This week's In Depth investigates how schemes and employers are safeguarding data, after a Scottish council was charged £250,000 when members' pension records were discovered in a supermarket recycling bank.
Data security has become a crucially important topic, particularly with the Information Commissioner’s Office showing a willingness to punish companies and organisations that allow lapses to occur. But recent data showed almost a quarter of schemes had not audited their data controls.
Four tips on data
Ensure you know what data you have and track it;
Implement sufficient technical security to protect places where data is stored;
Only provide access to data for people who need to see it, and establish levels of access where necessary;
Put in place written policies and conduct regular training sessions to raise awareness.
Last year, the ICO fined Scottish Borders Council £250,000 after former employees’ pension records were found in an overfilled paper recycling bank in a supermarket car park.
The council had employed an outside company to digitise the records but had failed to seek appropriate guarantees on how the personal data would be kept secure, the ICO found.
The incident provided a stark warning to schemes about the importance of carrying out their data duties thoroughly.
Nathan Gunn, associate at Squire Sanders, says: “It is therefore imperative trustees and companies who operate occupational pension schemes ensure they and their advisers have appropriate systems and security in place in order to safeguard the personal data that they hold, eg encrypted or anonymised data.”
Following the breach, Scottish Borders initiated an information management project to reinforce existing processes and procedures.
Tracey Logan, chief executive of the local authority, says: “This has involved reviewing and implementing improvement actions to strengthen our information governance and security arrangements – both internally and when arranging contracts and agreements with our suppliers and partners.”
As part of the project, it also launched a staff awareness campaign called Think Information in February, with the aim of supporting staff in their role of looking after data.
Managing your data risk
Some schemes could fall into a false sense of security if they have outsourced all or a large chunk of their administration to a third-party provider, and believe they do not have to worry too much about how that data is managed.
“We find that is particularly the case when schemes are outsourcing a lot of the administration to large administrators. They tend not to appreciate the full depth of the fact that they remain responsible for that data even when there is an outsourcing,” says Gayle McFarlane, associate at law firm Wragge & Co.
When outsourcing administrative processes, schemes could look at putting strong contractual and practical provisions in place to protect members.
“There is contractual stuff they need to negotiate in there, around security, but also around the ability to check provisions are being complied with, such as audit rights and that type of thing,” adds McFarlane.
Transferring data safely
There are also other important factors to consider, including the transfer of data overseas. If trustees are using a third party for administration, and that company is going to process information outside of the European Economic Area, an adequate level of protection has to be ensured.
The Information Commissioner's Office
The ICO is the UK’s independent public authority set up to uphold information rights;
It enforces and oversees the Data Protection Act 1998 and the Freedom of Information Act 2000, among other legislation;
In 2010 it was given new powers to issue fines of up to £500,000 to organisations responsible for serious data breaches.
Even schemes undertaking their administration in-house might need to think carefully about how their staff are trained, and whether they fully understand their duties.
This includes knowing what they can and cannot disclose, what computers they can use and what level of encryption needs to be in place.
While the general consensus is that awareness among trustees could be greatly improved, many employers and schemes already take their data protection duties seriously.
Jonathan Kirsop, partner at Stephenson Harwood, says one of its clients has a system in place that flags up any email attachments that are sent to personal email accounts.
“An alert gets sent to their information risk management department and they would investigate it and follow up with the individual and if necessary take disciplinary actions,” he says.
Human error is something that cannot be fully prevented, and Kirsop believes regulatory bodies do recognise this to a certain extent. But they are unlikely to show understanding if an entity does not have any due diligence processes in place at all.
“The organisational things you have in place are really important,” he adds. “These can be processes such as an incident-reporting procedure [and] training and controls as to how much data can be stored in one particular place, so that if there is a breach of any kind the damage is mitigated by minimising what is stored.”
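The attachment-flagging control Kirsop describes, written out as an added example that is not code from the article or from the client it mentions: the log format, the list of personal webmail domains and the sample log lines are all assumptions constructed for this illustration.

```python
import re
# Assumed list of consumer webmail domains treated as "personal" accounts.
PERSONAL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.co.uk", "outlook.com"}

# Assumed gateway log format (one message per line):
#   <timestamp> from=<addr> to=<addr> attachments=<n> subject="<text>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'attachments=(?P<count>\d+) subject="(?P<subject>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec

def is_personal(addr):
    """True if the address's domain is on the personal webmail list."""
    return addr.rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS

def scan(lines):
    """Alert on messages that carry attachments from a corporate sender
    to a personal address; malformed lines are skipped rather than fatal."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["count"] > 0 and is_personal(rec["rcpt"]) and not is_personal(rec["sender"]):
            alerts.append({"ts": rec["ts"], "sender": rec["sender"],
                           "rcpt": rec["rcpt"], "attachments": rec["count"]})
    return alerts

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '2013-05-01T09:12:03 from=a.smith@scheme.example to=b.jones@scheme.example attachments=1 subject="Q1 member list"',
    '2013-05-01T09:15:44 from=a.smith@scheme.example to=asmith1975@gmail.com attachments=2 subject="records to finish at home"',
    '2013-05-01T09:20:10 from=c.lee@scheme.example to=friend@hotmail.com attachments=0 subject="lunch?"',
    'garbage line that does not match the expected format',
    '2013-05-01T10:02:51 from=d.patel@scheme.example to=dpatel@yahoo.co.uk attachments=1 subject="spreadsheet"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ALERT {a['ts']}: {a['sender']} -> {a['rcpt']} ({a['attachments']} attachment(s))")
```

Each alert is the record an information risk team would pick up for follow-up with the individual; internal-to-internal mail and attachment-free messages produce nothing.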
Attitudes to data
A survey last year by data management company ITM revealed 22 per cent of pension schemes had not audited their systems' security and data protection framework, even though they believed such an audit should be a mandatory part of any risk management control.
A further 4 per cent of the 120 respondents said they had not done this because they did not think it was necessary. Data in general is one of the Pensions Regulator’s priorities, with it calling on schemes to get their data in order last year.
Schemes are expected to achieve 100 per cent accuracy in common data – such as name, address and date of birth – for member information created from the beginning of June 2010, and a 95 per cent standard for member data created before June 2010.
Encouraging a more organised mindset towards record-keeping could help highlight the importance of data security to schemes, although some may still have a long journey ahead.
“With trustees there is still quite a learning curve to go through with regards to data protection compliance,” says McFarlane. “There has got to be an education process around this to [help trustees] realise the level of responsibility that needs to be maintained.”