New data protection laws mean that employers and pension scheme Trustees need to have a formal agreement in place to swap personal data.
The legal landscape for data protection in Europe changed significantly on 25 May 2018, when the General Data Protection Regulation (GDPR) came into force. Running a pension scheme involves extensive collection and handling of personal data, so Trustees, Employers, Administrators, Actuaries and others are all caught by the GDPR.
By now, Trustees should have carried out an assessment of the personal data they hold. Following this, they should have issued privacy notices to members and put in place suitable data protection policies, which they are familiar with and are adhering to. In addition, Trustees should be aware of their obligations under the GDPR and what to do in the event of a data breach.
Pension schemes will also have spent a considerable amount of time ensuring that their agreements with third-party data processors or joint controllers are up to date and GDPR compliant. But one critical piece of work that may not yet have been considered for pension schemes is whether a data sharing agreement between the Trustees and the Employer(s) is also required.
The GDPR requires that data controllers have adequate protection in place for the personal data in their possession. Both the Trustees and the Employer are considered data controllers for the purposes of the GDPR, so it is important to have a data sharing agreement in place between the Trustees and Employer(s) if personal data is shared between them. This is particularly important where there is ongoing data sharing, for instance where the pension scheme is open to new members and the Employer regularly passes HR records for new joiners to the Trustees.
A typical data sharing agreement contains clauses that help Trustees and Employers comply with data protection laws in relation to the processing of any personal data in their possession. These agreements also define the sharing and processing roles of the respective parties under data protection laws, and if the Information Commissioner's Office ever investigates, the agreement helps demonstrate compliance with the GDPR.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2018. Specific advice should be sought for specific cases. For more information see our terms & conditions.