
With the start of the staged timetable for connection to the pensions dashboard ecosystem upon us, we take a look at the steps trustees should be taking now to ensure that the process ends up being a leisurely jog (rather than a frantic sprint).
Overview of pensions dashboards
The purpose of pensions dashboards is to enable individuals to access their pensions information securely online, making it easier for them to understand their pensions and prepare for financial security in later life. For those who have participated in multiple arrangements during their lifetime, dashboards will, with some limitations, allow them to see all of their pension savings in one place.
The Money and Pensions Service (MaPS) will operate a non-commercial dashboard, with commercial providers also free to develop their own dashboards. All dashboards will connect to a single digital ecosystem.
For trustees the advent of pensions dashboards will mean having to comply with new legal obligations, including the initial connection to the ecosystem and subsequently dealing with the secure flow of data once dashboards go live for end users.
Key actions for trustees
Understanding your legal obligations
Timing of connection
The legal obligation to connect to the pensions dashboards ecosystem applies to all schemes with 100 or more "relevant members" (broadly active and deferred members) measured at the scheme year end falling between April 2023 and March 2024.
All schemes in scope must connect to the ecosystem by the statutory deadline of 31 October 2026, although the DWP has separately published a staging timetable setting out the expected "connect by" date depending on the scheme type and size. This staging timetable runs from 30 April 2025 to 30 September 2026.
You can check the staging date for your scheme here.
Data flows
Following the initial connection of schemes to the dashboards ecosystem, there will be a separate go-live date (to be decided by the Secretary of State) when the dashboard services will become publicly accessible.
Individuals will be able to log on and request their pensions information by entering prescribed details. Each scheme connected to the ecosystem will need to have its own "matching criteria" (in line with the legislative requirements and guidance) to identify positive, possible and negative matches.
Where positive matches are made, there will be a legal obligation to provide "view data" to the end user via the dashboard. This will include:
- "Value data" - broadly the accrued benefits and estimated benefits at retirement (with the specific requirements based on the type of scheme the trustees operate), and
- "Contextual information" including the date benefits are payable from, whether more than one retirement date is used to calculate benefits, spouse / civil partner pensions and whether benefits increase or decrease in payment.
Where possible matches are made, further identity verification will need to be undertaken by the scheme's administrator.
For trustees it will be important to ensure that the selection of the "matching criteria" is in line with the legal requirements and published guidance, so as to maximise the number of correct positive matches while minimising the risk of false negatives and of potential data breaches arising from incorrect information being provided to the wrong person.
Equally important will be the quality of the "view data" provided to the end user and ensuring that this reflects the benefits specified under the scheme rules.
Scope of members caught
Data will only need to be provided to the pensions dashboards in relation to positive matches for "relevant members". Broadly this covers active and deferred members of a scheme, but there are some nuances within the legislation for certain members who have flexibly accessed some of their benefits.
Trustees will need to exercise care and if necessary take legal advice to ensure that member data is not inadvertently excluded (or included).
Engagement with your scheme administrator
The role of the scheme administrator will be crucial to the success of the dashboard system, with trustees reliant on the scheme administrator for the IT infrastructure to connect (and maintain connection) with the ecosystem and its software and security protocols to securely transfer the relevant data.
Most scheme administrators will use an integrated service provider (ISP) to manage the find and view requests from end users. The ISP will be a sub-processor for data protection purposes.
Trustees will need to ensure not only that their contractual provisions with the scheme administrator are updated to cover dashboard-related services, but also that these services are conducted in line with the relevant legislation, guidance and dashboard standards. Care will need to be taken to ensure that appropriate contractual provisions are in place on data security, incident handling, business continuity and disaster recovery, monitoring, auditing and testing.
Trustees should also seek assurances from the scheme administrator as to the due diligence undertaken on the ISP (including its internal controls and data security measures in place) and ask to see the administrator's Data Protection Impact Assessment (DPIA) for dashboards.
Data readiness
Trustees will need to ensure the quality of the scheme data and its digital accessibility is aligned with the published dashboard data standards.
As part of this trustees may wish to undertake data improvement work, including conducting a benefit audit to check that current administrative practice reflects the rules governing the scheme in respect of:
- The contextual information that needs to be provided to end users
- Any complexity around different tranches of benefits (e.g. those with multiple Normal Retirement Dates), and
- Any complex cases (e.g. bridging pensions, offsets or where benefits are subject to an underpin).
Data protection
Alongside ensuring that they have appropriate contractual provisions in place on data security with their scheme administrator, trustees should:
- Prepare their own DPIA on dashboards, covering the main processing activities (including categories of data being processed and why) and assessing necessity and proportionality, confidentiality, integrity and key risks
- Update their privacy notice and related GDPR policies and their cyber security policy and incident response plan, and
- Update their risk register to factor in their risk assessment of dashboards.
Regulatory reporting, record keeping and maintenance
Trustees will need to understand both the reporting requirements (including coverage, service availability and view responses) from a regulatory perspective and the record keeping obligations (in relation to connection to the ecosystem, details of the matching criteria and capturing complaints). They will need to work with their scheme administrators to ensure that the correct reporting data is captured, reported and retained for the relevant period (broadly six years).
Trustees are also under an obligation to ensure that the scheme remains connected to the dashboard ecosystem in accordance with MaPS' code of connection. Appropriate measures will therefore need to be put in place with the scheme administrator to ensure continued compliance and functionality.
Member communications and engagement
Trustees should inform scheme members about dashboards, including:
- Which members will be able to view their details for the scheme (remembering that pensioners are not within scope)
- How dashboards may benefit members, and
- Any relevant limitations / caveats around the information provided.
Trustees may wish to update standard member communications (such as retirement approach letters and retirement quote letters) to include dashboard references where appropriate.
Trustees should also be prepared to receive significantly more requests from members when dashboards go live. In particular it is anticipated that a greater number of transfer quotations and requests may be received as a result of dashboards (with members potentially looking to consolidate their pension savings). Trustees should ensure that they have robust processes in place to deal with such an influx of requests.
Concluding comments
Trustees should be actively engaging with their scheme administrators to ensure that the correct steps are being taken now to comply with the dashboard requirements.
From a legal perspective it is imperative that trustees understand their legal obligations, contractual provisions are updated accordingly and steps are taken to ensure that the correct data is transmitted securely (with trustees assessing and recording the risks associated with this and taking appropriate action to mitigate such risks).
This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.