“Provided insight into what other schemes do - useful intelligence. High quality.”
“Alex has helped in our dealings with other advisers using his experience of other schemes.”
“Gillian has gone above and beyond what we would normally expect of our secretarial support on many occasions and her deep knowledge on all issues have been invaluable.”
“Excellent and comprehensive training course. I will definitely refer to what I've learned and received. ”
“Gillian and Curtis provide an excellent service to the trustees. They are approachable and possess a huge amount of knowledge. Everything appears to work smoothly which I am sure is due to the immense amount of work they do in the background to ensure all paperwork is available and up to date.”
“We don't have any worries - PSGS are always there for us and plan ahead with advisers and agendas. ”
Pension trustees (as data controllers) must report a personal data breach that creates risk for individuals to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it and notify affected individuals without undue delay. The trouble is trustees are totally dependent on others informing them of the breach in the first place (usually the pension scheme administrator as a data processor). Often this initial notification to the pension trustees simply isn’t happening quickly enough and it is leaving them exposed.
Are pension administrators aware of their obligations?
Trustees rely upon their pension administrator or other suppliers to have sufficient controls and trained staff in place to be able to identify a breach and then report it promptly to them, but some are not fully aware of their obligations as data processors. Despite contractual terms requiring all personal data breaches to be reported ‘without undue delay’, we’ve experienced several breaches not being reported to the pension trustees until some time after the breach had occurred.
Some of the breaches we’ve seen have been relatively minor - incorrectly addressed letters, emails sent to the wrong addressee, the administrator not checking all the paperwork thoroughly when collecting it off the printer before putting it into an envelope…
Others are more serious. One recent case related to errors on electronic files received by the pension administrator from the employer for updating addresses. There was a breakdown in the process and procedure for notifying the pension scheme of any address updates. It wasn’t known how and over how long a period of time the process breakdown occurred, as some member addresses had been updated via the automatic upload of the files.
What should trustees be doing now?
In order to meet their own reporting deadlines, pension trustees must have an ongoing dialogue with their data processors so they understand the information that must be reported to the trustees. You need to tell your data processors, such as your pension scheme administrator, what they need to report to you and when – do not be in the position of them deciding what the process and timescales should be.
Effective controls require employees of the data processor to be able to identify breaches and understand what action they must take and who they must report to. Any weak link in this process could worsen the data breach as it may become more widespread without swift action to identify and remedy it.
In order to assess a personal data breach and decide whether it creates a ‘risk’ or ‘high risk’ to individuals and needs reporting to the ICO, pension trustees need the data processor to provide them with a range of information. We have this set out in a simple to use spreadsheet format, which makes it clear to the trustees if any key information is missing.
In the early stages of a personal data breach, the information available to a scheme administrator may not always be accurate or complete. We understand this, but it isn’t a reason to delay the reporting of a breach to the pension trustees. Our breach reporting spreadsheet can easily be updated by the administrator as more information becomes available.
Having controls and processes like these in place enables us as trustees to assess and report a personal data breach on time (when needed). They may also help avoid awkward conversations with the ICO if a breach is still reported late.
If you are a pension scheme trustee and would like a copy of PSGS’ personal data breach information spreadsheet, please contact us via our online enquiry form.
Pension schemes can be complex and funding negotiations tricky, especially where corporate...
In this IPE article, Sophia Harrison comments on how fiduciary managers had to handle the...