Data protection has become an increasingly important issue in pensions, brought into the spotlight again in light of recent high-profile data breaches, including an attack on Capita. Ensuring that personal information is secure and that privacy rights are protected is not only important for individual members, but also for the long-term health and reputation of pension schemes. We explore the importance of data protection in pensions, the legal obligations of pension schemes and some tips for compliance.

The Capita Attack

The attack on Capita was made public in March 2023 with data appearing on the dark web containing sensitive information such as home addresses and passport images. Capita is the largest UK outsourcing company and administers pension fund payments for more than 4 million individuals. Whilst the full extent of the attack is not clear, the Pensions Regulator has reportedly written to hundreds of pensions schemes which use Capita for administration urging pension trustees to determine whether there is a risk that their scheme's data could have been caught up in the breach. Pension funds have also warned savers to stay vigilant and watch out for hackers who might try to exploit any stolen data. The incident highlights the importance of adhering to General Data Protection Regulation (GDPR) to ensure that personal data is protected when transferred to third-party service providers.

Legal Obligations of Pension Schemes

Pension schemes in the UK have a range of legal obligations when it comes to data protection. In addition to compliance with specific law regulating data protection, trustees of pension schemes also have a fiduciary duty to act in the best interests of their members - which includes protecting their personal information from harm.

The Data Protection Act 2018 (DPA) and GDPR set out specific requirements for the handling of personal data. Under these laws, pension schemes and trustees must ensure that personal data is processed lawfully, fairly, and transparently. This includes obtaining explicit consent from members before collecting or using their personal information. The DPA and GDPR also require pension schemes and trustees to put appropriate technical and organisational measures in place to secure of personal data.

The Risks of Non-Compliance

Non-compliance with data protection laws can pose significant risks for pension schemes in the UK. These risks include financial penalties, legal action, and damage to reputation and member trust. The Information Commissioner's Office (ICO) has the power to impose significant fines for serious breaches, they can fine up to £17,500,000 or 4% of annual turnover, whichever is higher (although, we understand it is not likely that a pension employer group's turnover would be deemed relevant for trustee breaches). Pension schemes could also be held liable for damages if members suffer harm. This could result in significant costs, including legal fees and potential damages.

A data breach or other violation of data protection laws may also lead to negative media coverage and public scrutiny, which can damage a pension scheme's reputation and erode members' trust. Loss of trust can have long-lasting effects on a pension scheme's sustainability, as members may be less likely to contribute to the scheme or may choose to withdraw their funds.

Tips for Compliance

To ensure compliance with data protection laws, pension schemes and trustees should take a proactive approach to data protection. Schemes should implement appropriate security measures and monitor data processors. Trustees should receive formal training on data protection and conduct regular risk assessments. They should also take steps to protect personal data, such as not using personal email addresses for trustee business, encrypting data on mobile devices, and checking email addresses before sending. There should also be a clear procedure for reporting data breaches to the governing body, regulators, and the ICO. By prioritising data protection and staying up-to-date with relevant laws and regulations, pension schemes and trustees can protect their members' privacy rights and ensure the long-term sustainability of their schemes.

Conclusion

Data protection is an essential part of pension scheme management and must be taken seriously by all stakeholders. Pension schemes have a duty to ensure that personal information is kept secure and that members are informed in the event of a data breach. By complying with GDPR and other data protection laws, pension schemes can protect the privacy rights of their members, avoid reputational damage, and ensure the long-term sustainability of their schemes.

If you would like to discuss anything raised by this blog, please get in touch with a member of the team.

To learn about the latest developments in data protection law, view the latest update from our IP, technology, and data protection team here  .

Contributors

Maureen Burns

Senior Associate

Juliet Bayne

Partner

Sarah Keir

Solicitor