Data protection and pension schemes

Out-Law Guide | 11 Aug 2011 | 10:01 am

This guide was last updated in August 2011.

Pension scheme trustees and employers need to understand exactly what their obligations are in relation to scheme members' personal data.

Registration

Since employers and trustees hold personal data, they must usually register with the Information Commissioner, who ensures compliance with the Data Protection Act. Personal data includes all data that identifies a particular individual.

Members' agreement

Scheme members must be told why you need to collect personal data and what you intend to do with it. Application forms are an opportunity for you to ask members to agree to your use of their personal data. You should regularly review all forms to see that they provide adequate information about data protection. This is particularly important if you intend to pass members' personal data on to a third party.

You will need to be particularly careful with sensitive personal data, such as data about health or race. You must usually obtain members' consent every time you collect sensitive data. The consent should usually be in writing. If not, you should at least record that the member consented to the collection of the data.

If you intend to provide any personal data to a third party, such as scheme administrators, then you must have a written contract to make it clear who is liable for compliance with data protection laws. Trustees and employers may be held liable if the third party fails to comply with the law. You will need to deal with additional requirements if any data is to be passed outside the European Economic Area.

Trustees do not have an automatic right to transfer personal data to employers and vice versa. If an employer wishes to contact members about enhanced transfer values, for example, the trustees will need to check what information they can pass on.

Security

Check that you have appropriate security standards in place. You should only give authorised people access to personal data, and consider using encryption software. It may not be appropriate to send, for example, an application form for an ill-health early retirement pension to a trustee's home email address.

Requests from members

You should set out procedures for dealing with requests from members about their personal data, and establish an action plan to follow if there is a breach of personal data.

Sanctions

The Information Commissioner has a number of different sanctions available for data protection offences, ranging from fines to criminal prosecutions. The maximum fine is £500,000. Further information is available on the Information Commissioner's website.