Volume 2017 | Issue 62
Download this FYI as a printable PDF
One of the rights of individuals under the General Data Protection Regulation (GDPR) is to be given information about the processing of their personal data, commonly referred to as a privacy notice.
This is the third in a series of six briefing notes about the GDPR that takes effect in the UK from 25 May 2018.
Transparent Information
The information that the data controller provides to the individual must be concise, transparent, intelligible and easily accessible, using clear and plain language. It shall be provided in writing, or by other means (e.g. orally on the telephone or by electronic means, such as via email or on a website).
What information must be given?
Information (where applicable) to be given at the time personal data is obtained from the individual |
Identity and contact details of the controller, their representative(s) and data protection officer. |
Purposes of the processing and the legal basis for processing. |
Legitimate interests of the controller or third party (where this is the legal basis for processing). |
Recipients or categories of recipients of the personal data. |
Details of transfers to countries outside the European Economic Area and the safeguards in place. |
Retention period or criteria used to determine that period. |
In relation to the personal data, the following rights: access; rectification; erasure; restrict processing; data portability. |
Right to withdraw consent at any time (where this is the legal basis for processing). |
Right to lodge a complaint with the Information Commissioner’s Office. |
Whether the provision of personal data is a statutory or contractual requirement or obligation and possible consequences of failure to provide such data. |
Existence of automated decision-making, including profiling and information about how decisions are made, the significance and the consequences. |
Where the controller intends to further process the personal data for another purpose (not disclosed) the controller must provide the individual with any relevant additional information before that further processing takes place. |
Data collected by a third party
Where the data is collected by a third party rather than given by the individual, in addition to the information shown in the table above, the controller must give the individual information about the categories of personal data and the source of the personal data and whether it came from publicly accessible sources. Also, in these circumstances, the information has to be given to the individual within a reasonable period of having obtained the data (within one month). If the data is being used to communicate with the individual, it must be given when the first communication takes place or, if disclosure to another recipient is envisaged, before the data is disclosed.
Impact on Pension Schemes
Privacy notices are usually given to members on joining the pension scheme, either within the application form or the booklet. Where employees are automatically enrolled or opt in to the pension scheme, an application form cannot be used, so it’s likely that the information would be found in the booklet.
There are also other times where personal data, possibly within the special categories of personal data (see the table below; for example, sexual orientation) is collected from members, beneficiaries or potential beneficiaries. For instance, when a member completes an expression of wish form (and the form is not kept in a sealed envelope until the member’s death); when a pension or lump sum is due to be paid to a beneficiary following the death of a member (e.g. bank details, evidence of birth); when the trustees are seeking relevant information to determine to whom to distribute death benefits. This latter instance may also result in personal data, possibly within the special categories of personal data (e.g. sexual orientation), being provided by third parties about potential beneficiaries.
The pensions industry has asked the Information Commissioner’s Office (ICO) for guidance on how to treat personal data used in consideration of death benefit cases.
As a privacy notice has to give information about the purpose for the processing it’s likely that the original privacy notice will not give enough detail to cover liability management exercises, such as pension increase exchanges or buy-ins or buy-outs. Therefore, where such an exercise is being considered a privacy notice may need to be given to affected members at the outset. Alternatively, it may be possible for the trustees to pseudonymise the data (see the table below).
Recommended Actions for Employers and Trustees
- Review existing privacy notices to check they cover all the relevant points.
- Or, alternatively, produce one or more new GDPR-compliant privacy notices and issue to all members (and beneficiaries).
- Consider issuing the notice with the next communication (e.g. annual newsletter, summary funding statement, pension increase update notice for pensioners).
- Consider privacy notices where liability management exercises are being envisaged.
Further Reading
- Information Commissioner’s Office (ICO): Overview of the GDPR
- ICO: Privacy notices code of practice
- FYI: Preparing for the GDPR
- FYI: GDPR and Pension Schemes: Controllers and Processors
- FYI: GDPR and Pension Schemes: Lawful Basis for Processing
- FYI: GDPR and Pension Schemes: Rights of Individuals
- FYI: GDPR and Pension Schemes: Personal Data Breaches and Penalties
- FYI: GDPR and Pension Schemes: Transfers Outside the European Union
Types of Personal Data
Personal data | Special categories of personal data (‘sensitive data’) | Pseudonymous data |
This is any information relating to a living individual who can be identified (directly or indirectly) by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
The definition is more expansive than that under the Data Protection Act 1998, reflecting changes in technology (e.g. an IP address is deemed to be personal data). |
This replaces the current definition of sensitive personal data, but is essentially the same. It would include:
The GDPR generally prohibits processing of this personal data without the individual’s explicit consent. |
This is a new category of data. The personal data is processed in such a manner that it cannot be attributed to a specific individual without the use of additional information. The additional information must be kept separately and subject to technical and organisational measures to ensure the data is not attributed to an identified or identifiable person. |