Overreliance on third parties?
Whilst pension trustees can be skilled professionals or specialist corporate entities who lead the compliance effort and manage the legal risk of the pension scheme, more often than not, they outsource most of the operational functions to third parties.
Well-established third party administrators and actuarial service providers usually step in to provide comprehensive services for the scheme. Such providers will typically use third party business tools or outsourced functions in relation to data processing for their customers. In essence, every pension scheme has an entire supply chain of providers below it, and each link in the chain poses a certain degree of cyber and data protection risk.
Pensions trustees are responsible for data protection compliance even if they may not actually hold any personal data of members/beneficiaries. However, as functions are often entrusted to third party administrators and most of the trustee’s focus goes into complying with pensions and tax law, data protection due diligence, assessments and contracts often take a backseat. This becomes a problem when (not “if”) there is supply chain breach or a GDPR claim for compensation.
Tick box approach not enough?
The accountability principle under UK GDPR requires data controllers, such as pension trustees, to:
- identify what personal data is processed and where;
- implement appropriate policies and procedures;
- carry out certain assessments and due diligence;
- implement security measures;
- enter into appropriate contracts; and
- ensure the proper training of staff.
While implementing appropriate paperwork is one thing, compliance with UK GDPR requires a proactive and repeated approach. Without this focus, it will be more difficult to demonstrate compliance at the critical moment.
Who is at fault and who is liable?
The question of fault in the context of a personal data breach will depend on the actual circumstances. Of course, the primary fault is with the criminal who infiltrates a system without authorisation. However, if any party has failed to comply with the UK GDPR and this has contributed to the breach or made it possible in the first place, such party could be seen as the party “at fault”.
On the other hand, if all parties fully complied with the law and the personal data breach could not have been avoided, for example, due to a novel attack vector or an unavoidable human error, neither party will have liability under the GDPR. However, this is often a difficult balance, and the ICO is relatively unforgiving when it comes to any failure to implement industry standard security measures.
Regardless of fault, the pensions trustee will likely face claims for compensation from its members/beneficiaries whose data has been compromised. Again, this expense can be mitigated by maintaining a strong compliance culture and demonstrating that the personal data breach was not in any way due to the trustee’s lack of compliance. However, legal cost will be incurred in dealing with the correspondence.
Typically, if a service provider is partially at fault, one will look to the contract to find out if the trustee might recuperate its expenses. However, if the trustee did not spend time reviewing the contract at the outset or let the contract roll for a decade without reviewing if it is still fit for purpose, the discussion with the service provider might be less straightforward.
High risk of fraud
Pensions scams are a recurring problem that the Pensions Regulator (TPR) wishes to tackle. Fraudsters often take advantage of elderly pensioners who are more susceptible to fall victim of fraud.
TPR will not be pleased if that risk is exacerbated by a personal data breach. A breach will often mean that the fraudster now has more data to succeed in deceiving their victims by presenting them accurate information just as if the victim were called by a professional administrator.
Under UK GDPR, a data controller must notify individuals of any personal data breach which gives rise to high risk. Judging by its statement from 12 May 2023, TPR probably considers the Capita breach high risk as it suggested to pension trustees to “contact your members proactively”. Having said that, each pensions trustee must carry out its own assessment and while some may face high risk, other may not.
Conclusion
The data protection compliance question is one that will not go away. As the Pension Dashboard is approaching, pension trustees will likely not satisfy the requirements by merely implementing some paperwork.
This might be the right time to revise the existing framework, identify gaps and lay the compliance foundations for significant digitalisation. Perhaps running a new trustee training session might help focus minds and come up with a data protection action list.
It will be important to dust of any old service provider agreements and make sure they are still fit for purpose. A new due diligence effort should be launched to make the most from the reminder offered by the recent incident.
If your scheme is affected by a breach, you should remember that ultimately the liability is on you and you should demand your service provider to offer up all available information and stop hiding behind the veil of an ongoing investigation. The sooner you know what happened, the sooner you will be able to take appropriate remedial steps and mitigate exposure.
Data quality and data security are an inherent requirement of data protection. Perhaps the reset of the dashboards programme might be the opportunity you have been waiting for to take stock of the situation and make a compliance action plan.