Ensuring vigilance on pension data transfers
Pension schemes that transfer personal data outside the European Economic Area (EEA), through the use of ‘Standard Contractual Clauses’ (SCCs), should have updated their contracts by 21 March 2024 to permit those transfers to continue. Otherwise, there could be a risk of breaching data protection rules.
As a reminder, the UK General Data Protection Regulation (GDPR) Act of 2018 controls how people’s personal information is used by organisations, businesses or the Government. It also includes restrictions on international data transfers (known as ‘restricted transfers’), including transfers occurring within the EEA. In short, personal data cannot be transferred outside the UK without appropriate measures to ensure that the data is ‘adequately protected’. The measures deemed appropriate under the UK GDPR rules include:
- adequacy decisions
- binding corporate rules
- approved code of conduct
- standard contractual clauses.
The Information Commissioner’s Office (ICO) is the UK’s public body – sponsored by the Government’s Department for Science, Innovation and Technology – that upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. In March 2022, the ICO introduced two new types of standard contractual clauses: the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum (Addendum), which replaced the old European Commission Standard Contractual Clauses used by UK data exporters to transfer personal data outside the UK. Note: if relying on the new EU SCCs (issued 04 June 2021), implementing the Addendum ensures these remain valid for UK restricted transfers.
The new contractual clauses were to be used for data transfer agreements entered into after 21 September 2022. The ICO granted a grace period until 21 March 2024 for UK entities to update their existing data transfer arrangements to use either the IDTA or Addendum to the new EU SCCs. These ensure the right data protection safeguards are in place for data transfers.
However, before entering into any standard contractual clauses, the data exporter making the restricted transfer must carry out a Transfer Risk Assessment (TRA) to ensure the personal data of individuals in the transfer remain appropriately protected when with the receiving data importer in the destination country. The ICO published guidance and a TRA tool to support organisations in meeting this requirement.
How does this affect UK pension schemes?
Where pension schemes have contracts in place with an element (or potential element) of data being transferred internationally, contracts should be updated to reflect the legal changes that have taken place since Brexit, including updated guidance from the ICO, by 21 March 2024. What this means in practice is that any data transfer arrangements using old EU SCCs must be updated with either the IDTA or Addendum to the new EU SCCs to still comply with UK GDPR.
As a trustee of a pension scheme, the 21 March deadline should be a concern for you, particularly in relation to service providers which may or may not transfer some of the personal data of your members abroad. For example, if your scheme has been using Standard Contractual Clauses to permit restricted transfers, trustees have a responsibility to check whether the wording of these has been updated using one of the two new documents.
Where your scheme data is being transferred abroad (whether that transfer is being made by the scheme itself or its service providers), schemes should have already taken steps to begin the transition to the new set of standard terms.
What are the consequences for not acting?
If action is not taken, there is likely to be a technical breach of UK GDPR. Failing to update existing arrangements by the end of the grace period and continuing to transfer personal data to third countries using the old EU SCCs will result in a breach of the UK GDPR. It is worth bearing in mind that the ICO can impose fines on businesses and organisations of up to £17.5m or 4% of total annual worldwide turnover (whichever is higher, based on the last financial year) for non-compliance with its GDPR-related mandates.
Actions for pension schemes
Where pension scheme data is being transferred abroad (whether that transfer is being made by the scheme itself or its service providers), trustees should take steps to comply with the transition to the new set of standard terms and undertake any TRAs, if they have not already done so.
Where SCCs are being used in transfer agreements between the administrator and a third party, pension scheme trustees should confirm with the administrator that either the new IDTA or Addendum is being used and TRAs have been completed. To avoid risking a potential technical GDPR breach, trustees should also make sure that any SCCs used by the pension scheme or the administrator/other third parties have been updated.