Below, I pick out what I consider to be some of the biggest challenges facing trustees in this area and give some tips for managing them.
Risk 1 – Human error
Pension scheme administrators manage huge volumes of member data and queries daily. Just consider the personal data that is required when a member simply asks for their benefits to be put into payment: bank details, address, proof of ID, payment instructions, level of benefits… a worrying list.
The scope for human error is significant. Indeed, it is the most frequent cause of data breaches that we tend to see in practice: not noticing that the auto-filled email address is going to the wrong recipient; adding the wrong attachment to an email; collating two separate members’ letters in one envelope. And prolonged working from home has perhaps added more scope for mistakes: we’re unlikely to have the same facilities available to us, and it isn’t as easy to quickly sense check something with a colleague.
My top tip – training. And more training. Seek it out, record that you have done it, and refresh your knowledge and awareness regularly. Quiz your administrators and other third-party providers on what they are doing to help understand and manage data breaches and reduce the incidence of errors. If you address these risks more regularly through training, you consciously reduce the scope for error. As a bonus, documenting your training can help you respond to any complaints that may end up with the Information Commissioner’s Office (ICO).
Risk 2 – Cyber attacks
The pensions industry has reported a surge in cyber attacks over the last 18 months, with The Pensions Regulator (TPR) before that reporting a 148% increase in cyber-attacks against it between 2018 and 2019. Pension schemes are an attractive target when you consider a simple ‘package’ containing a member’s name and address can sell for up to £10 on the dark web. Add in a photocopied passport and that’s worth up to £60.
The chances are that, like me, you are not a cyber security specialist. But we can take steps to manage this risk. As well as regular training on the theory, ensure that you have robust processes in place so that you know what to do if a breach occurs in practice. My top tip on this one is review your data breaches and incident response policies, circulate them amongst your fellow trustees, and consider running a simulation to test what you would do if a sophisticated breach of your scheme data occurred.
Risk 3 – Complaints culture and Data Subject Access Requests (DSARs)
The DSAR is a powerful right and its purpose is to allow individuals to understand what information is held about them. However, increasingly we are
seeing DSARs being used for a collateral purpose, often at the behest of a claims management company.
Complaints culture has been on the rise in the UK, and the pensions industry is not immune. On a scheme level this may show as an increase in Internal Dispute Resolution Procedure (IDRP) complaints. At industry level this is illustrated by the proliferation of complaints management companies. A key tool in their armoury is the DSAR. We have seen rising numbers of DSARs. Indeed, some of you may have already experienced a spike in claims preceded by DSAR requests, for example in the context of historic transfers out of your scheme.
And not only are they on the rise, but they are a double-edged sword: on the one hand, the content of a response to DSAR may fuel a complaint under your scheme’s IDRP and to the pensions ombudsman; on the other hand, your handling of the DSAR request itself could result in a complaint against you before the ICO.
If you are not yet convinced, consider this quote from a claims management website: “those in breach of GDPR must be held to account and the door is now open to victims to claim”. And this, from one such company’s standard DSAR request on behalf of a member: “if our request is not satisfied we will be forwarding a complaint to the Information Commissioner’s Office and seeking a judicial remedy”.
Our top tip here is to monitor DSAR volumes from third parties, and review how you respond to them. It may not always be appropriate to provide a complete copy of the member file in the first instance, for example.
Conclusion
Ultimately, we can take all the necessary precautions, deploy the best software, the best training and maintain the best control over our systems and records, but we know data breaches can still occur. Your goal, then, should be to show that you have acted reasonably in managing risks and then responding appropriately when a breach occurs or a complaint is received. If you can do that, there is less scope for the ombudsman to criticise you, and it will also stand you in good stead should a complaint reach the ICO.
How to achieve this goal? Be prepared. Know your policies. Follow your polices. Monitor DSARs. Thoroughly record any data breaches in your log, including the remedial action taken and how you will reduce the risk of similar breaches in the future. And keep records of your training sessions.
Sounds like a lot, but as a first step why not put data security on the agenda for your next meeting? That may be a better start than an unexpected knock on the door from the ICO.
Notes/Sources
This article was featured in Pensions Aspects magazine May 2021 edition.
Last update: 1 August 2024