The DPA imposes eight principles that must be complied with by trustees (as Data Controllers) when processing personal data. The DPA sets out in detail further considerations and requirements relevant to each principle. For the purposes of this note we consider in more detail principle 7, which is of key consideration to pension scheme trustees, and recent developments to principle 8.
Personal data must be processed fairly and lawfully. Additional requirements need to be satisfied in respect of sensitive personal data for the processing of such data to be considered fair and lawful (see principle 7).
Personal data shall be obtained only for one or more specific and lawful purposes and shall not be processed in any manner incompatible with such purpose or purposes.
The personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
Personal data shall be accurate, and where necessary, kept up to date.
Personal data processed for any purpose or purposes shall not be kept for longer than necessary for that purpose or purposes.
Personal data shall be processed in accordance with the rights of the data subject under the DPA. The DPA includes a number of rights which apply to the data subject whose personal data is being processed. This includes the right, in certain circumstances, to be supplied with certain information regarding the processing of personal data, such as the purpose for which data is being processed and the recipient of that data.
Appropriate technical and organisational measures should be taken against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Pension scheme trustees who use external pension scheme administrators to run the pension scheme will remain responsible for ensuring that adequate security measures are taken in respect of the personal data. As a result, trustees should ensure that they comply with certain obligations when:
- choosing an administrator; and
- documenting the arrangements with the administrator.
When choosing a third party administrator to process personal data, trustees should ensure that the administrator provides sufficient guarantees in respect of the security measures governing the processing of the relevant data and that the security measures the administrator will implement in respect of the personal data are adequately documented. The trustees should ensure that the written contract they have with the administrator contains robust obligations on the administrator in respect of the personal data, including:
- an obligation that the administrator is only to act on instructions from the trustees;
- that it is to comply with obligations equivalent to those imposed on the trustees by the seventh principle of the DPA; and
- and that it is to implement and comply with an agreed security schedule that details the required security measures (this security schedule should be appended to the contract).
Similar considerations are likely to apply in the context of liability management exercises where the trustees may need to share information with employers.
If sensitive personal data is involved, trustees may well also need to obtain express consent from members.
Personal data shall not be transferred outside the European Economic Area unless the country to which it is transferred ensures an adequate level of protection for the rights and freedoms of the individuals who are the subjects of the relevant personal data.
Data Processors operating in the US used to be able to sign up to the safe harbour framework which allowed the companies to self-certify their adherence to a number of ‘Safe Harbor Principles’ which largely mirrored the EU’s own data protection principles. This automatically authorised these companies to accept data transfers from the EU. However, in Maximillian Schrems v Data Protection Commissioner Case C-362/14 the CJEU held that the US safe harbour rules no longer met EU standards (the DPA stemming from the principles enshrined in EU law). The ruling could have wide-reaching implications for pension schemes and it could, in particular, impact pension schemes with:
- US members;
- US parent companies or US group companies who manage the administration for all group pension arrangements; and
- third party administrators with servers in the US.
Pension scheme trustees should therefore review their agreements with scheme administrators to see if those agreements rely on the US safe harbour framework. For trustees relying on the US safe harbour framework, a replacement system of adequate protection (currently either EU model clause or binding corporate rules) will need to be considered and put in place promptly as enforcement action is planned to commence from the end of January 2016 against any entities who do not have adequate protection in place.
Please contact us if you require assistance in putting these alternative arrangements in place.