Any other business: Hillary Clinton found herself in hot water recently over use of a private email account during her tenure as US secretary of state. The breach of White House data protocols ignited criticism.

Pension scheme trustees can learn from the former first lady’s mistakes when handling sensitive member data.

They have been urged to review the requirements of the Data Protection Act 1998 and to ensure contracts with third-party administrators result in compliant data processing.

Monica Cope, managing director at scheme data specialist Veratta, identified a number of administration scenarios that pose significant risks to the security of member data.

“Are [trustees] informed every time a laptop with their scheme information is mislaid? If data is accessed on a mobile device, how are they protected?” she said.

“Are administrators able to wipe mislaid devices and has the information been encrypted? There are so many questions that trustees need to be asking.”

Under the act, trustees are defined as data controllers and are responsible for ensuring all data handling is compliant.

That responsibility extends across all third-party data processors including administrators, providers and employer sponsors.

Failure to effectively pass down these obligations through third-party contracts could leave trustees vulnerable to the serious consequences of a data breach.

Wendy Hunter, partner at law firm Squire Patton Boggs, said: “Trustees have to have a written contract with whomsoever they give access to data.

“There’s a difference between having a written contract that covers the minimum you can say and having a contract that makes it easier to operate.”

Hunter said trustees should ensure due diligence across all contracts even in scenarios where schemes use in-house administrators.

“Best practice… is to recognise that these individuals are providing a service on behalf of the employer and, therefore, there ought to be a contract in place setting out how that’s going to be done, including how the data is going to be kept secure.”

Members must consent to the release of personal data to third parties, which can present a significant task to larger schemes with a high number of pensioner members.

Lesley Browning, partner at law firm Norton Rose Fulbright, said: “In a big scheme it’s often very difficult to tell what members have consented to, because the applications that they joined the scheme with were… signed years previously and are probably disparate.”

Prepping for an exercise

In terms of how member data is shared with employers, Katy Harries, associate at law firm Sackers, said trustees would need to be prepared to put additional contracts in place, particularly in the event of a pension increase exchange exercise or merger by the employer.

“You would need to let the members know that you are going to share the data or anonymise data where you can,” said Harries. “Quite often you do need to have extra steps in place.”

Trustees also need to keep abreast of changes to the data act.

Keith Webster, partner at law firm CMS, said many schemes’ fair processing notices could be out of date due to a recent change to legislation by the Information Commissioner.

Schemes would have first sent fair processing notices out in 1998 or 1999 when the Data Protection Act came into force. He said it was unlikely these would have been reviewed since then.

“The information commissioner is trying to extend the view as to who is a data controller, and in particular saying scheme actuaries are data controllers as well as trustees,” said Webster.

“Those notices may not have been wide enough to cover the use of the data by the scheme actuary,” he added.