
Data breaches – are trustees really in control?

Pension trustees (as data controllers) must report a personal data breach that creates risk for individuals to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it and notify affected individuals without undue delay. The trouble is trustees are totally dependent on others informing them of the breach in the first place (usually the pension scheme administrator as a data processor). Often this initial notification to the pension trustees simply isn’t happening quickly enough and it is leaving them exposed.

Are pension administrators aware of their obligations?

Trustees rely upon their pension administrator or other suppliers to have sufficient controls and trained staff in place to be able to identify a breach and then report it promptly to them, but some are not fully aware of their obligations as data processors. Despite contractual terms requiring all personal data breaches to be reported ‘without undue delay’, we’ve experienced several breaches not being reported to the pension trustees until some time after the breach had occurred.

Some of the breaches we’ve seen have been relatively minor - incorrectly addressed letters, emails sent to the wrong addressee, the administrator not checking all the paperwork thoroughly when collecting it off the printer before putting it into an envelope…

Others are more serious. One recent case related to errors on electronic files received by the pension administrator from the employer for updating addresses. There was a breakdown in the process and procedure for notifying the pension scheme of address updates. It was not known how the breakdown had occurred, or over how long a period, because some member addresses had been updated through the automatic upload of the files.

What should trustees be doing now?

In order to meet their own reporting deadlines, pension trustees must have an ongoing dialogue with their data processors so they understand the information that must be reported to the trustees. You need to tell your data processors, such as your pension scheme administrator, what they need to report to you and when – do not leave it to them to decide what the process and timescales should be.

Effective controls require employees of the data processor to be able to identify breaches and understand what action they must take and who they must report to. Any weak link in this process could worsen the data breach as it may become more widespread without swift action to identify and remedy it.

In order to assess a personal data breach and decide whether it creates a ‘risk’ or ‘high risk’ to individuals and needs reporting to the ICO, pension trustees need the data processor to provide them with a range of information. We have this set out in a simple-to-use spreadsheet format, which makes it clear to the trustees if any key information is missing.

In the early stages of a personal data breach, the information available to a scheme administrator may not always be accurate or complete. We understand this, but it isn’t a reason to delay the reporting of a breach to the pension trustees. Our breach reporting spreadsheet can easily be updated by the administrator as more information becomes available.

Having controls and processes like these in place enables us as trustees to assess and report a personal data breach on time (when needed). They may also help avoid awkward conversations with the ICO if a breach is still reported late.
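As an added illustration of the controls described above (example code written for this page, not PSGS’ spreadsheet, which the page does not reproduce), the following Python sketch models one entry in a trustee breach register: it flags which key items the processor has not yet supplied, accepts later updates from the administrator, measures how long the processor took to tell the trustees, and tracks the 72-hour ICO window from the moment the trustees became aware. The field names in KEY_FIELDS, the risk labels and the dates used in demo() are assumptions chosen for illustration.

```python
"""Breach register entry for a pension scheme acting as data controller.

Added example: the column set, risk labels and sample dates are assumptions,
not the columns of the PSGS breach reporting spreadsheet.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Information the trustees ask each processor to supply (hypothetical column set).
KEY_FIELDS = (
    "processor",             # which supplier is reporting, e.g. the scheme administrator
    "description",           # what happened
    "breach_occurred_at",    # when the breach happened (often unknown at first)
    "processor_aware_at",    # when the processor discovered it
    "data_categories",       # e.g. names, postal addresses
    "individuals_affected",  # count, or best estimate so far
    "containment",           # what has been done to stop it spreading
)

# The controller's clock: 72 hours from the trustees becoming aware, as the article states.
ICO_WINDOW = timedelta(hours=72)


@dataclass
class BreachRecord:
    trustees_aware_at: datetime                   # when the trustees were told
    details: Dict[str, object] = field(default_factory=dict)
    risk_level: Optional[str] = None              # "no risk", "risk" or "high risk": a trustee judgement
    history: List[Tuple[datetime, Tuple[str, ...]]] = field(default_factory=list)

    def missing_fields(self) -> List[str]:
        """Key information the processor has not yet supplied (absent or blank)."""
        return [f for f in KEY_FIELDS if self.details.get(f) in (None, "", [])]

    def update(self, when: datetime, **new_info) -> None:
        """Processors report what they know now and fill gaps later; keep the trail."""
        self.details.update(new_info)
        self.history.append((when, tuple(sorted(new_info))))

    def ico_deadline(self) -> datetime:
        return self.trustees_aware_at + ICO_WINDOW

    def hours_to_ico_deadline(self, now: datetime) -> float:
        return (self.ico_deadline() - now).total_seconds() / 3600

    def ico_notification_required(self) -> bool:
        return self.risk_level in ("risk", "high risk")

    def individuals_notification_required(self) -> bool:
        # GDPR Article 34 ties notification of the individuals themselves to "high risk".
        return self.risk_level == "high risk"

    def processor_delay_hours(self) -> Optional[float]:
        """How long the processor knew before the trustees did (the article's core complaint)."""
        aware = self.details.get("processor_aware_at")
        if not isinstance(aware, datetime):
            return None
        return (self.trustees_aware_at - aware).total_seconds() / 3600

    def status(self, now: datetime) -> str:
        if self.risk_level is None:
            gaps = ", ".join(self.missing_fields()) or "none"
            return f"assessment pending; missing information: {gaps}"
        if not self.ico_notification_required():
            return "record only: no ICO notification needed"
        remaining = self.hours_to_ico_deadline(now)
        if remaining <= 0:
            return "OVERDUE: 72-hour ICO window has closed"
        return f"report to ICO within {remaining:.1f}h"


def demo() -> Tuple[BreachRecord, List[str]]:
    """Walk through the address-file scenario from the article with constructed dates."""
    utc = timezone.utc
    processor_aware = datetime(2024, 3, 4, 9, 0, tzinfo=utc)   # constructed
    trustees_told = datetime(2024, 3, 6, 10, 0, tzinfo=utc)    # constructed: 49h later
    rec = BreachRecord(trustees_aware_at=trustees_told)
    # First report is incomplete, which is acceptable; it must still be sent promptly.
    rec.update(trustees_told,
               processor="Scheme administrator (constructed)",
               description="Employer address-update file applied incorrectly",
               processor_aware_at=processor_aware,
               data_categories=["name", "postal address"],
               containment="Automatic file upload suspended")
    missing_after_first_report = rec.missing_fields()
    # A day later the administrator fills the gaps; the trustees then judge the risk.
    rec.update(trustees_told + timedelta(hours=24),
               breach_occurred_at="unknown: some time before 2024-03-04 (constructed)",
               individuals_affected=140)
    rec.risk_level = "risk"
    return rec, missing_after_first_report


if __name__ == "__main__":
    record, first_gaps = demo()
    print("missing after first report:", first_gaps)
    print("processor delay (hours):", record.processor_delay_hours())
    print(record.status(record.trustees_aware_at + timedelta(hours=24)))
```

The point of the sketch is the two clocks: the processor's delay, which the trustees cannot control but should measure and raise with the supplier, and the ICO window, which starts only when the trustees themselves become aware and is the one they are accountable for.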

If you are a pension scheme trustee and would like a copy of PSGS’ personal data breach information spreadsheet, please contact us via our online enquiry form.
