Question:
"We are pension scheme trustees and use a third party (professional) administrator. Does that mean that we, as trustees, have no responsibility for complying with data protection law?"

Answer:
No!

A common misconception among pension scheme trustees is that once they employ a third party administrator, it is the administrator’s responsibility to deal with all aspects of pension scheme administration, including complying with data protection law requirements.

The Information Commissioner’s new Good Practice Note aims to clarify this situation and sets out the steps that trustees must take to comply with the Data Protection Act 1998 ("the Act"), which includes notification.

Notification is straightforward, and there is an easy-to-follow, step-by-step on-line process (http://www.informationcommissioner.gov.uk). Notification costs £35.00 and must be renewed annually.

Pension scheme trustees are ultimately responsible for the processing of personal data within their pension scheme and, as such, all processing of personal data covered by the Act should be notified to the Information Commissioner. In addition, personal data should always be processed having regard to the eight data protection principles specified under the Act.

Personal data must be kept secure at all times: this means that trustees must ensure that information passed to their administrator is kept safe. It is imperative that this be specified in a written contract (often called a data transfer agreement) between the trustees and the administrator. Written contracts should also specify that the administrator must process personal data only in accordance with the trustees’ instructions, and should set out how, and within what time limits, subject access requests are to be dealt with.

In his Good Practice Note, the Information Commissioner gives the following tips to pension scheme trustees:

  1. Check notification annually.
  2. Have a contract with the administrator that clearly lays down what their and the trustees’ responsibilities are.
  3. Check how the administrator’s security is working.
  4. Lay down clearly how to deal with requests for information from scheme members (or their agents) and anyone else.
  5. Make arrangements for the return of the information when the contract ends and provide for any future access that may be necessary.

His recommendations are clear and practical and will assist trustees in their compliance with the Act.

The guidance is particularly helpful in light of the Knowledge and Understanding requirements of the Pensions Act 2004, which apply to trustees from April 2006. Trustees will require to understand, among other things, the impact of legislation, such as the Act, on the running of pension schemes and the provision of retirement benefits. Trustees should be aware that, while the requirements of the Pensions Act do not apply yet, they already require to comply with the Act.

It may be appropriate to have a review of your pension scheme arrangements in relation to data protection and MacRoberts is well-placed to assist you in that process.

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Readers should not act on the basis of the information in this article without taking appropriate professional advice upon their own particular circumstances.

© MacRoberts 2006