data protection – GDPR for pension schemes
by Roderick Ramage BSc(Econ), solicitor
first published by distribution to professional contacts on 16 March 2018, most recently updated 21 March 2018
This article is not advice to any person and may not be taken as a definitive statement of the law in general or in any particular case. The author does not accept any responsibility for anything that any person does or does not do as a result of reading it.
for the trustees of pension and death in service schemes
This note aims to draw the trustees’ attention to matters which they need to consider. It is short and simplified and should be read in conjunction with the guidance on the Information Commissioner’s Office’s website at https://ico.org.uk.
The EU General Data Protection Regulation (GDPR) will come into force on 25 May 2018 with no transitional period. It applies automatically in all EU member states, will remain in force if the UK leaves the European Union and will be supplemented by a new Data Protection Act replacing the Data Protection Act 1998. The main effects of the GDPR are:
(a) the existing data protection law will continue, but strengthened;
(b) individuals will have increased rights; and
(c) penalties for infringement will be increased.
who is responsible?
The GDPR defines two categories of persons responsible for compliance, who are “Controllers” and “Processors”. The trustees of a pension scheme are the controllers, who determine the purpose and means of processing personal data. The actuary and administrators are processors, as they process personal data for the trustees, as employers are likely to be, even if only to provide data about pay and contributions. The trustees must establish what data is collected, held and processed, for what purpose, by whom and how, and must establish and maintain records of their system to ensure compliance with the law.
what must trustees do?
(a) analyse what personal data they need to and actually collect, hold and process, how and where the data flows and who processes it;
(b) establish who holds and processes data and establish procedures for themselves and with their processors, employers and suppliers (eg insurers) to ensure compliance with the law; and
(c) prepare a privacy statement and circulate it to scheme members and known beneficiaries.
what is personal data?
In pension schemes data subjects are the members of the scheme and their dependants, including any persons, who will or might become beneficiaries of the scheme on a member’s death. The personal data held by a pension scheme about each data subject is likely to consist of some or all the following information:
(a) full name and address;
(b) dates of birth, the start and end of marriage and other relevant relationships with dependants and death;
(c) dates of the start and end of membership of the scheme including any breaks in membership;
(d) dates of the start and end of any employments or offices on which the payment of contributions to or benefits by the scheme is conditional, including any breaks in the employments or offices;
(e) the amounts of all remuneration paid in respect of those employments or offices;
(f) the amounts of contributions paid to the scheme, the amounts of transfers made from other pension schemes to the scheme and by the scheme to other pension schemes, the amounts of benefits paid by the scheme;
(g) tax & PAYE details;
(h) bank details;
(i) the names, addresses and relationship to the data subject of every person who is a dependant;
(j) expressions of wishes for the application of lump sums payable on death;
(k) rights in other pension schemes, but only so far as relevant to taxation in respect of pension benefits; and
(l) state of health, but only so far as relevant to the payment of benefits, including eligibility for insured benefits.
why is personal data held and processed?
Pension schemes need to collect and process personal data in order to calculate and pay the benefits to data subjects, to make and receive transfers and to estimate the amounts of contributions to be collected in order to be able to pay and continue to pay benefits. It is necessary to retain personal data about each data subject for as long as benefits are payable and for as long as any person with a claim for benefits from the scheme would be legally capable of making a claim.
Pension scheme members and their dependants, as data subjects, have the following rights, as listed by the Information Commissioner, which will need to be explained in the privacy statement: to be informed; of access; to rectification; to erasure; to restrict processing; to data portability; to object; and not to be subject to automated decision-making including profiling.
consent or not?
Trustees must decide the ground on which they process personal data. Grounds on which processing is legitimate include:
(a) the data subject’s consent, which must be freely given, specific, informed and unambiguous and cannot be inferred, but can be withdrawn;
(b) that processing is necessary for compliance with a legal obligation; and
(c) that processing is necessary for the purposes of the legitimate interests pursued by the controller.
It is unlikely that pension scheme trustees can now rely safely on consent, because a refusal or withdrawal of consent would make it impossible to administer the scheme. Therefore, it is likely that the ground will be that processing is necessary under either or both of (b) and (c).
copyright Roderick Ramage