Pensions risk transfer: achieving data protection compliance

The risk of significantly increased fines for non-compliance that the GDPR raises means trustees and insurers must give serious thought to data protection compliance when using member data in connection with these transactions.

In our experience, some issues have been the particular focus of attention.

Data controller / data processor distinction

Like under the previous data protection regime, the UK GDPR continues to make the distinction between data ‘controllers’ and data ‘processors’. A data controller is the organisation that determines how and why data should be used. There can be joint controllers of data where the ‘how’ and ‘why’ is determined jointly by multiple organisations. A data processor, by comparison, is the organisation that processes data on behalf of the data controller.

Whether a party is a data controller or data processor, or both, is determined by a factual analysis – the distinction matters because controllers and processors are subject to distinct obligations under the UK GDPR.

Read more on pensions risk transfer

• Pensions risk transfer: requested contractual terms
• Pensions risk transfer: trustees’ rights to use scheme assets
• Pensions risk transfer: getting governance right
• Pensions risk transfer: the value of a clear vision for full scheme buy-outs
• Pensions risk transfer: reinsurer requirements
• Pensions risk transfer: company wind-up indemnities
• Pensions risk transfer: the risks of residual risk insurance
• Pensions risk transfer: PPF+ deals
• Pensions risk transfer: discretionary pension increases
• Pensions risk transfer: GMP equalisation and bulk annuities
• Pensions risk transfer: data warranties
• Pensions risk transfer: material change
• Pensions risk transfer: insurer buy-out requirements
• Pensions risk transfer: the endgame strategy
• Pensions risk transfer: tricky benefits to insure
• Pensions risk transfer: longevity transactions hedging risk trustee considerations

Pension scheme trustees will almost inevitably be data controllers. Insurers also tend to class themselves as controllers of pension scheme data handed over to them in connection with a risk transfer transaction. For most activities undertaken by the insurer, this assessment will clearly be correct – for example, where they are calculating the premium, conducting a data cleansing exercise, providing data to a re-insurer, or implementing a medical underwriting exercise.

However, in relation to certain activities, the insurer may be in the position of processing data on behalf of the trustees – for example, if the insurer assumes responsibility for scheme payroll or administration functions in the run-up to buy-out.

Trustees and insurers need to critically evaluate the position in that scenario. This is because:

• if an insurer is a data controller, it will not necessarily need to get trustee consent to sharing the data with third parties or sub-contracting;
• the insurer will have more extensive obligations under data protection legislation if it is a data controller, although data processors will also have some direct obligations under the UK GDPR; and
• if the insurer is a data processor, the trustees’ contract with the insurer will have to include certain mandatory terms set out in the UK GDPR.

Trustees and insurers therefore need to look carefully at how the position should be reflected in risk transfer contracts and how any data protection risks should be allocated between them.

Privacy notices

Due to the nature of the relationship between trustees and insurers, another important feature of negotiations in pensions risk transfer deals is which party is responsible for issuing privacy notices.

The UK GDPR imposes obligations on data controllers to issue privacy notices – both where they obtain personal data directly from data subjects and where the data is obtained indirectly from another source. Where personal data is obtained directly from a data subject, the controller must provide the data subject with a privacy notice at the time the data is collected. Where personal data is collected indirectly, the controller must provide the data subject with a privacy notice within a reasonable time period after they have obtained the data, and, in any event, within one month.

Compliance with these obligations can be complicated in situations where there are controllers in common – that is, independent data controllers that act separately as controllers for their own business purposes. In these circumstances, insurers and trustees have had to consider who bears responsibility for issuing privacy notices. Most risk transfer contracts now include an obligation on the trustees to issue a privacy notice, which the insurer would provide, to the members if the insurer is required to provide one in order to comply with data protection laws.

Sharing data with the employer

We are also seeing an increasing trend for trustees and employers to establish joint working groups for pensions risk transfer deals. As part of this, employers, and their advisers, are asking trustees for higher volumes of scheme data, quite often at individual member level, to help them better understand the funding and accounting impact of the transaction.

Where trustees are asked to share data with the employer, they should ensure that an appropriate data sharing agreement is put in place. This will give the trustees some contractual protection in the event the employer experiences a data breach. It will also help to demonstrate that the trustees are complying with their obligations as data controllers under the GDPR.

Data transfers

Another important data protection issue is how international data transfers should be handled. This is a particular issue for insurers that wish to transfer personal data to their re-insurers for re-insurance purposes. If re-insurers are located outside of the European Economic Area, data transfers to them can only be made if there is adequate protection in place to govern how the data is handling in the jurisdiction to where the data is being exported, in accordance with data protection legislation. Insurers have considered whether their pensions risk transfer contracts allow them to pass data to their re-insurers in this way.

We are also seeing an increased focus on the initial transfer of data to insurers as part of the tendering process. A commonly held view is that, at this stage, no personal data is shared since it is anonymised, but some advisers are now challenging this assumption. This is because it is possible for anonymised data to be read in conjunction with other information that may enable the re-identification of individuals.

Employee benefit consultants, trustees and insurers should consider this point when they are putting their standard confidentiality agreements or non-disclosure agreements in place at the outset of a tender process.