data protection – GDPR for pension schemes
by
Roderick Ramage BSc(Econ), solicitor
first published by distribution to professional contacts on 16 March 2018, most recently updated 21 March 2018
DISCLAIMER
This article is not advice to any person and may not be taken as a definitive statement of the law in general or in any particular case. The author does not accept any responsibility for anything that any person does or does not do as a result of reading it.
guidance note
for the trustees of pension and death in service schemes
This note aims to draw the trustees’ attention to matters which they need to consider. It is short and simplified and should be read in conjunction with the guidance on the Information Commissioner’s Office’s website at https://ico.org.uk.
introduction
The EU General Data Protection Regulation (GDPR) will come into force on 25 May 2018 with no transitional period. It applies automatically in all EU member states, will remain in force if the UK leaves the European Union and will be supplemented by a new Data Protection Act replacing the Data Protection Act 1998. The main effects of the GDPR are:
(a) the existing data protection law will continue, but strengthened;
(b) individuals will have increased rights; and
(c) penalties for infringement will be increased.
who is responsible?
The GDPR defines two categories of persons responsible for compliance, who are “Controllers” and “Processors”. The trustees of a pension scheme are the controllers, who determine the purpose and means of processing personal data. The actuary and administrators are processors, as they process personal data for the trustees, as employers are likely to be, even if only to provide data about pay and contributions. The trustees must establish what data is collected, held and processed, for what purpose, by whom and how, and must establish and maintain records of their system to ensure compliance with the law.
what must trustees do?
Trustees must:
(a) analyse what personal data they need to, and actually do, collect, hold and process, how and where the data flows and who processes it;
(b) establish who holds and processes data and establish procedures for themselves and with their processors, employers and suppliers (eg insurers) to ensure compliance with the law; and
(c) prepare a privacy statement and circulate it to scheme members and known beneficiaries.
what is personal data?
In pension schemes the data subjects are the members of the scheme and their dependants, including any persons who will or might become beneficiaries of the scheme on a member’s death. The personal data held by a pension scheme about each data subject is likely to consist of some or all of the following information:
(a) full name and address;
(b) dates of birth, of the start and end of marriage and other relevant relationships with dependants, and of death;
(c) dates of the start and end of membership of the scheme, including any breaks in membership;
(d) dates of the start and end of any employments or offices on which the payment of contributions to or benefits by the scheme is conditional, including any breaks in the employments or offices;
(e) the amounts of all remuneration paid in respect of those employments or offices;
(f) the amounts of contributions paid to the scheme, the amounts of transfers made from other pension schemes to the scheme and by the scheme to other pension schemes, and the amounts of benefits paid by the scheme;
(g) tax & PAYE details;
(h) bank details;
(i) the names, addresses and relationship to the data subject of every person who is a dependant;
(j) expressions of wishes for the application of lump sums payable on death;
(k) rights in other pension schemes, but only so far as relevant to taxation in respect of pension benefits; and
(l) state of health, but only so far as relevant to the payment of benefits, including eligibility for insured benefits.
why is personal data held and processed?
Pension schemes need to collect and process personal data in order to calculate and pay the benefits to data subjects, to make and receive transfers and to estimate the amounts of contributions to be collected in order to be able to pay and continue to pay benefits. It is necessary to retain personal data about each data subject for as long as benefits are payable and for as long as any person with a claim for benefits from the scheme would be legally capable of making a claim.
members’ rights
Pension scheme members and their dependants, as data subjects, have the following rights, as listed by the Information Commissioner, which will need to be explained in the privacy statement: to be informed; of access; to rectification; to erasure; to restrict processing; to data portability; to object; and not to be subject to automated decision-making, including profiling.
consent or not?
Trustees must decide the ground on which they process personal data. Grounds on which processing is legitimate include:
(a) the data subject’s consent, which must be freely given, specific, informed and unambiguous and cannot be inferred, but can be withdrawn;
(b) that processing is necessary for compliance with a legal obligation; and
(c) that processing is necessary for the purposes of the legitimate interests pursued by the controller.
It is unlikely that pension scheme trustees can now rely safely on consent, because a refusal or withdrawal of consent would make it impossible to administer the scheme. Therefore, it is likely that the ground will be that processing is necessary under either or both of (b) and (c).
END 16/03/18
copyright Roderick Ramage