Three top tips for managing trustees’ data responsibilities
7 May 2021


Pension schemes are veritable treasure troves of personal data, holding contact details, bank account specifics, and even scanned copies of passports and utility bills. And managing that data, from a trustee perspective, has never been more complicated and fraught with risk.

Below, I pick out what I consider to be some of the biggest challenges facing trustees in this area and give some tips for managing them.

Risk 1 – Human error

Pension scheme administrators manage huge volumes of member data and queries daily. Just consider the personal data that is required when a member simply asks for their benefits to be put into payment: bank details, address, proof of ID, payment instructions, level of benefits… a worrying list.

The scope for human error is significant. Indeed, it is the most frequent cause of data breaches that we tend to see in practice: not noticing that the auto-filled email address is going to the wrong recipient; adding the wrong attachment to an email; collating two separate members’ letters in one envelope. And prolonged working from home has perhaps added more scope for mistakes: we’re unlikely to have the same facilities available to us, and it isn’t as easy to quickly sense check something with a colleague.

My top tip – training. And more training. Seek it out, record that you have done it, and refresh your knowledge and awareness regularly. Quiz your administrators and other third-party providers on what they are doing to help understand and manage data breaches and reduce the incidence of errors. If you address these risks regularly through training, you consciously reduce the scope for error. As a bonus, documenting your training helps you demonstrate accountability and can support your response to any complaint that ends up with the Information Commissioner’s Office (ICO).

Risk 2 – Cyber attacks

The pensions industry has reported a surge in cyber attacks over the last 18 months, and before that The Pensions Regulator (TPR) reported a 148% increase in cyber attacks against it between 2018 and 2019. Pension schemes are an attractive target when you consider that a simple ‘package’ containing a member’s name and address can sell for up to £10 on the dark web. Add in a photocopied passport and that package is worth up to £60.

The chances are that, like me, you are not a cyber security specialist. But we can still take steps to manage this risk. As well as regular training on the theory, ensure that you have robust processes in place so that you know what to do if a breach occurs in practice. My top tip on this one is to review your data breach and incident response policies, circulate them amongst your fellow trustees, and consider running a tabletop simulation to test what you would actually do if a sophisticated breach of your scheme data occurred. Your policy should be clear about who assesses whether a breach is reportable to the ICO, because a notifiable personal data breach must be reported without undue delay and, where feasible, within 72 hours of becoming aware of it; a simulation will quickly show whether that decision can be made in time.

Risk 3 – Complaints culture and Data Subject Access Requests (DSARs)

The DSAR is a powerful right and its purpose is to allow individuals to understand what information is held about them. However, increasingly we are seeing DSARs being used for a collateral purpose, often at the behest of a claims management company.

Complaints culture has been on the rise in the UK, and the pensions industry is not immune. At scheme level this may show as an increase in Internal Dispute Resolution Procedure (IDRP) complaints. At industry level it is illustrated by the proliferation of claims management companies. A key tool in their armoury is the DSAR. We have seen rising numbers of DSARs. Indeed, some of you may already have experienced a spike in claims preceded by DSARs, for example in the context of historic transfers out of your scheme.

And not only are they on the rise, but they are a double-edged sword: on the one hand, the content of a response to a DSAR may fuel a complaint under your scheme’s IDRP and to the Pensions Ombudsman; on the other hand, your handling of the DSAR itself could result in a complaint against you before the ICO.

If you are not yet convinced, consider this quote from a claims management website: “those in breach of GDPR must be held to account and the door is now open to victims to claim”. And this, from one such company’s standard DSAR request on behalf of a member: “if our request is not satisfied we will be forwarding a complaint to the Information Commissioner’s Office and seeking a judicial remedy”.

My top tip here is to monitor DSAR volumes from third parties, and review how you respond to them. A DSAR entitles the member to a copy of their own personal data, not to every document on the member file, so it may not always be appropriate to provide a complete copy of the file in the first instance; information about third parties, for example, may need to be redacted before anything is released. Whatever you decide, keep to the statutory timescale: a response is due within one month of receipt, and that period can only be extended (by up to two further months) where the request is genuinely complex.

Ultimately, we can take all the necessary precautions, deploy the best software, the best training and maintain the best control over our systems and records, but we know data breaches can still occur. Your goal, then, should be to show that you have acted reasonably in managing risks and then responding appropriately when a breach occurs or a complaint is received. If you can do that, there is less scope for the ombudsman to criticise you, and it will also stand you in good stead should a complaint reach the ICO.

How to achieve this goal? Be prepared. Know your policies. Follow your policies. Monitor DSARs. Thoroughly record any data breaches in your log, including the remedial action taken and how you will reduce the risk of similar breaches in the future. And keep records of your training sessions.

Sounds like a lot, but as a first step why not put data security on the agenda for your next meeting? That may be a better start than an unexpected knock on the door from the ICO.
This article was featured in Pensions Aspects magazine May 2021 edition.

Last update: 6 May 2021

Aaron Dunning-Foreman