30 October 2023
TPR's recent blog has emphasised its efforts to work more closely with pension scheme administrators – unsurprisingly so because administrators are at the heart of making sure that a pension scheme is properly run.
It is crucial that trustees ensure the document that governs that relationship – the administration agreement – is robust. The problem for many trustees is that their administration agreement will have been in place for many years and will not have been substantially reviewed, even though there may have been additional services or GDPR-related language added. Trustees now face greater legal risks than ever before; these may arise, for example, from increasing cyber threats or an increased governance burden, and the importance of having good scheme administration will become even more pronounced when pensions dashboards finally come online. Having appropriate administration terms in place, which properly reflect the world in which trustees operate, will help protect them from legal and reputational risks.
If there was any doubt on the matter, the forthcoming General Code makes absolutely clear that trustees are responsible for scheme administration, even though this is very often outsourced to a third-party supplier. The Pensions Regulator expects trustees to include administration as a regular item at meetings, to monitor the performance of their administrator and to receive regular reports. The Code recognises the importance of having adequate contractual terms; this is so that trustees can rely on those terms to drive improvements, to manage any change of supplier, and to hold the administrator to certain standards such as having an adequate business continuity plan.
Trustees, as data controllers, should also be aware of the importance of properly managing their administration arrangements in order to limit their risks under data protection laws. UK GDPR allows individual data subjects to bring direct claims against controllers where the data subject suffers damage as a result of something done (or not done) by a data processor. This would apply, for example, where a trustee engages an administrator who then loses member data with resulting damage. The controller (i.e. the trustee) will have a defence to the data subject's claim if it can prove that it is "not in any way responsible for the event giving rise to the damage". If a trustee is to rely on this exemption, it will need to be able to show that it took reasonable steps in appointing, monitoring and managing its processor. This starts with having the right contractual terms in place. The UK GDPR sets out in some detail the data processing terms that must be included, and administrators should be aware of these, so the process of implementing or updating terms should not be a difficult one.
So, for trustees who are negotiating a new administration agreement or considering dusting off and updating an old one, we recommend that you think about the following:
Our recommendation to any trustees wondering if their administration agreements are fit for purpose is to take advice. It is always better to make sure your documents cover different scenarios than to try to manage issues on an ad hoc basis.
by Anna Taylor and Mark Smith