
Data Protection Act 1998 - a reminder

Adam Walker from Barnett Waddingham's London office reports.

The principal deadline for the implementation of regulations governed by the Data Protection Act 1998 is approaching. From 23 October 2001, further requirements will apply to all organisations which hold data about individuals ("personal data"), above and beyond the terms of the original 1984 Act which governed the disclosure, use and security of data stored on computer, and the rights of the individuals on whom data was held.

For more details on the scope of the new Act, including its relevance to paper as well as electronic records, click here for our previous article on this topic.

It was hoped that some of the areas of uncertainty (which chiefly relate to the practical aspects of implementing the terms of the Act) would be clarified over the last twelve months. Perhaps unsurprisingly, lawyers have generally steered clear of giving absolute indications about the degree of compliance and the specific actions required of trustees. Some of this will only be clarified when the Information Commissioner first makes use of her powers.

In the meantime, the following steps should be taken to ensure a reasonable level of compliance with the Act. A sincere attempt by the trustees to comply with the spirit of the Act will almost certainly provide a degree of defence if the Commissioner turns her attention towards the trustees at any time.

There is an action checklist below, but first there follows a summary of the different areas of the Act and their implementation in more detail. Any new data given to the trustees after the deadline date must be dealt with in a manner complying with the points below, and although there is a transitional period for the remainder of the scheme's data to be brought into line, some aspects of the Act (e.g. "data subject access", or the right of individuals to require disclosure of all information held in respect of them) apply in full from October 2001. The implication of this is that the trustees should try to ensure compliance for all personal data as soon as possible.

In all of the below, it is worth remembering that the spirit of the Act is to try to ensure that no-one can be potentially disadvantaged on the basis of data held in respect of them. This is why the Act requires that data is only ever used for the specific, lawful purposes for which it is intended, and that data be kept accurate, up-to-date and safe until such time as it is no longer needed.

Below is Barnett Waddingham's suggested checklist for pension scheme trustees. If there is any aspect of the checklist which you would like to explore in more detail, please contact your usual Barnett Waddingham consultant.

Areas covered by the Act

  1. Notification (formerly known as registration)

    Trustees need to check that they have registered or notified in their capacity as trustees, and that their notification remains valid (notification now needs to be renewed annually, whereas the old registration regime entailed renewal every three years).

  2. Implement a Data Protection Policy and communicate this to members

    In practice this means:

    • Have a document setting out the trustees' policy on Data Protection (if you have not already seen our draft policy document, please let us know).
    • Make sure that new joiner forms request that the new member give explicit consent to data about them being held for the purpose of administering and paying their benefits (again, if you need draft wording, please let us know). Expression of wish forms, and transfer request forms, particularly for transfers outside the European Economic Area, should also be amended.
    • Include reference to the Act in the scheme booklet.
    • Ensure that the trustees' own computer and paper-based filing systems are secure (see the section below on security for details).
    • Have written agreements in place with all "data processors" (anybody processing data on the trustees' behalf). This may include the employer's payroll department, administrators, actuaries, auditors, AVC providers and life insurers and others. This agreement needs to ensure that the data processors all provide a level of security acceptable to the trustees. The trustees should take steps to ensure that data processors are complying (e.g. by means of site visits or questionnaires). Again, we can provide suggested wording on request.

  3. Security

    In practice this means that both computer and paper-based systems must be sufficiently secure to prevent the data being used for unspecified purposes.

    • For computer systems, this means that firewalls and passwords should be used (remember that any computer connected to the Internet can potentially be accessed by outsiders). E-mail can be insecure and should be used with extreme caution; anything in an e-mail which facilitates specific identification of a person (e.g. a National Insurance number) brings that message within the ambit of the Act.
    • Care should be taken with paper files - locks on filing cabinets, building security measures and clean desk policies are all ways of dealing with this.
    • Security measures such as passwords for other means of transfer (e.g. sending diskettes through the post) should be considered.

  4. Audit existing data

    In this context, both the trustees and all of their "data processors" need to be compliant. Obviously, pensions administrators hold large amounts of data and ensuring its compliance can seem like a difficult task. The critical points are:

    • Take steps to identify and separate from "normal" records any data which (a) the trustees do not wish to disclose or (b) is deemed "sensitive personal data" under the Act. (This is covered below.)
    • Ensure that all data processors are in a position to comply within the required timescales with a "data subject access" request by a member to see all of the information held on them. (This is covered below.)
    • Obsolete or inaccurate data should, according to the Act, be destroyed. However, there seems to be some agreement among lawyers that for pension scheme purposes (where records are needed to check that benefits were calculated correctly in the past, for example) data can be held until the death of the last potential beneficiary, and perhaps beyond in cases of dispute. The only likely exception to this is sensitive personal data (see below).

