Trustees and sponsoring employers of occupational pension schemes are getting to grips with the requirements of the EU's General Data Protection Regulation (GDPR), which will come into force on 25 May 2018.
In addition to the key changes that are being made to data protection law by the GDPR, trustees and employers are likely to come across a range of pensions-specific issues. Consideration will need to be given to the following areas:
Pension scheme trustees have access to the personal data of scheme members and beneficiaries, and will often have paper or electronic records which include such data. Former trustees (and former trustee directors) occasionally retain those records after leaving their trustee role. Once they have ceased to be a trustee (and arguably prior to stepping down), they will no longer have any basis for holding personal data relating to members and beneficiaries and should return or destroy this data. Some trustee boards have arrangements for ensuring that the necessary actions are taken when a trustee steps down, but if not this is something you may wish to put in place.
We recommend that trustee boards assess whether it is appropriate to contact former trustees, taking into account relevant factors such as how long ago the former trustee left the position and whether it will be possible to get in touch, however the approach taken should be proportionate.
Once contact is made, we suggest that a conversation is held to establish what records the former trustee has and how this issue can be addressed – it is not sufficient to simply ask the former trustee to destroy all the records held, as destruction of personal data is itself a form of "processing" for the purposes of the GDPR. The actions to be taken will depend on the nature and format of the data held by each former trustee.
Relationship with the sponsoring employer
Some personal data will normally be shared by the trustees with the scheme's sponsoring employer or vice versa, for example, where the employer's HR team liaises with the trustees to deal with a death in service. In our experience, such data-sharing arrangements may not be formally documented.
To ensure that personal data relating to the pension scheme is treated appropriately and that the GDPR's requirements are met, we recommend putting in place a protocol, policy or agreement which formally documents the ways in which personal data will be shared between the trustees and the sponsoring employer. The level of detail and the format of the document will depend on the nature of the existing relationship and the extent to which data is shared.
On a similar but separate note, the nature of the trustees' relationship with the employer will influence the trustees' approach to complying with the GDPR. Where there is a lot of interaction, it may be appropriate for the trustees to "piggy-back" on the employer's GDPR compliance exercise, for example, using the employer's data protection policies as a starting point for the trustees' own policies. Other schemes will have employers which are more distant from the day-to-day running of the scheme, in which case the trustees are likely to have to carry out a more detailed exercise themselves. We would encourage all trustees and sponsoring employers who have not already done so to consider whether their GDPR compliance exercise would be assisted by liaising with the other party.
Sharing personal data by email
Pension scheme trustees who are not employees of the sponsoring employer are likely to use their personal email addresses in connection with their trustee role, or may even use a work email address relating to their employment with an unconnected company. Those addresses may not be sufficiently secure to ensure that scheme personal data is appropriately protected. In particular, emails sent and received by personal accounts may well be sent and/or stored outside the European Economic Area, meaning that special (more stringent) rules apply to any personal data contained in them.
Those trustees who do work for the sponsoring employer and use a work email address should take steps to ensure that other employees who are not involved in trustee work cannot access any personal data relating to the scheme (for example, by saving relevant emails into a private folder rather than one with firm-wide access).
The risk around security of data sent by email can be reduced by using a secure data-sharing site. There are plenty available; we offer a secure data site tool to clients, which can be used to store and share scheme documents and data, as well as providing a platform for discussions about scheme-related matters such as trustee decisions about exercise of discretions.
And a few more areas to consider…
As well as the pensions-specific issues discussed above, trustees and employers will need to take the same steps as all data controllers in order to ensure compliance with the GDPR. There are too many to mention here, but some of the key actions to be taken in time for 25 May are as follows:
- Ensure that all third party contracts are GDPR-proof – this includes contracts with administrators, actuaries, scheme secretaries, legal advisers, insurance companies (for example, in relation to AVC policies or buy-ins/buy-outs), investment consultants, auditors and liability management advisers.
- Provide scheme members and beneficiaries with easy access to an appropriate privacy notice – maybe by circulating a member communication with a link to the document or contact details for someone who can provide it. Note that the privacy notice should be a living document and revisions should be communicated to anyone whose personal data is held by the trustees or employer (as applicable).
- Make sure that arrangements are in place for dealing with data subject requests (known as subject access requests under the pre-GDPR data protection regime). This may be dealt with by scheme administrators or scheme secretaries, but trustees and employers will need to check what role they will have in responding to such requests and ensure that they have suitable policies and protocols.