Global menu

Our global pages


What trustees should do when members ask about their data – a new code of practice

  • United Kingdom
  • Pensions


At the end of October the Information Commissioner’s Office (ICO) issued its new statutory code of practice on data subject access requests (DSARs). Along with providing additional guidance and clarity, the new code of practice is particularly relevant for schemes dealing with increased data requests from members, IFAs and claims management companies in respect of past transfers.

Why is this relevant?

The ICO is the regulator that enforces data protection laws in the UK. The new code is relevant to trustees, scheme administrators, master trusts and public sector pension schemes as they are all controllers of personal data (sometimes called ‘data controllers’). The ICO expects its new code to be adhered to when data controllers handle DSARs from individuals (including scheme members).

Many trustees and administrators are seeing increased numbers of DSARs from IFAs and claims management companies who are encouraging members (whether they have transferred out or not) to approach pension schemes for their data.

What does the code say?

The code is 80 pages long. It includes a wealth of helpful new guidance and provides clarity on several points. The following are likely to be of particular interest to trustees:

Complex requests: Where necessary, controllers (e.g. trustees) can have up to 2 months extra to deal with a complex DSAR. The normal statutory deadline for dealing with such requests is one month. The burden of proof in demonstrating the complexity of the request is on the controller.

The code clarifies what can amount to a complex request. The volume of data by itself is not sufficient. Factors such as the need to obtain specialist legal advice (perhaps in relation to exemptions) can mean a request is complex. However, this would not be the case where legal advice is routinely sought. Technical difficulties in retrieving data from electronic archives and searching large volumes of unstructured manual records (only applicable to public authorities) can also make a DSAR complex.

If trustees (or administrators – with trustee permission) decide that it is necessary to extend the time limit by two months, they must let the individual know within one month of receiving their request and explain why.

Reasonable adjustments: There is a need to consider whether reasonable adjustments need to be made for members who are disabled.

Clarification: There is a key difference between asking a member to clarify a request (i.e. to be sure what data they want) and asking them if they wish to narrow its scope. An individual might be asked if they wish to narrow the scope in certain circumstances to get to the data they really want, for example during the 6 months leading up to a transfer-out. The one month deadline can be paused only in the first scenario – until clarification is given.

Training: There is a useful reminder about the need to provide general training to all staff to recognise a DSAR. Trustees should check whether the scheme administrator is doing this. For example, the administrator should ensure that staff know that oral DSARs by telephone are valid (though the administrator would need to be sure the person is who they say they are), as are DSARs by social media messaging. Trustees should also ensure that other parties who are connected to the scheme understand and recognise a DSAR, including the pensions manager or scheme secretary for example.

DSAR packs: The code stresses the need to apply exemptions to the DSAR pack before it is sent, although this can be tricky in practice. In addition, third party personal data usually has to be blanked out or removed.

What about bulk requests?

Bulk requests are multiple requests on behalf of members for large amounts of data from the same third party. They must be considered case by case. Unless the request from a member is manifestly unfounded or excessive, which is unlikely, it cannot legally be refused. Any third party’s behaviour, such as a claims management company, should not be taken into account in assessing this.

Processes should be put in place to check that the member does want the DSAR to happen. These should include checking that the third party has authorisation from the member and proof of ID.

Trustees should also remember that they must respond to a DSAR even if only to confirm no personal data is held.

In considering a complaint about a DSAR, the ICO will consider the volume of requests received by an organisation and the steps they have taken to deal with them appropriately, even when facing a high volume of similar requests. The organisation’s size and resources are also likely to be relevant factors. The ICO has discretion as to whether to take enforcement action, and indicates it would not take such action if it is clearly unreasonable to do so. Being able to demonstrate that clear, effective procedures are in place will therefore be important.

What will the position be after the end of the Brexit transition period?

The UK GDPR (in effect the GDPR with European Union terminology replaced to work for the UK) will apply with effect from 1 January 2021 when the post Brexit transition period ends. The existing data protection requirements will therefore continue unaltered.

It will remain important to deal with DSARs properly and in a timely fashion.

What next?

The end of PPI claims has meant claims management companies are looking for alternative revenue streams, including possible claims against pension schemes where members’ GDPR rights have been infringed. This together with a recent Court of Appeal decision giving a green light to class actions for compensation claims in the UK under GDPR, illustrates the importance of making sure that DSARs are dealt with properly.

There are some practical steps that trustees can take now:

  • check with scheme administrators whether they have a DSAR protocol and, if so, has it been updated to take account of the new code. Trustees should also consider whether they need to review it themselves
  • if there is no formal protocol, consider whether the code is accounted for in other ways
  • if scheme administration is in-house, ensure that the new code is taken into account when dealing with DSARs
  • be careful not to be drawn into providing more information than is actually required – particularly where a claims management company or IFA is seeking comparator transfer value calculations in respect of past transfers-out

Don’t forget in a DB scheme, the actuary may be a joint controller with the trustees. In which case, they will have joint responsibility for DSARs.