Matthew Swynnerton gives his take on the dangers posed by the Data Protection Act 1998 on pension scheme trustees
Pension scheme trustees were handed something extra to consider when dealing with their data earlier this year. On 6 April 2010, the Information Commissioner was granted new powers to impose monetary penalties on data controllers for serious cases of non-compliance with the Data Protection Act 1998 (DPA).
The DPA sets out the eight data protection principles which everyone processing personal data must comply with. Although the data protection principles should be followed by everyone processing personal data, it is data controllers who are subject to the compliance regime under the DPA.
In the pension scheme context, it will normally be the scheme trustees who are the data controllers. They are the ones who determine why and how personal data is to be processed. Data processors are appointed by the data controllers to process personal data on their behalf, and in this context it is normally the administrators who act as data processors. In addition to following the data protection principles, most pension scheme trustees must register with, or notify, the Commissioner and failure to do so if required is a criminal offence.
The nature of the information that trustees hold means that such information is likely to qualify as 'personal data'. This is data which is capable of identifying an individual, either alone or together with other data which is held, or likely to be held, by the data controller.
The Commissioner has various powers to ensure compliance with the DPA, including the issuing of enforcement and other notices and the carrying out of an assessment. Failure to comply with a notice issued by the Commissioner is a criminal offence.
Verity Trustees Limited
In late 2009 the Commissioner found Verity Trustees Limited to have been in breach of the DPA following the theft from the trustees' administrator of a laptop containing personal details of some 110,000 individuals. The data had been downloaded by a member of staff at the administrator for training purposes in breach of the administrator's policy of using small samples of anonymised data.
The trustees were the data controllers and liable to sanctions under the DPA. In the circumstances, and in view of remedial steps taken by the trustees, the Commissioner agreed not to serve an enforcement notice and the trustees issued a formal undertaking to ensure that personal data would be processed in accordance with the principles.
The new monetary penalty notices
New provisions of the DPA give the Commissioner the power to serve a monetary penalty notice on a data controller. A monetary penalty requires a data controller to pay a fine of an amount to be determined by the Commissioner of no more than £500,000.
A monetary penalty may be imposed if: the data controller has seriously contravened the data protection principles; the breach was of a kind likely to cause substantial damage or substantial distress; and the contravention was deliberate or the data controller knew or ought to have known that there was a risk that such a contravention would occur and failed to take reasonable steps to prevent it.
Before a monetary penalty notice is served on a data controller, the Commissioner must first issue a notice of intent setting out the grounds for issuance and the proposed penalty. The data controller may then make representations to the Commissioner before a final decision is made.
Guidance has been issued by the Commissioner which explains that this new power will be used both as a sanction and as a deterrent against non-compliance. The guidance recognises that a monetary penalty notice will only be appropriate in the most serious situations, and that in practice the Commissioner will use the power as a sanction against a data controller who deliberately or negligently disregards the law.
Action points
Trustees should be aware of the sanctions for breach of their obligations under the DPA, and must have appropriate monitoring systems in place in respect of third party administrators and anyone else handling personal data. Consideration should be given to managing the risk of non-compliance, and administration and other third party agreements should be reviewed to ensure that suitable steps are being taken. In particular, the agreement should cover liability for paying any monetary penalty.
Matthew Swynnerton is a partner at DLA Piper