UK GDPR.

Guidance on data protection is also published by the UK data protection regulator, the Information Commissioner’s Office (the ICO).

Most pension schemes will be data controllers when it comes to personal data. This means the trustees or managers are responsible for deciding how personal data is used, and for what purpose. Data protection legislation sets out six principles that all controllers must follow:

  1. Data must be processed lawfully, fairly and transparently. This includes giving data subjects a privacy notice;
  2. Data must be collected and used for a specific, legitimate purpose;
  3. The use of data must be minimised as much as possible;
  4. Trustees and managers must ensure that data is accurate;
  5. Data must be processed in a way that ensures it is kept secure;
  6. Trustees and managers have to keep records to show they are meeting their obligations. 

Many of these duties sit alongside existing pensions obligations e.g. ensuring member data is accurate. 

Step 2: Know what you have, and how you use it

Once you know what the law says, the next step for trustees and managers is to make sure you know what personal data you hold, and how it is being used in practice. This is most easily done by ‘data mapping’ how data is shared both inside and outside the scheme. Some key tips for success include:

  • Making sure you understand who you hold data about (members, beneficiaries, advisers), the kinds of data you hold (names, addresses, work histories), and who you share the data with (advisers, employers, third parties).
  • Data must be shared securely and only for legitimate purposes, and data mapping will help you make sure this is the case. The Scheme administrator will often act as the ‘conduit’ for all data flows, so their input and support is key.
  • Where data is being shared, it is important to that appropriate contractual protections are in place, and that you are aware of any data that is being shared outside of the UK (for example, to ‘off-shore’ data centres). 

Most data will be shared with a schemes professional advisers – administrators, actuaries, lawyers etc. – who have their own data protection obligations and might already have carried out some of the work for you.  

A common area where data sharing protections might be less rigorous is data shared to or from a sponsoring employer, so it is important that this is not overlooked. 

Step 3: Have a plan for when it all goes wrong

Like all things in life, mistakes in are inevitable when it comes to dealing with personal data. The UK GDPR defines a personal data breach as any breach of security that leads to any accidental or deliberate loss, alteration or access to personal data. This can cover everything from sending a benefit statement to the wrong address, all the way to sophisticated ransomware attacks on data records.

Depending on the nature of a data breach, trustees and managers are required to notify the ICO – and, in certain circumstances, members themselves – of a breach within 72 hours. It is therefore crucial to work out a data breach response plan in advance, covering:

  • Who trustees and advisers should contact if a breach has occurred;
  • Who will investigate and deal with the breach – often a sub-committee of trustees with adviser support ensures a quick response – and report to the ICO and members if required; and
  • Record keeping – details of all breaches (including those which are reported) should be held on file. 

And finally: Refining your approach

Once you’ve got to grips with it, it is important that you keep your approach to data protection under review. A common pitfall is to prepare excellent policies and then put them in a drawer and forget about them! 

Regular reviews of data processing – for example, as an annual standing item at Trustee meetings – will help ensure you are up to date with the latest requirements.