The impact of the Data Protection Act 1998 on pension schemes

United Kingdom
Keith Webster considers the impact on pension schemes of the Data Protection Act 1998

A new Data Protection Act recently received Royal Assent. The UK government has until 24th October 1998 to comply with the requirements of the EC Data Protection Directive. However, it has announced that it will not be able to comply with the Directive by then, and the Act is not expected to come into force until early next year. Ultimately, the Act will completely replace the 1984 Data Protection Act.

Three years' grace

Given the speed with which this new law is being prepared, it is just as well that data held in relation to pension schemes is exempt from the new Act's provisions until 24th October 2001. This transitional exemption covers all information which is held solely for the purpose of calculating remuneration or pensions in respect of service in any employment. Clearly the data activities of the trustees of an occupational pension scheme and of an employer's pensions department will come within this exemption.

Who and what is affected?

One of the main aims of the EC Directive is to extend the data protection regime to manual records. The new Act does this. In fact, the definition of data is now so wide as to include almost any information held by pension schemes, in whatever format. The Act places obligations on a "data controller", which is defined as any person or body which determines the purpose for which data is held or the manner in which it is to be processed. The definition of data processing is extended so that most actions taken in relation to data are likely to come within the framework of the Act. Therefore, pension scheme trustees will come within the provisions of the new Act where they may previously have avoided the 1984 Act.

The eight principles

As with the 1984 Act, the new law is based upon a number of data protection principles. Six of the eight principles are broadly similar to those contained in the 1984 Act. They require that data must not be kept longer than necessary, must be accurate and not excessive and must only be processed fairly and for a specified lawful purpose. Of the two additions, the first new principle relates to the transfer of data to countries outside the European Economic Area. This is unlikely to concern pension schemes. However, the second new principle will place an additional burden upon pension schemes.

This principle requires the data controller to ensure that appropriate technical and organisational measures are taken to avoid unauthorised or unlawful processing of data and to avoid the accidental loss of or damage to that data. Keeping physical records secure will pose different problems from computer records. Trustees will have to ensure not only that they themselves have adequate procedures to prevent a breach of the Act, but also that the employer and the scheme administrator are fully compliant.

In order to ensure the effectiveness of this new principle, the Act requires that, where the data controller, (i.e. the trustees) uses another person to process that data, there must be a written contract governing the relationship between them. This contract must state that instructions in relation to the data may only be given by the controller and it must expressly require the data processor to comply with the provisions of the Act. This requirement is unlikely to cause a problem where trustees use an external administrator and a provision of services contract is already in place. However, it must be complied with even where administrative services are provided internally. The trustees and the employer will have to enter into a contract detailing their relationship and setting out the services to be provided by the employer. This is likely to place a rather formal emphasis on what has traditionally been an informal relationship of convenience.

Registrar by a new name

The old system of requiring data users to register with the Data Protection Registrar is to be replaced. In future, all data controllers must notify the new Data Protection Commissioner of certain specified information before any processing commences. Failure to do so is a criminal offence. The information to be notified, which includes what data is held for what purpose and who will receive it, is far from oppressive and this requirement is unlikely to cause problems. However, trustees, employers and administrators will all have to comply with this notification requirement. The trustees will not be able to rely on the compliance of their advisors or the employer. It is expected that the Commissioner will issue guidelines in due course detailing the practical requirements of this new provision.

Easy compliance?

Despite the length of the new Act, compliance with it is unlikely to cause many problems. Trustees of pension schemes will have to provide the required information to the Commissioner and ensure that they have a written contract with their data processor. Other than these simple requirements, the burden of compliance in practice is likely to rest with scheme administrators who, it is to be hoped, will already have adequate protection procedures in place.