Eversheds Sutherland’s Lorna Doggett and Helen Tabiner detail how outsourcing data administration for pensions dashboards outside the UK is riddled with a series of compliance issues due to new legislation.
The Department for Work and Pensions published its response to its main dashboards consultation, issued in January, on July 14.
That consultation response confirmed DWP’s ambitious staging timetable, with only modest changes for the first two staging cohorts and for public service schemes.
The department also confirmed that it does not intend to expand the narrow criteria for allowing applications to defer a scheme’s staging deadline.
Schemes will need to outsource dashboards work
Preparing for connecting to the dashboards will require significant trustee resources and time. The tight timeframes and limited opportunities for extensions mean there is a lot of pressure on schemes and their third-party providers to be ready for staging dates.
The complexity of the dashboards’ requirements and the data handling and searching that will need to be done means that we expect the majority of schemes, including those with in-house administration functions, to outsource much of this work.
Worryingly, a recent survey conducted by the Pensions Regulator found that only 86 per cent of scheme administrators have heard of the dashboards (lower in relation to small administrators), and only 73 per cent were aware of the requirement to provide members with data through them.
These are alarming statistics for trustees, given the impending deadlines and their ultimate accountability for ensuring that their scheme is connected to the dashboards on time and remains dashboard-compliant after that.
While scheme administrators and integrated service providers start to focus on preparing for dashboards, trustees should not lose sight of some of the potential privacy pitfalls, in particular when revising or entering into new contracts with their third-party providers.
Outsourcing causes data compliance issues
If those providers process data outside the UK there will be extra compliance issues, as follows.
Currently, schemes need to ensure that members’ personal data transferred outside the UK will be kept properly secure and protected in the country to which it is transferred.
Since the European Economic Area has similar data protection laws to the UK, transfers to the EEA can happen without the need for a contractual transfer mechanism — however, some General Data Protection Regulation terms are still needed because the data is going to a processor or a controller, which is a separate requirement. For other countries, transfer mechanisms have always been needed.
From September 21 onwards, schemes starting new or materially changed transfers of data overseas — other than to an EEA country or to a country on the data protection adequacy list — will be required to use the new international transfer mechanisms published by the Information Commissioner’s Office.
The new mechanisms are a new international data transfer agreement and an addendum to the European Commission’s 2021 version of the standard contractual clauses for international data transfers.
If old overseas transfer terms continue to be used for these new transfers, this will breach UK data laws, which will carry the risk of ICO enforcement as well as compensation claims from members.
Schemes need to update data transfer terms
Although schemes which already transfer data overseas do not strictly need to change their terms to reflect the new transfer mechanisms until March 21 2024 — when they become mandatory for all transfers out of the UK under the UK GDPR — it is recommended that schemes look to update their overseas transfer terms sooner rather than later to reflect current standards of data protection law.
Additionally, in 2020, the European Court decided that a risk assessment needs to be carried out before the transfer of data, to assess whether the transfer mechanism still protects the data when considered with the laws of the country and the ability for state authorities to obtain data.
This assessment is required even when the new mechanisms are used. If the risk assessment concludes that the receiving country does not provide essentially equivalent protection, the trustees must consider supplemental measures, such as encryption.
The ICO has devised a tool to help with risk assessments, but these are not straightforward and many are struggling to get to grips with them.
Where risk assessments are not properly carried out, the risk for trustees could materialise if, for example, a trigger event causes the ICO (or TPR) to ask what protections were in place for the data, or a data breach or cyber attack leads to ICO reporting and investigation.
Lorna Doggett is a legal director and Helen Tabiner is a principal associate at Eversheds Sutherland