ITS's Janet Branagh argues fines of as much as £500,000 and even potential imprisonment should focus scheme trustees' minds on how to make sure their member data are properly protected, in the latest edition of Informed Comment.

Trustees are the data controller for the scheme and ultimately responsible for its compliance with the relevant data protection legislation. Breaches of that legislation could result in a fine of up to £500,000, imprisonment or both.


There are many advisers, guides and articles that advise trustees on what the relevant principles are, and many trustees believe in all good faith that they are compliant with those principles.

New administration contracts are negotiated to include detailed data protection requirements, and specific questions are asked of incoming administrators during beauty parades.

But what about the provisions in existing contracts that have been in place for years, that were set up when data protection was not so well codified or understood, and which no one sees the need to disturb?

What of the contracts that administrators have in place with their own third-party suppliers who will handle data, perhaps offshore, on the trustees’ behalf and which the trustee is not a party to? In many instances an administrator will only be a data processor with lower data protection obligations than the trustee.   

The reality is that trustees rarely handle member data themselves as a matter of course – aside from on specific member issues – generally leaving this task to their administrators.

This is a sensible approach in theory, as administrators are set up to deal with data in bulk and therefore should be aware of the data protection laws and have systems and controls in place to ensure they comply with those requirements.

Administrators in turn should ensure their own third-party providers have sufficient data protection safeguards in place, and that these safeguards are contractual.  

Monitoring third-party providers

With the contractual terms and systems and controls in place, the challenge is then to ensure they are used. Schemes should always ensure their advisers’ obligation to comply with the data protection requirements applies on an ongoing basis – generally a contractual issue – and that the requirements are complied with.

This should be relatively straightforward for the bulk processes that happen as a matter of course during the normal operation of the scheme, but what about the one-off requests?

A calculation requested on a one-off basis is sent off speedily, but it includes personal data. While the member and the trustee are appreciative of the fast turnaround time, unless strong process disciplines are in place and data security is an intrinsic part of the ethos of an organisation, situations such as this have the greatest potential for it all to go wrong and for data security to be forgotten.

The consequences for trustees who fail to meet the data security requirements can be onerous and not just financially – members are unlikely to be impressed with data security breaches. 

The Information Commissioner has teeth, and has demonstrated by taking action against pension scheme trustees in breach of data protection laws that it will use them.

In addition, requirements are currently being tightened at European level, and this will eventually filter down to UK legislation. What meets the rules now may not do so over the next few years. It is therefore imperative that trustees keep a watching brief on the changes.

Data security is crucial. It needs to be embedded in a scheme’s culture, not a box-ticking exercise that is not understood or taken seriously.

Checking that the data protection requirements in advisers’ contracts are adequate, reasonable and operated on an ongoing basis is a strong starting point.

But beyond this, trustees should also ensure advisers and their suppliers have a culture of caring about data protection that permeates the whole organisation, and apply data security measures at all times.

This would put trustees in a strong position to confirm they are not shirking their responsibilities and, most importantly, they will be able to assure members confidently that their personal data are secure.

Janet Branagh is a trust officer at Independent Trustee Services