In the final part of our General Data Protection Regulation (GDPR) and pensions series, we look at when and how trustees will have to communicate the GDPR changes with their members.
Communicating with members
Data controllers are required to share certain information with individuals whose personal data they process. The GDPR specifies what should be included in this information and how it should be written.
1. Data controllers have to provide information to data subjects
In the pensions context, this will mean trustees issuing information to members and other beneficiaries. These statements are also known as privacy notices or fair use notices.
2. Privacy notices must cover specified information
The GDPR sets out the information that must be contained in a privacy notice. This includes general information such as the name and contact details of the data controller along with more detailed information such as the purpose and legal grounds for processing.
3. The style of privacy notices is also specified
The GDPR is keen to ensure that privacy notices are as user-friendly and accessible as possible. Trustees will need to issue privacy notices in plain English and ensure that they are intelligible.
4. Privacy notices have to be issued
Privacy notices have to be issued to data subjects. This means that they have to be actively sent rather than passively displayed. In practice, for schemes that do not primarily communicate online, this is likely to mean sending a letter or email rather than displaying a notice.
What are privacy notices?
Under the GDPR, data controllers are required to provide certain information to individuals whose personal data they process. This information is often referred to as a privacy notice, but may also be called a fair use notice, a data protection notice or a data protection statement.
What form can privacy notices take?
The GDPR does not specify a particular form for privacy notices. The information can be provided in a variety of ways and doesn't have to be set out in a single document or on a single webpage. The Information Commissioner's Office (ICO) has confirmed that privacy notices can be provided:
- orally (e.g. recorded telephone messages or a script that is read out as part of accessing a telephone-based service);
- in writing (e.g. as a printed letter or statement or as a section in a larger document (for example, a section of a member booklet)); and
- electronically (e.g. in text messages, on websites, in emails and in mobile apps).
The ICO has stated that it is good practice to use the same medium that you use to collect personal information to deliver privacy notices. For many pension schemes, this may suggest a printed notice issued to individuals in the post represents good practice.
What should privacy notices include?
In order to comply with the GDPR, privacy notices should set out:
- the identity and contact details of the data controller and, if applicable, the identity and contact details of the data protection officer;
- the legal grounds for the data controller to process the personal data. If one of the legal grounds is that processing is necessary to pursue the data controller's (or a third party's) legitimate interests, the privacy notice should also explain what the legitimate interests are;
- whether the personal data is shared with a third party (this should include details of transfers of personal data outside of the European Union);
- how long the personal data is kept for (or the criteria for determining how long the personal data is kept for);
- each of the data subject rights, including the right to withdraw consent (if applicable) and the data subject's ability to lodge complaints with the ICO; and
- the existence of automated decision making, including profiling.
If the individual has provided their personal data to the data controller (e.g. a pension scheme member has filled in a form and given this to the trustee), the privacy notice should:
- explain whether the personal data is required as part of a statutory or contractual requirement; and
- set out the possible consequences of failing to provide the personal data.
If the individual did not provide their personal data (e.g. it came from another source, such as the member's employer), the privacy notice should:
- explain how the data controller obtained the personal data; and
- set out the categories of personal data that the data controller processes.
Pension schemes have a large amount of personal data that can come from different sources. Trustees may decide to cover all of the required elements so that the privacy notice will apply whether the information came from the individual or from another source.
How should privacy notices be written?
As well as specifying what needs to be in a privacy notice, the GDPR sets out how privacy notices should be written. In order to comply with the GDPR, privacy notices should be:
- easily accessible;
- written in clear and plain language; and
- provided free of charge.
Do trustees have to send privacy notices to members?
There isn't a single right answer that applies to all data controllers - it will depend on:
- how the Trustee usually communicates with its members - if it already has an online platform that handles member queries, the answer will be different to a client that relies on paper-based communication;
- the characteristics of the membership - are the members all online? Do they all have email addresses? Do most of the members still work for the employer?; and
- what the Trustee has already done in respect of privacy statements (including if it has specified that future updates will be provided via an online privacy notice).
What are the main things that pension scheme trustees will have to do next?
1. Draft or review your privacy notice
Privacy notices require a lot of information and it might therefore be more efficient to draft them towards the end of a data protection compliance project. If you already have a privacy notice in place, you'll need to review it in order to confirm that it meets all the requirements set out in the GDPR.
2. Determine whether any third parties will be covered by your privacy notice
As part of their data mapping process, trustees should have identified any third parties who are joint controllers in respect of the scheme's personal data. Trustees should consider whether these third parties need to be included in the scheme's privacy notice.
3. Decide when you will send your privacy notice and how you will send it
Many pension scheme trustees will issue privacy notices by sending a letter or email to members. If there is already a communication being planned, can the privacy notice be included as part of that communication?
4. Determine how you will update the privacy notice if there are material changes
Privacy notices may need to be updated in the future. If the trustee has indicated that future updates will be made to an online privacy notice, it will be a lot easier for updates to be made to the online version rather than sending hard copy versions.