  5. Data which the trustees do not want to disclose

    There may be some information that the trustees do not wish to have disclosed, such as details of the decision-making process in granting discretionary benefits. Although the safest route may be to avoid minuting details of this type of decision process, and simply to note that the trustees have "considered" the specific relevant details, this type of information on individuals may nevertheless arise.

    If so, it is probably best to keep such information separate from what the Act calls "relevant filing systems". The law has not clarified what this term means, but keeping such information in a format where there is, for example, no indexing which would allow a file to be opened and information on a specific individual to be immediately detected, might fit the bill (for example, keeping a separate file for such information, with no index). In practice the amount of such information is hopefully likely to be small.

    Another area concerns expression of wish forms for death benefits. Because these forms contain the names of non-members, those non-members could ask the trustees for disclosure of all information held on them in "relevant filing systems" (perhaps in connection with divorce cases, for example). Some lawyers have suggested that holding expression of wish forms in sealed envelopes with only the member's name on may be a way around this.

  6. Data subject access

    Trustees need to be able to provide members within 40 days with copies of all data held on them by the trustees and any data processors. This requires:

    • All processors to ensure that filing systems are adequate to make timely retrieval of data possible.
    • All processors to ensure that all data on a given individual can be provided in such a way that no-one else's rights are infringed (i.e. without giving the data subject a schedule with lots of other members' names on it too).

  7. Sensitive personal data

    This covers information on mental or physical health, sexuality, religion and trade union membership. For example, this may be an issue for ill-health retirement cases. All data obtained after 24 October 1998 must be dealt with in accordance with the Act. This requires:

    • Obtain the explicit consent of the member before obtaining any sensitive personal data.
    • File sensitive personal data separately from all other data. This is so that it can be easily identified.
    • Periodically, the trustees must re-obtain explicit consent from the member to hold the data. The member can require this data to be updated or destroyed.
    • It is not yet clear how the conflict between adequate record-keeping and the rights given to members to have this data destroyed will work out in practice. Hopefully we should receive some clarification on this in due course.

  8. Bulk data transactions

    Insurance proposals, bulk transfers and corporate restructuring are some of the events which may require data to be supplied to parties who are not normally data processors. The best way of dealing with this is to make the data anonymous (i.e. provide data with no NI numbers and no names). Failing this, it may be necessary to:

    • Ensure that the purpose for which the data is being transferred is not contrary to the specified purposes for which the data was given, or likely to offend against the member's rights. For example, getting an insurance quote to enable members' benefits to be appropriately dealt with may be fine, but supplying information for a corporate takeover which may potentially involve members' job losses may not. The wording of the consent obtained from members may be crucial here, and legal advice may be necessary. It is worth noting that these transactions often have very short timescales and the trustees may be asked to provide data in short order by the employer - so the trustees need to have considered their options on this.
    • Ensure that the country of destination for the data has an adequate data protection regime (the Data Protection Commission can provide help on this).

DATA PROTECTION ACT 1998

Checklist and points for action before 23 October 2001:

  1. Have the trustees registered under DPA 1984 or notified under DPA 1998, and is the registration or notification still valid?

    Action:
    • Use the search facility on the Data Protection Commissioner's website at www.dpr.gov.uk to check that the registration or notification is current. If not, notify online now.

  2. Have the trustees implemented a data protection policy?

    Actions:
    • Produce policy document.
    • Amend booklet.
    • Amend new joiner form.
    • Amend transfer-out forms.
    • Amend expression of wish form.
    • Ensure trustees' compliance with the policy for their own records (including a review of systems and security).

  3. Have the trustees ensured that their data processors comply with the policy?

    Actions:
    • Have written agreements with all data processors, e.g. actuary, administrator, life insurers, AVC providers.
    • Review systems and security of data processors.
    • Implement procedures for ensuring periodic review of data processors' compliance.

  4. Have the trustees audited existing data?

    Action:
    • Separate out any data that the trustees do not want to disclose.

  5. Are the trustees ready to disclose data to members within 40 days of receipt of a request and the subject access fee of £10?

    Action:
    • Check that all data processors are in a position to identify this data so that it can be obtained when requested.

  6. Have the trustees obtained specific consent from individuals where sensitive personal data (e.g. medical information) is held?

    Actions:
    • Separate out all sensitive personal data.
    • Check whether specific consent was obtained for any new sensitive personal data obtained after 24 October 1998. If not, obtain consent.
    • Ensure that specific consent is requested in any future cases.
    • Implement procedures for periodic review and re-requesting of consent for all cases where sensitive personal data is held.

  7. Have the trustees considered the possibility of future bulk data requirements?

    Actions:
    • If corporate re-structuring is a possibility at some future date, perhaps obtain legal advice on the wording of joiner consents.
    • Formulate a policy on making data anonymous where possible for bulk data transfers, and communicate this to data processors.

If there is any aspect of the checklist which you would like to explore in more detail, please contact your usual Barnett Waddingham consultant.

Adam Walker, September 2001.