Auto Enrolment and Data Protection
As previously reported, 1st October 2012 saw the commencement of ‘Auto-enrolment’ in the United Kingdom. Auto-enrolment requires employers to register all employees into a relevant pension scheme unless the employee chooses to opt out. Implementation is staged over several years, with the largest employers in the country going first and gradually working down to the smallest employers, with an expected completion date in 2017.
However, the scheme has already highlighted the related issue of data protection: Scottish Borders Council was recently fined £250,000 for breaches of the Act, specifically the failure of a third party to dispose properly of the Council’s pension records. The third party had been engaged by the Council to digitise its pension records; having done so, it disposed of the paper records in a recycling bin, where they were found by a member of the public. The files contained employees’ national insurance numbers, bank details and dates of birth, and the situation was further compounded when it emerged that there was no written contract in place between the Council and the third-party supplier. The failings identified by the Information Commissioner were that the Council had not:
- selected a data processor who provided sufficient guarantees for its data security measures and compliance with them;
- had a written contract in place;
- checked whether the supplier had secure data destruction facilities;
- required the secure disposal of files or the supply of suitable certificates of destruction;
- had regular monitoring in place.
This case highlights the need for employers to take due care in their preparation for auto-enrolment so as not to breach any of the eight Data Protection Principles and, ultimately, the Act itself. By way of a quick refresher, the Data Protection Act requires anyone who handles personal data to comply with the eight data protection principles, the first of which is the need to keep personal data and ‘sensitive personal’ data (e.g. NI numbers, ethnicity, health issues and bank details) secure.
Under the Act, ‘Data Controllers’ are required to comply with the Act, whilst ‘Data Processors’, who may be appointed on behalf of the Data Controller to provide services connected with the management, handling and storage of the Data Controller’s data, have no direct obligations under the Act. The law therefore requires that certain terms to protect and safeguard personal data be included in a written contract between the Data Controller and the Data Processor. As the Data Controller is ultimately the ‘person’ accountable for any breaches, it is essential that they take appropriate steps to protect themselves and their data when engaging others to provide services that give them access to that data.
Why is this relevant to Auto-enrolment?
In order to comply with their auto-enrolment obligations, it seems likely that many employers (who will be the Data Controllers) will engage others to administer the scheme on their behalf, e.g. pension providers, pension scheme trustees, administrators and payroll providers, all of whom will become ‘Data Processors’ on behalf of the employer. The employer will be wholly responsible for what those parties do with its data and must therefore have robust procedures in place to ensure compliance with the Data Protection Act. In particular, the employer will need to ensure that a written contract is in place which properly addresses data protection, and that it regularly monitors the third-party supplier’s compliance with the legislation.
Currently the maximum fine is £500,000, but this may shortly be increased to 2% of global turnover. There is therefore a clear need for employers to address this as they prepare for auto-enrolment.