Hot topic: GDPR – a reminder for trustees

The current global coronavirus pandemic is forcing trustees and their advisers to work remotely on a scale never seen before. All parties have had to rapidly adapt their processes in order to ensure the continuation of business as usual. Away from normal office environments, the need to protect personal data and ensure its confidentiality presents its own unique challenges.

Top tips for trustees and their advisers for ensuring continued compliance with the GDPR in the current climate include:

  • Keep it safe – trustees should confirm that both they and their advisers have appropriate and adequate security in place to protect personal data whilst working from home. In addition to checking that documents can be shared safely with advisers and stored securely by all, other simple steps to protect personal data (and confidentiality generally) include locking computers when not in use, retrieving printing promptly, and shredding any documents which are no longer required.
  • Keep it legal – with so many people working remotely, there may be difficulties in receiving and returning original or certified copy documents which are usually required to put member and survivor benefits into payment (eg passports, birth certificates, and marriage certificates). Administrative practices may need adapting temporarily to allow different means of proving identity and entitlement, and any data protection implications of this should be considered. Data controllers must have legal grounds for processing all personal data (usually, there will be more than one). Common grounds for pension schemes include the processing being necessary for legitimate interests pursued by the trustees, compliance with legal obligations (such as pensions and tax law), or members having given their consent to the processing of their personal data for one or more specific purposes. We generally only expect consent to be used where trustees are processing special categories of personal data (ie sensitive personal data).
  • Keep to the purpose – personal data should be collected for “specified, explicit and legitimate purposes” and not further processed in a way that is incompatible with those purposes. This principle needs to be borne in mind whenever personal data is collected from members and beneficiaries. Put simply, the main purposes for which personal data is likely to be collected by a pension scheme are to enable trustees to properly administer the scheme, and to calculate and pay benefits.
  • Keep sharing – administrative adjustments may result in trustees sharing information with new third parties, such as tracing agents. Whilst there are no specific requirements for documenting data sharing between separate data controllers (where each is independently responsible for compliance), entering into an agreement covering some essentials is advisable. These include the receiving data controller undertaking to abide by its obligations under the GDPR, and limiting the use and onward transmission of personal data. In contrast, agreements between a data controller and a data processor whose services they engage must meet certain minimum requirements. Additionally, if current advisers reroute or even offshore certain tasks, existing contracts should be checked and specific protections put in place where necessary.
  • Keep it minimal – essentially, “data minimisation” involves trustees using and sharing only the personal data they need for the purpose(s) they have identified. Inevitably, trustees will collect and use certain personal data to administer the scheme properly. In practice, this means trustees striking a balance between gathering information to make decisions, to pay benefits, and to comply with their legal obligations generally, whilst not accumulating more than required. Bearing in mind that some information will be essential to check someone’s eligibility for a particular benefit, avoid sharing personal data with others who do not need it to advise, and avoid copying it where that is not strictly necessary.
  • Keep communicating – the GDPR sets out specific requirements for sharing key information with data subjects, emphasising the need for greater transparency. Trustees should check that their privacy statement covers any new types of information requested from members or beneficiaries and, where they find themselves sharing information with a new third party for the first time, that the statement’s drafting encompasses this. If changes are needed, they should be made as soon as practicable.
  • Keep responding – during such an unprecedented period of uncertainty, members and beneficiaries may naturally feel anxious and concerned. Trustees should ensure that they and their advisers are properly equipped to continue responding to queries from members and beneficiaries about their rights, including data subject access requests, within the legislative timeframes.
  • Keep recording – as data controllers, trustees must maintain a record of their processing activities. The record keeping requirements are ongoing and so records should be reviewed and kept up-to-date in light of any adjustments.

What news from the ICO?

The ICO has produced guidance recognising the “unprecedented challenges” currently being faced. It acknowledges that information may need to be shared quickly and that data controllers may have to adapt the way in which they work, providing reassurance about home working (subject to appropriate security measures).

The ICO also specifically addresses concerns about possible regulatory action if data protection practices fall short of usual standards or response times to requests from individuals (eg data subject access requests) take longer. Acknowledging that resources (whether finances or people) might currently be diverted elsewhere, the ICO will not penalise organisations that “need to prioritise other areas or adapt their usual approach during this extraordinary period”. Whilst it cannot extend statutory timescales, helpfully, it will use its communication channels to inform people that they may experience understandable delays when making information rights requests.