By Anna Rogers, senior partner at Arc Pensions Law LLP, and Alexander Dittel, partner in Technology at Wedlake Bell LLP
Trustees, with the help of their advisers, will need to deal with a real-world personal data breach and act quickly to report it to the Information Commissioner's Office (ICO), regardless of whether they are a registered fee payer. The ICO notification is not required, however, if the risk is low; for example, if there is certainty that no personal data was exfiltrated or the affected data was encrypted and inaccessible to the attacker.
One challenge trustees may seek advice on is how to balance their duties to members with the requirements of the ICO and the Pensions Regulator (TPR). These obligations pull them in different directions: the pensions mindset says “if in doubt, notify” but UK GDPR requires a notification only if there is high risk to individuals. Voluntary notifications may expose trustees to additional risk. A careful assessment of data protection and pensions realities is required.
Overreliance on third parties?
In many schemes, most operational functions are outsourced to third parties - well-established administrators, bulk insurers, and actuarial service providers. Such providers will typically outsource further data processing for their customers to yet another third party. In essence, every pension scheme will have a supply chain of providers below it.
Each link in that chain poses potential cyber and data protection risk, and certain rules are imposed in relation to outsourcing. However, many trustees focus on investment, funding, covenant, actuarial valuations and journey planning, and there is a risk that data protection takes a back seat.
This becomes a problem when there is a supply chain data breach or a GDPR claim for compensation. Pension trustees remain responsible for data protection compliance even when data processing is outsourced.
Pensions schemes will generally have implemented appropriate paperwork, but compliance with UK GDPR requires a proactive and continuous approach. Without it, demonstrating compliance at the critical moment will be more difficult. A tick-box approach is not enough.
Who is at fault and who is liable?
The question of fault in the context of a data breach depends on the circumstances. Of course, the primary fault is with the criminal who infiltrates a system. However, if any party has failed to comply with GDPR, making a breach possible in the first place, such party could be considered "at fault".
Conversely, if trustees and service providers fully complied with the law and the data breach still happened, for example, due to a novel attack vector or an unavoidable human error, it might be that neither party has liability. However, this is a high bar to meet; the ICO is unforgiving when it comes to any failure.
Regardless of fault, trustees will probably face claims for compensation from members/beneficiaries whose data has been compromised. Claimants do not need to show any financial loss. Emotional or other non-financial loss could also attract compensation if proven or plausible. Typical claims are in the region of £3,000 per person and even a trivial breach could attract £250 of compensation. The expense, notwithstanding legal costs, can be mitigated by maintaining a strong compliance culture which demonstrates that the breach was not due to the trustee's (in)action.
Typically, if a service provider is partially at fault, the trustee will look to the contract to find out if its expenses might be recuperated. It is in the interest of all parties to have up-to-date agreements which clearly set out the position. Historic contracts which may have been left to roll for years without a review might no longer be fit for purpose. This could attract regulatory scrutiny.
High risk of fraud?
Pensions scams are a recurring problem that is firmly on the radar of trustees, their advisers and TPR. TPR will not be pleased if that risk is exacerbated by a data breach.
A data breach can enable the fraudster to succeed in deceiving their victims, particularly the elderly and most vulnerable. Members could be enticed by deception into a scam transfer and lose their funds, or they could fall victim to identity theft, or the administrator could be tricked into making an improper transaction.
The level of risk is relevant to the assessment of whether an obligation to notify individuals is triggered. Judging by its statement from 12 May 2023, TPR probably considered the Capita breach high risk as it suggested to pension trustees to "contact your members proactively". Each pension trustee must carry out its own assessment and while some may face high risk, others exposed to the same breach may not. Care should be taken before making any voluntary notifications. They are likely to lead to more distress and more claims, which in turn could lead to more defence costs and compensation. These expenses may not be recoverable from the service provider.
Conclusion
The data protection compliance question is one that will not go away. The Pensions Dashboard will only increase the risks.
Now is a good time for trustees to review the existing framework, identify gaps, dust off any old service provider agreements and strengthen the compliance foundations. Running a trustee training session might help focus minds and come up with a data protection action list.