Data protection guidance for pension trustees

Out-Law News | 25 Jan 2006 | 12:40 pm | 1 min. read

Pension trustees who use administrators to run a pension scheme are still responsible for data protection issues that arise in respect of the information generated and handled by the scheme, according to new guidance from the Information Commissioner.

The good practice note sets out the main data protection issues that pension trustees must consider when using an administrator. It warns that not only must trustees ensure that the chosen administrator can secure the information held by them, trustees must also check that the information is being held securely and is being processed according to their instructions.

A written contract between trustees and administrator is vital, says the guidance. This should clarify issues such as how the administrator should deal with access requests; what information should be returned to the trustees at the expiry of the contract; and whether and for what purposes the administrator should have access to this data after the contract ends.

“In many cases pension trustees use a pension administrator to act on their behalf,” said Phil Jones, Assistant Information Commissioner. “However, it is important that trustees remember they are ultimately responsible for the processing of the personal data involved. By highlighting examples of both good and bad practice in the good practice note, we want to promote a greater understanding of the steps trustees must take to comply with the Data Protection Act.”

Louise Townsend, a data protection law specialist with Pinsent Masons, the law firm behind OUT-LAW.COM, welcomed the guidance. "Many pensions trustees have long known that they are responsible for complying with the Data Protection Act but the guidance is helpful to raise awareness of data protection in the pensions industry," she said.

But she warned that trustees should bear in mind that data protection issues do not stop with administrators.

Townsend, co-author of Data Protection and the Pensions Industry, explained: "Compliance issues may arise in relationships with employers, actuaries, auditors, insurance companies and other third parties such as medical advisors, and pension trustees should ensure that they allocate responsibility for data protection compliance."