Data Protection Act 1998 and UK Pension Schemes
The Data Protection Act 1998 extends many of the requirements of the original 1984 Act which governed the disclosure, use and security of data stored on computer, and the rights of the individuals on whom data was held. In this article Adam Walker gives an outline of the likely impact of the new 1998 Act on the work of trustees and the work that Barnett Waddingham do as advisors.
At present, it is not entirely certain whether all of the measures outlined here will be necessary, nor whether they will require more or less stringent application. Until the secondary legislation associated with the new Act is finalised, along with the Data Protection Commissioner's Code of Practice, the exact requirements will remain unknown. However, some of the requirements of the Act are already in force, and so we think that in this case it is better to be safe rather than sorry. As new information becomes available, we hope to be able to refine our advice.
Ideally a number of issues should have been addressed before 1 March 2000, but there was a lack of advance warning caused by various delays. First, the legislation was delayed (in some cases not even making it onto the statute book by the original March deadline), and second, advice from legal firms was delayed by the late appearance of draft legislation.
We believe that pension plan trustees should be addressing a number of issues, which are set out as action points at the end of this article. All of the recommended measures represent good practice in our opinion and it would be prudent to act sooner rather than later. First, however, there follows an explanation of the main impact of the 1998 Act.
Implications of the 1998 Act
The biggest change created by the new Act is to extend the 1984 Act's requirements to all personal data including paper files. This refers to all personal data managed by the "Data Controller" (i.e. the trustees) and any "Data Processors" (i.e. anyone appointed by trustees to process the data on their behalf, such as administrators). Under the 1998 Act, all personal data must be held with good reason, with the consent of the member, and be used only for specific purposes to which members have given their consent.
There are four additional complications. First, there are especially stringent new requirements relating to sensitive personal data. The definition of sensitive personal data is quite wide-ranging, but for trustees the only area of relevance is likely to be health information held for the purpose of considering whether ill-health benefits should be granted. To hold or use such data requires explicit consent from the member, i.e. written consent specifying the purpose for which it is to be used. For convenience, this consent may be combined with any consent or instructions you are obtaining from the member in respect of the Access to Medical Reports Act 1988 and Access to Health Records Act 1990, if appropriate.
The second problem area concerns other personal data. Broadly, member consent is required for trustees to process any personal data. For new members, procedures to obtain consent should be put in place. Where the trustees have been processing data for the same purposes since at least 24 October 1998, it is generally possible to infer member consent, so long as members are informed at the next opportunity of their rights under the new Act. This is so that they have the opportunity to object to how their personal data is being processed. This could be done in the next benefit statement or as an insert in a pay packet.
The third area is what is known under the Act as subject access. This is the right of all members of the Scheme to examine their personal data on payment of a small fee (£10). Members also have the right to demand that out-of-date or unnecessary information be removed from their files. The trustees need to ensure that their Data Processors (e.g. administrators, actuaries, etc.) are ready to comply with this requirement, which we believe should be done via a written agreement. The "access" is to data only so far as we are aware, and does not mean access to files that have been created using the data.
The final problem area is disclosing data to other parties. When information is supplied to other parties with whom the trustees have no written Data Protection agreement, we highly recommend that data be supplied on a no-names, no NI number basis, so that the individuals concerned cannot be identified from the data supplied. Examples of this perhaps include supplying data to insurers for life cover quotes, or to the employer where the sale of a business is being considered.
Action points
- Register under the Data Protection Act. Please check whether you as trustees are registered with the Data Protection Registrar under the 1984 Act. If not, then register immediately via the steps below. The reason for registering is that in due course all Data Controllers (including you as trustees) will have to go through an updated registration process called "notification".
- Minute the trustees' intention to comply with the new Act. This should be a formal record of the fact that the trustees have considered the implications of the Act and intend to comply with it.
- Formulate a trustees' policy on the Act.
- Put written agreements in place with Data Processors. This should include a clause concerning data security, confirming that the trustees are satisfied all reasonable steps are being taken to ensure that members' paper and computer-based records stay secure.
- Sensitive personal data. Make a list of all ill-health retirement cases. If the trustees have any grounds to suspect that any of the individuals involved might object to their health data being retained by the trustees, they should take steps to obtain consent from the member concerned to retain this data.
- Change (or supply addenda to) the following administration documents at the next available opportunity:
  - Transfer request forms
  - Ill-health information request forms
  - New joiner forms
  - Expression of wish forms
- Amend the Scheme booklet to make reference to the Act, and include a comment on the Act in the annual report and accounts.
- Inform members and pensioners in the next mailing of the fact that their personal data is being processed, and that the trustees will infer that members consent to this unless members inform them otherwise.
Adam Walker, March 2000.