Data breach – essential steps to protect pensions information and data
The recent cyber-attack suffered by Capita may have affected up to 350 UK pension funds and tens of thousands of pension scheme members. News is still emerging about the breach, but it appears that personal details of some pension plan members may have been accessed, including names, addresses, dates of birth and national insurance numbers.
Capita is working with the Information Commissioner's Office (ICO) and the Pensions Regulator (TPR) on the matter. It is the administrator for a range of pension plans, including that of Royal Mail staff. Whilst information about the attack is still emerging, it does appear that there were two separate incidents of hacking by a criminal gang using ‘ransomware’.
This incident, and others involving the hacking of payroll systems for large employers, is an important reminder to all organisations to check how secure their data is.
Pension plans are subject to the same law on data protection as other organisations, chiefly the UK GDPR. Pension plans are, however, repositories of a great deal of information about members and their families, dependants etc. Much of this information, which needs to be held to provide pension, life assurance and similar benefits, will include data protected by the GDPR. The trustees and other fiduciaries will in almost all cases be classed as data controllers. This gives them primary legal responsibility for ensuring that data is held only when required and that it is safely used and retained. A review of procedures is also needed to ensure that data which is no longer required for the legal purpose of calculating pensions etc is not retained and can be wiped or otherwise removed. As stated, pension plans are not subject to separate law on data protection, but they do face challenges unique to continued pension provision.
We set out below a hopefully useful guide to the key steps involved in a pension data protection audit check.
Recommended Checks
Policy
You should have a policy for the storage, processing and management of data. This will include, but won't necessarily be limited to, a written Privacy Policy document. This is a statement of the use you are making of member data and is disclosable at any time to members and others for whom you hold data. Your overall policy should describe the legal purpose under which you are permitted to hold and process data, and at least provide an overview of the controls, checks and audit arrangements for ensuring that all legal requirements under the GDPR are met.
Service Providers
Even small pension plans typically have an array of different supplier contracts covering the various functions carried out by third party firms, including actuarial, administration, investment etc. It is important to ensure that each service agreement states clearly: the legal purpose under which information and data will be held and transferred; the arrangements for ensuring that the provider only holds the data it needs for that purpose, and only for the duration of the supplier's legal responsibility; and the review and audit processes to ensure that all of this takes place in a legally compliant manner. The trustees will want to review these terms in light of the recent data hacking incidents, focusing in particular on:
- What regular reporting will take place on data protection audit and systems audit checks?
- What responsibility does the service provider have to tell the trustees if a breach or other incident occurs? What standard of care and skill is the service provider required to maintain?
- How is the service provider ensuring that it only holds the data it needs?
- Is there a concern that overlapping responsibilities of more than one service provider create a potential liability gap, particularly where data is passed between service providers?
You may need to check these agreements at short notice, so you need to ensure that a comprehensive set of agreements, including your policy documents, is readily to hand.
What Happens If That…
A useful exercise is to check your processes in the event that a data breach occurs or a subject access request is made. Any person (whether a pension scheme member or not) for whom you hold data can request information on the data you hold and the purpose for which you hold it. If a data breach occurs, as a data controller you must report it to the ICO within 72 hours of discovery.
Most pension plans are subject to the jurisdiction of TPR, and any breach or potential breach of legislation, including the GDPR, is reportable to TPR. It is also useful to check on arrangements for ‘friendly access’ to data. An employer, for instance, will have its own data protection responsibilities, but one would normally want to coordinate with the trustees in relation to pension data. An employer will be able to access and hold certain pensions data (such as, for instance, information on pensionable pay for a member of staff) but will not necessarily be legally entitled to hold other information, such as staff retirement plans, health etc; this other information might, however, be legitimately held by the trustees or fiduciary running the plan.
It is important that any transfer of data or other access between employer and trustees is clearly covered by a written, legally binding agreement (notwithstanding that the two bodies are connected), and that the data involved is audited to ensure that legislation is duly complied with in the process.
A further scenario planning exercise under this heading might consider how quickly the trustees could meet, and in what forum, in the event of a data breach, and at what stage members and others would be informed of the breach.
A Reminder on Penalties
A data incident can obviously lead to reputational damage and the costs of investigating and rectifying the incident. The ICO can impose a monetary penalty of up to £17.5m or 4% of the organisation's worldwide turnover for the previous financial year. TPR also has powers to investigate and impose penalties.
What Next?
Option 1 Own Review
Use a simple guide to carry out your own review. Many organisations will choose to carry out their own review.
We hope the points made in this note provide a useful guide to this exercise.
We are on hand to assist with any issues or gaps which are found as a result of your own review.
Option 2 Pensions Data Compliance Audit
We will carry out a data compliance check of:
- Policy terms
- Service provider agreements
- Dated body (chiefly employer) access and agreements
- Scenario plans providing a checklist of steps in the event of a data breach and a data access request
Cost £2,000 plus VAT. This includes a report on findings and any recommendations for action.
Option 3 Combined Review
The above pensions exercise can be combined with a deep dive review of the underlying data systems and processes, carried out with the pension team by our Cyber Security Team. Part of the problem in relation to data security is that a degree of technical expertise is needed to assess the IT systems which are used to manage data. Reports on the Capita breach, for instance, referred to the ‘Amazon Data Bucket’ used and whether this was properly secured. The language used can be quite opaque and technical, leaving trustees and others unclear whether they are really equipped to ask the right questions. A related issue is that technology, including that used by cyber hackers, is continually developing, and so what appears a robust IT system in one year might subsequently prove less reliable. We can work with our cyber security team to check not just the pension documents and arrangements which you have but also the viability and security of the underlying IT systems being used, at a cost of £5,00 plus VAT.
Irwin Mitchell is a large and multi-faceted law firm. There are also a large number of support services to our various activities across multi-party litigation, investment, trustee services etc. In short, we have to be set up to handle ‘big data’ projects and processes. To support and manage this we have an in-house specialist Cyber Security Team. The team is able to carry out a technical cyber security review for all of our systems and for clients.