Client feedback

When requesting information by email, I have noticed that there is 'out of hours activity' to answer me. I regard this as a stand out 'above and beyond' - impressed.
Wish I'd had the opportunity to do the Trustee training course sooner!
Stuart Atkins,
Raleigh UK Ltd
As a pensions novice, I felt that the trustee training course gave me a good grounding.
Will Court
​We are extremely pleased with the appointment we made. The way Ian reacts to us and works with us is brilliant. We are very happy.
Katherine Cross,
We chose PSGS because of the experience of the team and the feel of the relationship seemed the right fit.
Paul Staniland,
Chair of Governance Committee, Kier Group Pension Trustees
We now have a very collaborative approach between trustees and employer.
Peter Millard,
Company Secretary, TRL Limited

Subject access requests - common pitfalls & issues (& how to avoid them)

In October 2020, the Information Commissioner’s Office (ICO) issued new statutory guidance on dealing with subject access requests (SARs). This (80 page!) supplement to existing information (Right of access | ICO) is timely. Although driven by a few factors, a growth in claims firms has been a major contributor to an increase in the volume of SARs being received by pension trustees and scheme administrators.

What is a SAR?

  • Under UK General Data Protection Regulation (GDPR), individuals have a fundamental right to access & receive a copy of their personal data & other supplementary information. This right is known as a ‘subject access request’.

  • Individuals can make a SAR verbally, in writing, via social media or an online portal or through a third party, such as a claims management firm.

  • SARs can be made to the data controller (trustees, employer) or data processor (scheme administrator).

  • Trustees as data controllers are legally responsible for responding to a SAR within 30 days of a valid request (may be extended by 2 months if the request is ‘complex’).

  • A fee cannot be charged for providing the information.

  • Refusal to provide the information requested can only be made if an exemption or restriction applies or the request is ‘manifestly unfounded’ or ‘excessive’.

What data can be released?

An individual is generally only entitled to their own personal data. Before responding to a SAR, you must determine:

  • if the request is a valid one (ID verification required & authorisation provided where a third party is involved)

  • whether the information held is ‘personal data’ (identifies a living person) &, if so, who it relates to (the data subject)

What are the common pitfalls & issues?

  • Data controller isn’t promptly informed - sometimes the pension trustees only learn about the SAR either on or close to the 30-day deadline.

  • Data not documents - when full documentation is released (eg a full set of minutes) because the data subject is referenced rather than just an extract of the data relating to the member. The entitlement under GDPR is to personal data, not documents.

  • Relevant personal data – when a file of information is provided to the pension trustees for checking prior to issue but other members’ data shown within is not redacted.

  • Health data - this should not be released in response to a SAR without considering if the exemptions or restrictions under the GDPR apply. Often health data is included within a member’s file without thought - eg where a member has been refused early retirement on the grounds of ill-health and the medical details obtained and reasons for a refusal are released.

  • Misunderstanding the request #1 - where a request for personal information isn’t treated as a SAR but as a generic enquiry for scheme information & responded to accordingly. This is often true with requests from claims management firms. Our experience shows they ask for a long list of scheme & member information, which may be mistaken for a generic enquiry.

  • Misunderstanding the request #2 - where a member’s file has been released in response to a generic enquiry. A member doesn’t have to specifically state their request is a SAR but, if it is ambiguous, the pension trustees or administrator should seek clarification of what’s required.

  • Principal contact away – we’ve seen examples where a SAR is received but the recipient is away & the request isn’t passed on to be actioned. This increases the risk of not responding within 30 days.

  • Claims firms - A disgruntled member or former employee may use a claims company as the first step to find out who they can make a complaint against (trustee, administrator, actuary, employer or IFA who advised them). Take care to ensure only relevant data is provided.

The GDPR and ICO’s new guidance clarifies that controllers (not processors) are responsible for complying with SARs. Processors have their own obligations, which include helping the controller to respond.

As professional trustees, we work closely with scheme advisers to avoid these common issues by ensuring both the controller and processor are clear about their roles, responsibilities and timescales to respond. In part this comes down to training, but mostly it’s about having contractual arrangements in place that set out who will deal with a SAR and when.

Steps to avoid common pitfalls & issues

  • The processor should promptly inform the controller when a SAR is received - ideally on the same day of receipt.

  • Check the SAR is valid and the scope of data is understood. If not, seek further clarification.

  • Ensure the SAR can be responded to within 30 days and isn’t caught by any exemptions or restrictions or isn’t ‘unfounded’ or ‘excessive’.

  • Provide only the personal data requested and not documentation unless relevant.

  • Only release data or scheme information with the data controller’s agreement.

  • Make sure a SAR isn’t overlooked - set up ‘out of office’ responses to include wording advising a SAR should be forwarded to a named contact.

By following guidance and having appropriate policies and procedures in place, pension trustees and scheme advisers should be well equipped to deal with SARs and avoid these common mistakes.



Back to opinions


Hot topics

A personal journey through the menopause and what employers can do better
Image of Hot Topic author Suzi Lowther, Director of Marketing & Communications

As women, each of our menopause journeys is different. My mother-in-law apparently flew through...

Read more »

Value for members assessments - what trustees need to do
Image of Hot Topic author Kevin Clark, Director of Business Development

The new value for members (VFM) assessment is a key component of the government’s strategy to...

Read more »

More opinions »

Call: 0118 207 2900

online enquiry