11 January 2013 - Post by: Stephen Richards
My pension scheme trustee clients are often surprised at the extent of their obligations to protect member data. When data gets lost it’s not enough for trustees to say ‘it wasn’t our fault’. I make sure my trustee clients know the basics of data protection so they can avoid a penalty from the Information Commissioner if things go wrong. And things do go wrong – I had a client who had a laptop stolen containing member data. They had taken appropriate data protection measures so avoided a penalty.
The jargon that comes with data protection law can be confusing – so here are the basics:
- Data controllers must comply with certain rules and principles in the Data Protection Act 1998 and must ensure that their data processors do the same.
- Trustees are data controllers. Their third party providers, such as administrators, are data processors.
- Some of the key data protection principles include the following: keeping data secure, processing data fairly and lawfully and not transferring data outside the EEA unless certain conditions are met.
In my experience data controllers, and trustees in particular, take steps to ensure that they are keeping data secure and processing data fairly and lawfully. However, data controllers have been less successful at ensuring that their data processors do the same.
I’ll give you an example. In September the Information Commissioner fined Scottish Borders Council £250,000 for a breach of data security when a company employed by the Council to add their paper records to computer systems left former employees’ pension records in a paper recycle bank in a supermarket car park.
The Council remained legally responsible for the security of the data and had taken its eye off the ball in the outsourcing. The Council had failed to put a contract in place, hadn’t sought guarantees on the security of the data and did not make sufficient attempts to monitor how the data was being handled.
Trustees can do two main things to make sure they are complying with their data protection obligations.
- Get contracts right. I am used to seeing draft contracts from service providers which aren’t good enough when it comes to data protection. Service provider contracts often state that the provider will not breach their obligations under the Data Protection Act, but this is not good enough. Data protection obligations fall on the data controller – not the data processor. To help ensure that data is kept secure and processed fairly and lawfully, a trustee should require its data processors to ensure that they will not take any action which will cause the trustees to breach their data protection obligations. There are also specific provisions which the Data Protection Act requires to be included in contracts.
- Monitor providers. It is not enough to simply place obligations on the data processor in the contract. The trustees should also make sure the data processor is complying with those obligations. For example, trustees can require regular reports on the security of the data and how it is being processed, require security breaches to be reported to them and can inspect the data processor’s measures for keeping data secure.
In short, trustees should make sure their contracts are bulletproof and keep an eye on their service providers. Oh, and avoid leaving a laptop on a train.
Stephen Richards is an associate at Allen & Overy LLP.