Pension schemes hold significant amounts of valuable data and large volumes are often transferred to and from the employer and advisers. As a trustee or someone running a public service scheme you need to put controls in place to ensure the security of member data.
This will help protect you against fraud and meet your duties under data protection law. It’s vital that their benefits aren’t put at risk because of poor controls on scheme data.
Measuring risk
Your internal controls for measuring and mitigating risks to the scheme should include a risk register. You should record both known and potential risks. You should measure these and use them as indicators to make risk-based decisions.
You should perform risk assessments every year to identify whether your security procedures, systems and internal controls are fit for purpose. Do they prevent and detect errors, and will they help mitigate new risks?
Risk management is an ongoing process. You should continually review exposure to new and emerging risks to data security.
General Data Protection Regulation (GDPR)
You need to make sure that member records are complete and accurate, and you put controls in place to make sure member data is secure. This is needed so you can meet your duties under GDPR.
You should work with your administrator to make sure that the right controls are in place. These may include:
- making sure you and your administrator are trained in the principles of GDPR
- ensuring you report any data breaches and you receive reports of breaches from your administrator
- taking steps to ensure the quality of data is continuously improved
- ensuring that appropriate security measures are in place for staff that can access scheme and member records
- ensuring that appropriate security measures are in place where you provide members with online access to their pension
- considering what controls you need on the use of social media
The Pensions and Lifetime Savings Association (PLSA) has produced a GDPR made simple guide to help schemes understand GDPR and its rules.
The Information Commissioner’s Office also offers information and updates on GDPR.
Cyber security
You should take steps to protect scheme members and assets from criminals. This includes protecting them against cyber risk.
Cyber risk is the risk of loss, disruption or damage to a scheme or its members due to its information technology systems and processes failing. It includes risks to information – data security – as well as assets, and both internal risks from staff, and external risks from hacking and computer misuse.
You should have an incident response plan in place to deal with incidents and enable the scheme to swiftly and safely resume operations. Make sure you also understand your third-party suppliers’ incident response processes.
You should take steps to build your ability to assess and minimise the risk of a cyber incident occurring, and to recover when an incident takes place.
Work with all relevant parties to define your approach to managing this risk. This includes in-house functions, third party service providers and employers.
You should have an effective system of governance in place to minimise potential security risks. These internal controls should be proportionate to the size, nature, scale and complexity of the scheme’s activities and the data it holds.
Procedures like this allow you to maintain accurate and up to date member data and keep it secure.
If you’ve outsourced the management of scheme data, you need to understand what systems and controls your administrator is using. You should have data security as part of the service level agreement in their contract.
For more information, see our cyber security guidance.
Business continuity planning
You should have a business continuity plan in place. This sets out the actions to take if certain events occur that affect the running of the scheme.
If your scheme is very small and administration of it isn’t complex, the business continuity plan can be very simple. However, the risks are likely to be the same as those faced by larger schemes.
Without adequate continuity planning, an employer insolvency can interrupt the ability to carry out essential functions – read the Pension Protection Fund guidance on issues you should consider as part of risk management.
If you use a third-party administrator, you should understand your provider’s business continuity arrangements. You need to be confident that they reduce any risks to member data and benefits. Their plans should cover the winding-up of their own business.
Take time to understand where the liability lies if processes are interrupted or a breach takes place.
Disaster recovery
The business continuity plan should ensure that where there’s physical damage to the administrator’s premises:
- data will continue to be available and accurate
- core scheme financial transactions can continue to be processed accurately and promptly
- computer hardware and software will be maintained
- records are secure and retrievable
- data will be regularly backed-up and tested
Make sure the administrator:
- reviews the plan at least annually to reflect any changes to staff, roles, scheme membership, service providers or systems
- tests the plan regularly to make sure it works in practice
- provides a written declaration confirming that the business continuity plan is up to date and when it was last tested