7 cyber security recommendations for trustees
9th October, 2023
Recent high-profile cyber incidents are an important reminder for trustees that pension schemes hold a lot of information that criminals would like to get their hands on. Even though most trustees delegate the day-to-day running of their schemes to third-party administrators, the trustees remain ultimately responsible for the security of that information.
With information security about to be given a higher profile by the Pensions Regulator in its prospective General Code, what should trustees and administrators be doing to ensure they have an effective system of governance when it comes to their members' data and other sensitive or confidential scheme information?
1. Prepare, maintain and from time to time revise an Information Security Policy
The Policy should cover UK GDPR, Data Protection Act 2018 and Cyber Security. Also, appendices to the Policy can be used as a ‘home’ for ancillary documentation such as forms for data subject access requests and incident response plans (for data breaches and cyber incidents).
2. Ensure trustee knowledge and understanding (TKU) policies include cyber risks
Trustee training should include regular refreshers on data protection and cyber. New trustees must have the relevant knowledge and understanding (TKU) to perform their role within six months of appointment. Their induction should encompass information security, including their scheme’s policies and procedures.
Consideration should also be given to breach simulation exercises.
3. Ensure there is a formal Record of Processing Activity (ROPA) for the scheme based on a data mapping exercise that is reviewed regularly
ICO guidance is that ‘there is a formal, documented, comprehensive and accurate ROPA based on a data mapping exercise that is reviewed regularly’.
There is helpful guidance on the ICO website:
- Records of processing and lawful basis | ICO
- How do we document our processing activities? | ICO
- Privacy and Data Protection (legalnodes.com)
The National Cyber Security Centre (NCSC) also has its own guidance on ‘supply chain mapping’ – Mapping your supply chain – NCSC.GOV.UK
It is imperative that trustees closely monitor which service providers, including sub-contractors, process personal data relating to their pension scheme.
Remember that former third-party administrators (TPA) often hold on to scheme data for many years after the trustees of a scheme replace them with a new TPA. If the former TPA has a cyber incident that impacts on the scheme, then the trustees are still considered a controller in relation to the data that is impacted even though the former administrator is no longer an active processor for the trustees.
4. Conduct Data Protection Impact Assessments (DPIAs) as part of trustee accountability obligations and wherever processing could result in a high risk to the rights and freedoms of individuals
DPIAs are not always mandatory, but they are an essential part of trustee accountability obligations. Conducting a DPIA is a legal requirement for any type of processing, including certain specified types of processing, that is likely to result in a high risk to the rights and freedoms of individuals.
Moreover, by considering the risks related to their intended processing before they begin, trustees also support compliance with the general obligation under UK GDPR for ‘data protection by design and default’.
Guidance from the ICO is available at – What is a DPIA? | ICO
Specific examples where a DPIA should be considered are:
- Risk transfer exercise (buy-outs and buy-ins)
- Changes of administrator
Also, the Pensions Regulator (TPR) has stated in initial guidance on pension dashboards that matching, combining, or comparing data from multiple sources requires a DPIA under the UK GDPR.
Trustees may therefore need to carry out a Data Protection Impact Assessment (DPIA) before connecting with the pensions dashboards ecosystem, noting the new single connection deadline of 31 October 2026.
5. Where administration is ‘offshore’ ensure compliance with rules on transfers of data outside the UK
Trustees need to ensure compliance with transfers of data outside the UK (note that since ‘Brexit’, overseas transfers are not just an issue in relation to transfers outside the EU).
Download our checklist to consider whether trustees, as data controllers, are compliant with data protection requirements, whether service providers are fulfilling their contractual obligations, and whether schemes can evidence an effective system of governance.
Transfers outside the UK should be recorded in the pension scheme’s data mapping records.
6. Put in place formal Data Sharing Agreements where information is shared with other data controllers such as scheme employers
Whilst not an explicit legal requirement, ICO guidance states that the ICO considers it “good practice” to have a data sharing agreement in place where controllers share personal data with other controllers (e.g. trustees and employers, or trustees and parties involved in buy-out transactions).
Guidance is available at – Data sharing agreements | ICO
7. Check that your service providers have the right cyber security controls
TPR expects cyber risk to be included on risk registers and reviewed at least annually. Further, in addition to maintaining their own ‘cyber hygiene’ (something that should be covered in an Information Security Policy – for which, see above), trustees should take steps to ensure they are satisfied with the controls of their service providers. This is not a once-and-done exercise; trustees should obtain annual reassurance that providers have maintained relevant accreditations.
Existing policies, procedures and processes should be reviewed for the introduction of pensions dashboards (including Privacy Notices, which will need to be updated for sharing information with dashboards).
Also, trustees should ensure that they are kept up to date with changes in legislation. The Data Protection and Digital Information (No. 2) Bill has had its second reading in Parliament and is due to move to the Report Stage on a date yet to be announced. The Bill, when enacted, will make changes to the Data Protection Act 2018 and the UK General Data Protection Regulation. It is likely that trustees of pension schemes will need to update their information security policies, ancillary documentation and Privacy Notices.