What’s on your data to-do list? Top priorities for 2021
March 04, 2021
Pension funds are full of the two things most attractive to hackers: data and money. But it's not just hackers that you need to focus on when it comes to pensions data.

Brief summary

This speedbrief looks at some data-related priorities that trustees and employers should have on their to-do list for 2021, including:
Brief actions

Data-related actions for 2021 include:
Some more detail

Cyber security

To paraphrase former FBI director James Comey: there are two kinds of pension scheme: those that have been hacked, and those who don’t yet know they’ve been hacked. Schemes should keep their data secure by having appropriate cyber security procedures and monitoring in place. A pension scheme is a tempting target and a cyber breach is a bigger risk than trustees and employers might think. Since the start of UK lockdown, attacks targeting home workers have increased from 12% of malicious email traffic to over 60%.

The Pensions Regulator has issued guidance on cyber security for trustees which highlights the need for them to be aware of their “responsibilities in respect of cyber resilience” and to “receive regular training and have access to skills and expertise to understand and manage cyber risk”. PASA has also issued guidance to help administrators deal with cybercrime. Employers may be able to help with this through their own cyber security arrangements.

Trustees and employers need to have a plan in place setting out what they would do in the event of a cyber breach, and they should ideally be “wargaming” tackling practical cyber breaches. These steps will help to ensure that, if a cyber breach occurs, it can be properly and promptly dealt with. Trustees should make sure they document any steps they take to help prove they have complied with their obligations.
The dashboards

The Pension Schemes Act 2021 will require a lot of data to be given to the pensions dashboards about the benefits that schemes hold for members. Schemes may be able to voluntarily supply information to the dashboards from next year, with phased compliance starting in 2023 (possibly with the largest DC schemes going first).
The details will be set out in regulations, but the information that schemes might have to provide could include details about:
In December 2020, the Pensions Dashboards Programme issued a data standards guide setting out the information that schemes will be given to find a person’s pension entitlement and the basic information that they will need to provide. This was followed by guidance from PASA setting out key actions that schemes can take and suggested timescales. Trustees need to understand if they are in a position to supply relevant data to the dashboards and whether they could easily identify if the scheme has benefits for someone. Are improvements needed to existing data and will documents like privacy notices need to be updated to allow data to be given to the dashboards? The PASA guidance says that there is no benefit for schemes in waiting to do this given the amount of time that data issues can take to resolve.
Data sharing

In December 2020, the ICO issued a data sharing code of practice. It sets out the ICO’s expectations where data controllers, including trustees, are sharing personal data with other controllers. This would, for example, include sharing data with other schemes or insurers (eg on a bulk transfer or buy-in / out), or with sponsoring employers. Trustees should consider using data sharing agreements and, if sharing is happening continuously rather than as a one-off, the agreement and its description of the data being shared should be kept under review. Trustees and administrators should also check that any recipient of personal data has at least the same standards of security as they do.

Subject access requests

The ICO has also issued a code of practice on DSARs. This provides guidance on what to do where members (or third parties claiming to represent them) ask about the personal data that trustees hold about them. This is becoming more important, as claims management companies are making many requests on behalf of members to find out if they have claims against the scheme. It’s worth checking that the trustees (as well as administrators) know how to recognise DSARs – they may not be obvious. For example, they may be made verbally or using social media. Trustees should consider if a DSAR protocol would be useful.

Overseas data transfers

Trustees need to understand if their scheme data is moving between the UK and other countries and what agreements govern these transfers. Where data flows through the EEA to the UK, there is a post-Brexit transition period where it can continue to move uninterrupted. This will last for up to 6 months from 1 January 2021. The European Commission has recently indicated that it considers that the UK provides an equivalent level of protection to the one guaranteed under EU law. If this decision is formally approved, personal data will be able to continue to move from the EU to the UK without additional security.
If data flows from the UK to non-EEA countries, trustees need to carry out risk assessments and ensure adequate protection mechanisms are in place unless the transfer is to a country recognised as having adequate data protection laws. This also applies to the US, since the “Privacy Shield” was declared invalid last year.