“I wanted to look at the effectiveness of our trustee board, so Gillian, our PSGS scheme secretary, provided their trustee self-assessment tool to help me gather thoughts and opinions from others on the board. The tool was extremely easy to use and asked all the right questions to help me collect the information I needed as Trustee Chair. It is a great example of the way PSGS shares knowledge with their clients and makes dealing with key governance issues easy. As well as enabling me to meet one of the Regulator’s 21st century trusteeship requirements, using the tool has flagged trustee training needs and ways we could improve trustee meetings further. ”
“As a pensions novice, I felt that the trustee training course gave me a good grounding.”
“Where PSGS are appointed to act in conjunction with an existing body of trustees, we have found that they are quickly able to fit in well and gain the trust and respect of their co-trustees. ”
“Wish I'd had the opportunity to do the Trustee training course sooner! ”
“Very broad, comprehensive trustee training course covering a wide range of topics. Excellent!”
“So much more proactive than the previous company. On the ball - thinking in advance of things needing doing - very proactive.”
Pension trustees (as data controllers) must report a personal data breach that creates risk for individuals to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it and notify affected individuals without undue delay. The trouble is trustees are totally dependent on others informing them of the breach in the first place (usually the pension scheme administrator as a data processor). Often this initial notification to the pension trustees simply isn’t happening quickly enough and it is leaving them exposed.
Are pension administrators aware of their obligations?
Trustees rely upon their pension administrator or other suppliers to have sufficient controls and trained staff in place to be able to identify a breach and then report it promptly to them, but some are not fully aware of their obligations as data processors. Despite contractual terms requiring all personal data breaches to be reported ‘without undue delay’, we’ve experienced several breaches not being reported to the pension trustees until some time after the breach had occurred.
Some of the breaches we’ve seen have been relatively minor - incorrectly addressed letters, emails sent to the wrong addressee, the administrator not checking all the paperwork thoroughly when collecting it off the printer before putting it into an envelope…
Others are more serious. One recent case related to errors on electronic files received by the pension administrator from the employer for updating addresses. There was a breakdown in the process and procedure for notifying the pension scheme of any address updates. It wasn’t known how and over how long a period of time the process breakdown occurred, as some member addresses had been updated via the automatic upload of the files.
What should trustees be doing now?
In order to meet their own reporting deadlines, pension trustees must have an ongoing dialogue with their data processors so they understand the information that must be reported to the trustees. You need to tell your data processors, such as your pension scheme administrator, what they need to report to you and when – do not be in the position of them deciding what the process and timescales should be.
Effective controls require employees of the data processor to be able to identify breaches and understand what action they must take and who they must report to. Any weak link in this process could worsen the data breach as it may become more widespread without swift action to identify and remedy it.
In order to assess a personal data breach and decide whether it creates a ‘risk’ or ‘high risk’ to individuals and needs reporting to the ICO, pension trustees need the data processor to provide them with a range of information. We have this set out in a simple to use spreadsheet format, which makes it clear to the trustees if any key information is missing.
In the early stages of a personal data breach, the information available to a scheme administrator may not always be accurate or complete. We understand this, but it isn’t a reason to delay the reporting of a breach to the pension trustees. Our breach reporting spreadsheet can easily be updated by the administrator as more information becomes available.
Having controls and processes like these in place enables us as trustees to assess and report a personal data breach on time (when needed). They may also help avoid awkward conversations with the ICO if a breach is still reported late.
If you are a pension scheme trustee and would like a copy of PSGS’ personal data breach information spreadsheet, please contact us via our online enquiry form.
26 May 2020
In a nutshell, the future of defined contribution (DC) pension master trusts is they will be bigger and better, but there’s a risk they’ll become...
20 May 2020
With many new challenges to face thanks to the Covid-19 pandemic, it’s easy to think an employer’s defined benefit (DB) pension scheme would fall...
14 May 2020
Top tips for pensions communications often suggest using a mix of media and varying design layouts as different people respond to different things...