17 May 2022
The pensions dashboards programme is being implemented with the aim of enabling future retirees to access information about all their retirement savings in one place, making it easier for them to plan for retirement. The Money and Pensions Service (MaPS) has been leading a project to create a "dashboards ecosystem" in which savers can request their information and view any matching responses from pension schemes and also from the Department for Work and Pensions (DWP) in relation to state pensions.
This will be a significant change for those running pension schemes. At present, they are accustomed to receiving requests from members for information about their benefits on an ad-hoc basis, particularly as they approach retirement. But once the dashboards programme is implemented, they are likely to receive considerably more requests from scheme members at different points in their working lives, and to have to provide the relevant data within fairly short timescales.
The increase in this sort of activity will necessarily mean an increase in the amount and type of personal data processed by pension schemes, bringing with it issues under the UK GDPR. For most schemes, the management of scheme data and the administration of the scheme is undertaken on behalf of the scheme trustees by a third-party administrator. Administrators will need to ensure their systems are ready to interface with the dashboards ecosystem so that individual schemes can meet their disclosure obligations; failure to do so may expose them to liability and reputational risks. At the same time, they must take care that privacy requirements are not overlooked in favour of those other obligations.
While MaPS is creating a pension dashboard which individuals can use to access their pensions information, commercial providers are likely to have scope to create their own dashboards. These will need to meet the standards proposed by MaPS in order to be allowed to operate within the dashboard ecosystem, and will also need to be FCA authorised to provide this service.
Indicative draft regulations were published for consultation earlier this year. These draft regulations include proposed timescales which describe, broadly, three stages:
First: the largest schemes with 1000 or more relevant members will be required to connect by dates between 30 June 2023 and 30 September 2024, depending on the type of scheme and the number of relevant members (broadly, those who are not yet receiving a pension).
Second: medium sized schemes with between 100 and 999 relevant members are to connect by dates between 31 October 2024 and 31 October 2025, again depending on the type of scheme and number of relevant members.
Third: small schemes, with fewer than 100 relevant members, are not yet required to connect, but the government expects that they will be required to connect from 2026.
In practice, most schemes will be required to connect during the month before their staging date. However, the biggest master trust schemes will have a "connection window" of three months ending with their staging deadline of 30 June 2023.
There will be some flexibility for schemes in that they will be able to connect early (this may be of help for third party administrators looking to phase the connection dates of their clients) and also an ability to defer connection for a period in limited circumstances, such as where a change in administrator is planned.
However, some industry commentators have suggested that the above timetable is too ambitious. The aim is to deliver a good user experience that complies with privacy and other consumer regulations. The risk is twofold: schemes may not be ready to provide full or accurate data within the relevant timescales by the proposed dates, and a user logging on in the early days of the dashboards will not necessarily receive all of their records, because the staggered implementation dates mean not every scheme will yet be connected. This could lead to a deferral of staging dates or, potentially, a grace period around connection dates to allow schemes some flexibility in their approach.
Under the UK GDPR, trustees as data controllers are required to identify and document the basis on which they will lawfully process any personal data. For most schemes, much of their processing activity will likely be done on the basis that it is in the legitimate interests of the trustees; that is, the trustees need to process personal data in order to properly run the scheme and their right to do so is not outweighed by any conflicting rights of scheme members. However, there are circumstances in which another lawful basis for processing may apply and, in particular, a different basis may be more appropriate where trustees are disclosing scheme data to the dashboards. The recent consultation on the dashboard regulations suggests that compliance with a "legal obligation" may be an appropriate basis for disclosure, which seems sensible.
Trustees will need to make their own assessment, record their reasons for selecting a particular basis, and disclose the basis they have chosen by updating their privacy notice, which they must take reasonable steps to bring to the attention of their data subjects (i.e. the members). Trustees must ensure that privacy notices provided to members are clear and easy to read and cover all of the requirements of the UK GDPR. In particular, they must:
Alongside privacy notices to individuals logging onto their service, dashboard operators will also need to ensure user consent is gained for any cookies or similar technologies used to improve user experience or dashboard design.
The DWP has proposed that trustees or managers of schemes should set their own criteria for determining whether they hold information on a particular individual that should be disclosed. But it is recognised that this could present some challenges. If the matching criteria are set too widely, schemes may end up disclosing information about the wrong person, in breach of their data protection obligations; if the criteria are set too narrowly, schemes may fail to return records they do hold and so not comply with their dashboard disclosure obligations. Careful thought will therefore be needed around these issues.
The Information Commissioner's Office (ICO) indicates that a data protection impact assessment (DPIA) must take place before any processing which is likely to result in a high risk to individuals begins, and that it is "good practice" to perform a DPIA before any major project which requires the processing of personal data. Trustees should therefore consider performing a DPIA before connecting to the dashboards, even if they conclude that one is not strictly required.
If the scheme has opted to rely on legitimate interests as the basis for some or all of the data processing needed to connect to a dashboard, then a legitimate interests assessment (LIA) should be conducted as well. An LIA stress-tests reliance on the legitimate interests basis to confirm that it is the most appropriate option in each case. Data controllers must not only comply with the UK GDPR but must also be able to demonstrate compliance, so a documented DPIA is useful evidence of the trustees' approach, particularly in the event of a breach. Similarly, records of processing activities (ROPAs) are required for many types of data processing, and both schemes and dashboard operators are likely to need to create them to cover dashboard connection and use.
Pensions related data shared with the dashboards will not necessarily include personal data that is considered legally sensitive (“special category data”), but if it does, additional protections will apply. Even where the data is not special category data, members are likely to expect financial information to be treated as highly confidential. This means cybersecurity will need to be robust.
The ICO will be prepared to investigate any concerns raised by individuals and also has the power to initiate audits without consent. Trustees should therefore embrace the principles of privacy by design and by default when connecting to dashboards, so that there is no conflict between their compliance with pensions regulation and their privacy obligations.
The government is analysing feedback to its consultation on the design of the pensions dashboards. With the emphasis on the parties involved determining their roles and data protection obligations in the process, it will be important to keep a watching brief on any developments, and how they might affect compliance obligations.
By several authors