29 March 2017 - Post by: Andy Cork
Data protection and cybersecurity are undoubtedly hot topics in the pensions world at the moment – and will continue to be so for some time. As part of our regular training for clients, we talk a lot about the structural protection that needs to be in place, such as drafting supplier contracts correctly and monitoring providers (see Stephen Richards’ blog post ‘Data protection for pension schemes: are you compliant?’). That is the absolute minimum that trustees need to be doing – Allen & Overy’s briefing ‘Data protection and UK pension schemes’ covers these issues in more detail. But the truth is that human error or a simple mistake is often the biggest threat. A recent decision of the Information Commissioner’s Office is a timely reminder of this.
The ICO investigated and fined a family law barrister for failing to take appropriate measures against the unlawful processing of personal data. That sounds serious but, in practice, the series of events that led to the finding is the kind of thing that could happen to anyone who occasionally uses their home computer for work:
- the barrister had created documents (that included personal data) on her home computer;
- the computer was password-protected but the files were not encrypted;
- the barrister’s husband, while updating the software on the computer, uploaded the files to an online directory to ensure they were backed up and safe.
However, a handful of the documents became visible to an internet search engine, which meant that they could be found through a simple online search. Once this was discovered, the files were immediately removed from the online directory, and the barrister’s internet service provider removed all cached information the following day.
The irony is that trying to keep the computer software (and presumably the security protection) up to date led to the inadvertent release of personal data. The ICO took the issue particularly seriously because the data included information relating to vulnerable adults and children, but I’m sure that similar issues would be raised for trustees considering serious ill-health cases or complex family circumstances as part of a death benefit decision.
I think the main message is that unless you are a cybersecurity expert, there is always going to be risk in having member personal data stored on your home computer. Trustees should be considering other ways of protecting themselves. For example:
- Should the trustees move to an online document management or board papers system that has robust security built in?
- Should all ill-health cases be anonymised before being circulated – do trustees really need to know the member’s name and NI number or just the facts of the case?
- If a home computer has to be used for some reason, do you need expert advice on encrypting files and ensuring that other family members cannot access your documents?
To read more about the practical actions that trustees can take to improve data security and reduce cybersecurity risk, see Allen & Overy’s new checklist for trustees ‘Cyber risk: practical actions to improve data security’.
Andy Cork is a senior associate at Allen & Overy LLP