Ian Chapman-Curry
Legal Director
PSL legal director
In the final part of our General Data Protection Regulation (GDPR) and pensions series, we look at when and how trustees will have to communicate the GDPR changes to their members.
Data controllers are required to share certain information with individuals whose personal data they process. The GDPR specifies what should be included in this information and how it should be written.
In the pensions context, this will mean trustees issuing information to members and other beneficiaries. These statements are also known as privacy notices or fair use notices.
The GDPR sets out the information that must be contained in a privacy notice. This includes general information such as the name and contact details of the data controller along with more detailed information such as the purpose and legal grounds for processing.
The GDPR is keen to ensure that privacy notices are as user friendly and accessible as possible. Trustees will need to issue privacy notices in plain English and ensure that they are intelligible.
Privacy notices have to be issued to data subjects. This means that they have to be actively sent rather than passively displayed. In practice, for schemes that do not primarily communicate online, this is likely to mean sending a letter or email rather than displaying a notice.
Under the GDPR, data controllers are required to provide certain information to individuals whose personal data they process. This information is often referred to as a privacy notice, but may also be called a fair use notice, a data protection notice or a data protection statement.
The GDPR does not specify a particular form for privacy notices. The information can be provided in a variety of ways and doesn't have to be set out in a single document or on a single webpage. The Information Commissioner's Office (ICO) has confirmed that privacy notices can be provided:
The ICO has stated that it is good practice to use the same medium that you use to collect personal information to deliver privacy notices. For many pension schemes, this may suggest a printed notice issued to individuals in the post represents good practice.
In order to comply with the GDPR, privacy notices should set out:
If the individual has provided their personal data to the data controller (e.g. a pension scheme member has filled in a form and given this to the trustee), the privacy notice should:
If the individual did not provide their personal data (e.g. it came from another source, such as the member's employer), the privacy notice should:
Pension schemes have a large amount of personal data that can come from different sources. Trustees may decide to cover all of the required elements so that the privacy notice will apply whether the information came from the individual or from another source.
As well as specifying what needs to be in a privacy notice, the GDPR sets out how they should be written. In order to comply with the GDPR, privacy notices should be:
There isn't a single right answer that applies to all data controllers - it will depend on:
Privacy notices require a lot of information and it might therefore be more efficient to draft them towards the end of a data protection compliance project. If you already have a privacy notice in place, you'll need to review it in order to confirm that it meets all the requirements set out in the GDPR.
As part of their data mapping process, trustees should have identified any third parties who are joint controllers in respect of the scheme's personal data. Trustees should consider whether these third parties need to be included in the scheme's privacy notice.
Many pension scheme trustees will issue privacy notices by sending a letter or email to members. If there is already a communication being planned, can the privacy notice be included as part of that communication?
Privacy notices may need to be updated in the future. If the trustee has indicated that future updates will be made to an online privacy notice, it will be a lot easier for updates to be made to the online version rather than sending hard copy versions.