Client feedback


Fiona brings perspective from other schemes and therefore a wider knowledge.
​I enjoy working with PSGS and we have a very positive relationship. I was new to pensions and found them very helpful.
Bruce Allison,
RTUK
Kathy, may l take this opportunity to thank you for your assistance. There were many times l thought l was losing my mind during my efforts with Aviva. You were a pillar of support for me and you saw my case through to the very end. I cannot thank you enough but thank you again. It is through people like you who strive for professional fairness as well as thoroughness, HCA has such a good reputation.
Ethel Chimutwe,
HCA International Ltd Staff Retirement Benefits Scheme
​I would recommend them to anyone - I have dealt with a number of other independent trustee firms and would rate PSGS as the best. We are very happy with Mark and the service we get.
Julia Morton,
Camellia plc
Thanks for all your help!
Where PSGS are appointed to act in conjunction with an existing body of trustees, we have found that they are quickly able to fit in well and gain the trust and respect of their co-trustees.
Duncan Buchanan,
Partner at Hogan Lovells

Data breaches – are trustees really in control?

Pension trustees (as data controllers) must report a personal data breach that creates risk for individuals to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it and notify affected individuals without undue delay. The trouble is trustees are totally dependent on others informing them of the breach in the first place (usually the pension scheme administrator as a data processor). Often this initial notification to the pension trustees simply isn’t happening quickly enough and it is leaving them exposed.

Are pension administrators aware of their obligations?

Trustees rely upon their pension administrator or other suppliers to have sufficient controls and trained staff in place to be able to identify a breach and then report it promptly to them, but some are not fully aware of their obligations as data processors. Despite contractual terms requiring all personal data breaches to be reported ‘without undue delay’, we’ve experienced several breaches not being reported to the pension trustees until some time after the breach had occurred.

Some of the breaches we’ve seen have been relatively minor - incorrectly addressed letters, emails sent to the wrong addressee, the administrator not checking all the paperwork thoroughly when collecting it off the printer before putting it into an envelope…

Others are more serious. One recent case related to errors on electronic files received by the pension administrator from the employer for updating addresses. There was a breakdown in the process and procedure for notifying the pension scheme of any address updates. It wasn’t known how and over how long a period of time the process breakdown occurred, as some member addresses had been updated via the automatic upload of the files.

What should trustees be doing now?

In order to meet their own reporting deadlines, pension trustees must have an ongoing dialogue with their data processors so they understand the information that must be reported to the trustees. You need to tell your data processors, such as your pension scheme administrator, what they need to report to you and when – do not be in the position of them deciding what the process and timescales should be.

Effective controls require employees of the data processor to be able to identify breaches and understand what action they must take and who they must report to. Any weak link in this process could worsen the data breach as it may become more widespread without swift action to identify and remedy it.

In order to assess a personal data breach and decide whether it creates a ‘risk’ or ‘high risk’ to individuals and needs reporting to the ICO, pension trustees need the data processor to provide them with a range of information. We have this set out in a simple to use spreadsheet format, which makes it clear to the trustees if any key information is missing.

In the early stages of a personal data breach, the information available to a scheme administrator may not always be accurate or complete. We understand this, but it isn’t a reason to delay the reporting of a breach to the pension trustees. Our breach reporting spreadsheet can easily be updated by the administrator as more information becomes available.

Having controls and processes like these in place enables us as trustees to assess and report a personal data breach on time (when needed). They may also help avoid awkward conversations with the ICO if a breach is still reported late.

If you are a pension scheme trustee and would like a copy of PSGS’ personal data breach information spreadsheet, please contact us via our online enquiry form.

 

 

Back to opinions

 

Hot topics


PSGS & 20-20 Trustees merge to form Vidett
Hot Topic

Punter Southall Governance Services (PSGS) & 20-20 Trustees (20-20) have today announced they...

Read more »


Don’t be surprised that your gilt funds are being treated like an emerging market
Image of Hot Topic author Sophia Harrison, Client Director

You may have seen or heard about the article in the Financial Times about how Insight...

Read more »


More opinions »


Call: 0118 207 2900

online enquiry