The good practice note sets out the main data protection issues
that pension trustees must consider when using an administrator. It
warns that trustees must not only ensure that the chosen
administrator can secure the information held by them, but must
also check that the information is being held securely
and is being processed according to their
instructions.
A written contract between trustees and administrator is
vital, says the guidance. This should clarify issues such
as how the administrator should deal with access requests; what
information should be returned to the trustees at the expiry of the
contract; and whether and for what purposes the administrator
should have access to this data after the contract ends.
“In many cases pension trustees use a pension administrator to
act on their behalf,” said Phil Jones, Assistant Information
Commissioner. “However, it is important that trustees remember they
are ultimately responsible for the processing of the personal data
involved. By highlighting examples of both good and bad practice in
the good practice note, we want to promote a greater understanding
of the steps trustees must take to comply with the Data Protection
Act.”
Louise Townsend, a data protection law specialist with Pinsent
Masons, the law firm behind OUT-LAW.COM, welcomed the guidance.
"Many pensions trustees have long known that they are responsible
for complying with the Data Protection Act but the guidance is
helpful to raise awareness of data protection in the pensions
industry," she said.
But she warned that trustees should bear in mind that data
protection issues do not stop with administrators.
Townsend, co-author of
Data Protection and the Pensions Industry, explained:
"Compliance issues may arise in relationships with employers,
actuaries, auditors, insurance companies and other third parties
such as medical advisors, and pension trustees should ensure that
they allocate responsibility for data protection compliance."