The recent cyber-attack which affected the NHS created significant problems for a number of NHS Trusts and patients and also caused widespread disruption to many other organisations in 150 countries. The cyber-attack was a ransomware attack, where files on a computer are encrypted, leaving data inaccessible until a sum of money is paid to the perpetrators.
This is only one of many cyber-attacks we have seen in recent years. For example, telecoms company TalkTalk had its systems compromised by hackers in 2015 when the personal data of over 150,000 customers was accessed. TalkTalk was fined £400,000 by the Information Commissioner's Office (ICO) for security failings that allowed the attack to occur. 
In June 2017, the Pensions Regulator (TPR) admitted that it had been subject to a partially successful ransomware attack during the past three financial years. However, it has also blocked over 40,000 other attempts.
TPR has identified cybercrime as a key emerging risk area for pension schemes. In this article we recap on trustees' responsibilities in relation to protecting scheme data and anticipate the introduction of new data protection requirements in April 2018.

Trustees' responsibilities 

Because part of the role of a pension scheme trustee is to handle the personal data of members of the scheme, trustees are classed as data controllers under the Data Protection Act 1998 (DPA) and will generally need to have registered with the ICO to this effect. The personal data of members is essential in the running of a scheme and in calculating and paying benefits, so collecting and storing data cannot be avoided. However, trustees must ensure that they comply with the eight key principles outlined in the DPA to protect members and their personal information.
These key principles state that personal data must be: 
  • Fairly and lawfully processed
This usually involves members giving their consent for their personal data to be used. The processing of this data must be necessary for the performance of a contract, compliance with a legal obligation, or necessary for the data controller or third party to whom it is disclosed.
  • Processed for a specified and lawful purpose
Members must be told about how their data is going to be processed and what the data will be used for. It is the scheme trustees who are responsible for communicating this information clearly to members. 
  • Adequate, relevant and not excessive in relation to the purpose for which it is processed
Trustees must make sure that, when asking for members' data, only information that is necessary for the purpose is collected. Periodic data audits should also be carried out to ensure that no irrelevant personal data is being held.
  • Accurate and up to date
Trustees must ensure that all data being held about members is accurate and up to date. This links to the trustees' responsibility to continually maintain the quality of scheme record-keeping in line with TPR's guidance and expectations.
  • Not kept for longer than necessary
This ties in with the third principle above - trustees must periodically consider whether particular records need to be retained for the purposes of the scheme whilst observing any legal data protection timescales. 
  • Processed in line with the rights of the individual
Under the DPA, individuals have certain rights in relation to their personal data including the right to access this data and the right to prevent it being used in certain ways (such as for marketing purposes). Trustees must ensure that the wishes of the individuals to whom the data relates are fulfilled in line with their rights under the Act. 
  • Kept secure
Trustees must make sure that appropriate measures and internal controls are put in place to keep member data secure and these should be reviewed periodically to ensure they meet the required standards. Where a data controller decides to appoint a data processor (for example, the trustees appoint a scheme administrator) they should check that a similar obligation is placed on the data processor.
  • Not transferred outside the EEA unless this information is adequately protected
Personal data of members may only be transferred outside the European Economic Area (EEA) where the receiving country or territory ensures an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of personal data. 

TPR's expectations 

TPR stresses the importance of holding complete and accurate member data securely. TPR's record-keeping guidance requires trustees to regularly check scheme data to ensure that the correct data is stored. If member data essential to the running of the scheme is missing or of poor quality, trustees have to put in place an improvement plan. From next year, some schemes will need to report their record-keeping scores to TPR via their scheme return.
The Regulator also expects trustees to review how data is being stored and whether a better method is available (such as converting paper records into electronic records). Trustees must also be confident that the correct internal controls are in place to ensure the security of member data, including controls to protect against cybersecurity threats. For example, administrators should:
  • demonstrate the measures they have in place to avoid any security breaches, including cyber-attacks, and data losses;
  • have a plan for dealing with security breaches/data losses; and
  • keep the trustees informed of any breaches/losses that occur.

The European General Data Protection Regulation 

New data protection regulations will come into force on 25 May 2018. The General Data Protection Regulation (GDPR) will repeal and update the EU Data Protection Directive. The Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
Many of the GDPR’s main concepts and principles are much the same as those in the current DPA, but there are new elements and significant enhancements. These include, for example, enhanced rights for individuals, a requirement that the consent of the individual involves affirmative action, a requirement to notify data security breaches without undue delay, and significantly increased maximum fines for breaches.
Whilst there is limited scope for flexibility in applying the GDPR, it does contain derogations where the Government can exercise discretion over how the provisions apply. The Government issued a consultation on these derogations which closed on 10 May 2017. 
In our next newsletter, when we hope to have more detail, we will look at what the GDPR will mean for pension schemes and the actions that trustees should be taking in readiness for its introduction.