UK: UK Pension Scheme Trustees criticised after details of 100,000 individuals are stolen

Originally published 8 December 2009

Keywords: UK pension scheme, trustees, data protection act, DPA,

A UK pension scheme's corporate trustee has been found to be in breach of the Data Protection Act 1998 (the "DPA") after it reported the theft of a laptop computer containing the names, addresses, dates of birth, salaries and national insurance numbers of around 100,000 individuals.

The laptop was stolen from the company which supplied the Trustee's computerised pensions administration system. That company had a policy of only using an anonymised data sample for 50-100 pension scheme members. But in this case, and contrary to that policy, the personal data of 100,000 individuals was downloaded onto the laptop for training purposes.

The Trustee took remedial steps to protect members, and gave a formal undertaking that it would ensure that personal data would in future be processed in accordance with the DPA. As a result, the Information Commissioner agreed not to exercise his powers to serve an enforcement notice.

This case will be a reminder for trustees that they could be "named and shamed" by the Information Commissioner's Office if they, or their third-party administrators, breach their duty to comply with the DPA in processing personal data.

The Pensions Regulator's Guidance on Internal Controls (a revised version of which was published last week for consultation) means that trustees will already be conscious of the need for internal controls to manage risk. Scheme governance extends to third party administrators, and trustees will want to ensure that their suppliers have adequate controls in place to avoid any breach of their obligations under the DPA. Mayer Brown's IP/IT department is well placed to advise trustees on the best way to manage personal data, and on the controls that trustees should put in place to avoid a breach.

Visit us at www.mayerbrown.com.

Mayer Brown is a global legal services organization comprising legal practices that are separate entities ("Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; and JSM, a Hong Kong partnership, and its associated entities in Asia. The Mayer Brown Practices are known as Mayer Brown JSM in Asia.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.

Copyright 2008. Mayer Brown LLP, Mayer Brown International LLP, and/or JSM. All rights reserved.