Data Protection Day – a Time for Reflection
Today, 28 January, is international “data protection day” (as explained on Wikipedia). Its purpose is to raise awareness and promote privacy and data protection best practice; there is no suggestion that organisations (including pension schemes) can ignore data protection the other 364 days of the year!
Here in the UK, many clients will remember the rush to get their pension schemes compliant with the EU’s General Data Protection Regulation (GDPR) back in 2018. But, like the pensions industry itself, data protection is a fast-moving legal and regulatory area. Since then we have seen the introduction of the Data Protection Act 2018; the adoption of the UK’s own version of the GDPR following Brexit; the Information Commissioner’s Office’s (ICO) new Code of Practice on data sharing; court cases affecting privacy notices and international data transfers; a growing awareness of data privacy issues, meaning pension scheme members are increasingly cautious about the use of their personal data and streetwise about their rights; and a UK government consultation on an overhaul of the data protection regime. What’s more, both the ICO and The Pensions Regulator (TPR) say data protection should be regularly reviewed, and the ICO can fine up to £17.5 million or 4% of global annual turnover (whichever is higher) for the most serious cases of non-compliance. So what does data protection day 2022 mean for UK pension schemes? If you have not done so already, it’s a timely reminder to review your scheme’s data protection status. Here are four key issues to follow up on.
Refresh your data protection documents
Your key compliance documents will be your data mapping records, privacy notice, data protection policy and data breach response plan. It is likely that the ICO will look at these if it investigates a breach involving your scheme. Documents put in place in 2018 are now out of date.
Protect your data sharing
Many schemes did not put in place data sharing agreements in 2018, notably with the scheme sponsor(s) or subsequently with other third parties like bulk annuity providers or master trusts. The ICO Code of Practice emphasises the importance of adopting data sharing agreements where a controller (such as a pension scheme trustee) shares personal data with another controller, and makes it clear that such arrangements should be reviewed regularly (see also 4 below).
Review your international data transfers
Your 2018 data mapping project will hopefully have captured known data flows outside of the EEA (typically via scheme advisers, service providers or corporate sponsors). This information, and the ongoing practices of third parties handling personal data relating to the scheme, should now be reviewed by reference to data flows outside the UK (as well as the EEA) so that those transfers can be appropriately protected. When checking whether the protections currently in place meet the standards set by the relevant data protection legislation, bear in mind that the Schrems II judgment of the Court of Justice of the European Union ruled that additional assessments must be carried out before the most common transfer mechanisms (standard contractual clauses and binding corporate rules) can be relied on. Note that the ICO is also consulting on new international data transfer agreements and arrangements. When these proposals come into effect, many pension scheme trustees and their providers will have to update their procedures and documentation concerning personal data transferred outside the UK (including where personal data is held within the UK but accessed from outside the UK, which also counts as a transfer).
Data protection “by design and default”
There is no change here – just a reminder that data protection needs to be front and centre of all scheme activity. Examples of actions that should be incorporated into pension scheme project plans, or built into regular reviews of scheme governance (but which may too easily be overlooked in practice), include:
Carrying out a data protection impact assessment before personal data relating to the scheme is used in a new way, for example, shared with an annuity provider or master trust or provided to a new service provider to assist with a project such as Guaranteed Minimum Pension equalisation.
Ensuring that where there is a change in trustee or trustee director, personal data is adequately protected and there is a secure hand over of any personal data relating to the scheme.
Providing “refresher” training on data protection to ensure that the pension scheme trustees keep pace with the changes.
Ensuring that data subject access processes are properly designed and tested (there is a big surge in these requests across the industry).
If you are reading this, especially if you are reading it on data protection day, now would be a great time to put data protection on the agenda for your next trustee meeting.