PART 4 – Ho! Ho! Ho! Hope you’ve reviewed your subject access request policies in time for Christmas!
07 / 12 / 2020
To avoid Santa’s naughty list this year, scheme trustees should ensure they have a suitable data subject access request (“DSAR”) policy which reflects the updated guidance on DSARs published by the Information Commissioner’s Office (the “ICO”) on 21 October 2020.
In pension scheme scenarios, requests to access personal data often form part of wider, more general requests about the benefits an individual is entitled to receive. In its simplest form, a DSAR is an individual’s right to access and receive a copy of their personal data and other supplementary information. DSARs may also be used to seek confirmation that the scheme trustees or administrators are processing their personal data, particularly if details have been lost over time or if members are making use of a tracing service to locate historic entitlements.
DSARs come in all sorts of shapes and sizes. They can be made verbally, in writing and even via social media. No specific form is required to make a subject access request.
On receipt of a DSAR, the requested information must be provided without delay and by the standard deadline, namely within one calendar month of receipt of (i) the DSAR; and (ii) any other information needed to process the request (e.g. ID). A one-month timescale is likely to be somewhat tight in many instances, and prompt action is therefore needed to carry out the various tasks, including:
- verify the identity of the applicant carefully and ensure that the person making the DSAR is the data subject;
- notify the data processors of the request and request copies of the relevant information they hold for the individual;
- identify all relevant information held by the trustees; and
- check all extracts for information which should not be issued to the applicant (e.g. any data relating to another data subject, including correspondence from another data subject).
DSARs are still relatively rare in the pensions field but, when made, can often be a precursor to pension claims, including to the Pensions Ombudsman and/or to the Courts, as illustrated by the following case:
(PO-17560) Mrs L v Aviva Pension Plan (the “Aviva Plan”)
In the 2018 Pensions Ombudsman case of Mrs L v Aviva Pension Plan, Mrs L complained that Aviva had incorrectly recorded the first line of her address. As a result, Mrs L had missed out on certain communications in relation to her pension entitlement on retirement. Mrs L was concerned that, in light of this data protection issue, Aviva may also have erred in her pension entitlement calculations, particularly when Aviva was unable to provide certain documents that she had requested.
By way of background, Mrs L had been a member of her employer’s defined benefit pension scheme, known as the Samuel Rains & Son Pension Scheme (the “Scheme”). She left her employer’s business and became a paid-up deferred member of the Scheme, which was wound up in 1999, at which time the Scheme’s liabilities were subject to a buy-out and Mrs L’s benefits were transferred to the Aviva Plan.
In 2009, Aviva migrated all the information relating to the Aviva Plan onto a new system. It was at this point in time that the incorrect address details were recorded against Mrs L’s records. Consequently, Mrs L did not receive all of the communications that were issued to her in relation to her retirement benefits payable from the Aviva Plan. As Mrs L approached retirement age, she made use of the Pensions Tracing Service to contact Aviva requesting information in relation to her retirement benefits.
Note that a request to a data controller, such as a pension scheme administrator, to confirm whether they are processing the individual’s personal data is a DSAR, as is a request for details of the individual’s address held on the system. Personal data includes any information from which a person can be identified, whether directly or indirectly in combination with other information.
Aviva was not able to provide Mrs L with all of the requested documents, including a record of her contribution history (because no contributions had been paid) and a deferred annuity replacement policy schedule dating back to 1985 (due to the lapse of time). Mrs L was offered £100 in recognition of Aviva’s error in using the incorrect address (which happened on more than one occasion despite the records having been updated).
The Ombudsman did not uphold Mrs L’s complaint that her benefit entitlement was wrong, but did suggest that Aviva’s revised offer of £300 for the distress and inconvenience caused was reasonable and advised that if Mrs L had any further data concerns she should contact the Information Commissioner’s Office.
The moral of the story is:
- check the accuracy of member data to avoid time-consuming and costly complaints, especially where any change of systems is involved or data has been handed over to a new service provider; and
- maintain up-to-date and accurate records and documentation – the better the state of the records, the more information can be provided to the member and the less likely a request is to result in a time-consuming and costly complaint.
The ICO’s Guidance on DSARs
On 21 October 2020 the ICO issued updated guidance on DSARs. Three key areas which were updated include:
- stopping the clock for clarification – requests often do not leave enough time to respond; the ICO guidance explains that, in suitable cases, organisations can stop the clock while the requester clarifies their request;
- what is a manifestly unfounded or excessive request – the ICO says that, to combat confusion, it has provided additional guidance and broadened the definition of what would fall within this label; and
- what can be included when charging a fee for manifestly unfounded, excessive or repetitive requests – under article 12 of the GDPR, it is generally not possible to charge a fee for DSARs. However, a reasonable fee can be charged if the request is deemed to be manifestly unfounded, excessive or repetitive in nature, taking into account the administrative burden.
The ICO gives the following example of when a reasonable fee can be levied:
Example: An individual repeatedly requests a personal file through the right of access. You have given them the same file before, but you decide to respond to the request because you think they may have lost the file and it is harmful for them not to have this information. You tell the individual you are charging them a fee for the repeat provision of this information, based on the cost of administration. Once you have received the fee, you provide the information within one calendar month.
Scheme trustees should review the updated ICO guidance and, if appropriate, revise their policy accordingly. Trustees should ask their advisers to review the scheme’s GDPR policy and any privacy notices to the extent that they cover DSARs.