Association of Consulting Actuaries · Radisson Blu Hotel, Manchester Airport 22 September 2017...
Radisson Blu Hotel, Manchester Airport
22 September 2017
Association of Consulting Actuaries
2017 Northern Conference
Kate Atkinson
Senior Associate
Joanna de Fonseka
Associate
Agenda
Why is data protection in the news?
Data in a pensions context
TPR view and current scheme practices
DPA principles for actuaries
IFoA 2014 Guidance on Data Controller Responsibilities
General Data Protection Regulation
Game Changers
Roadmap for Pension Schemes and Actuaries
© 2017 Baker & McKenzie LLP DocID 9451066
Data Protection
In the Press
Tesco would face £1.9bn fine under the GDPR for a recent data breach after 20,000 customers had money stolen from their Tesco Bank accounts (November 2016)
Telecoms company TalkTalk issued with record £400,000 fine by the ICO for security failings that allowed a cyber hacker to access personal data of 160,000 TalkTalk customers (October 2016)
Japan's pension system hacked, 1.25 million cases of personal data leaked (2015)
ICO has found Verity Trustees Ltd to be in breach of the DPA after the Trustees reported that a laptop containing the personal data of 110,000 scheme members was stolen from its software provider's offices (2009)
Pensions context
Data within the pension schemes
Name; D.O.B; NIC number; address; email; dependants; bank details; health (e.g. early retirement); employment; bank accounts…
Often sensitive/confidential
IT security; "click to accept" privacy notices?
Processing of pension benefit increase information; greater number of parties involved than for individual benefit requests
Pensioner and dependant data
Often data for the entire membership
Live by 2019 (prototype by March 2017); platform for savers to see all their pension pots in one place
Data Protection
What TPR has to say
Trustees should undoubtedly be capturing cyber security as a key risk on their risk registers
It is trustees who are the data controllers under the data protection act, so it is the trustees who must make sure they have all the proper protocols and policies in place, and that any third parties they use also have the appropriate controls in place…This is a really important point about holding your administrators to account
"Research shows that third party scheme administrators do less testing of internal controls compared to in-house or combined arrangements while reporting comparatively higher incidences of fraud. Such schemes may therefore be at greater risk"
Pensions schemes are likely to be attractive targets to cyber criminals, because they hold a lot of personal employment and financial data
TPR's Corporate Plan 2016-2019: focus on third party providers?
Speaking at the annual Society of Pension Professionals' conference in September 2016, Lesley Titcomb urged trust-based schemes to start thinking about data protection as a matter of priority:
Data Protection
TPR publications
"Pension schemes are sitting there with an awful lot of personal data, an awful lot of bank details and actually it is a big issue. We're to make sure we deal with it before a scandal hits"
Lesley Titcomb
Compliance & Enforcement Strategy
We will publish…our enforcement successes and publicly name those employers who do not comply with… the Data Protection Act 1998
Inducement offers
Trustees must be mindful of the data protection issues raised by inducement offers. Trustees should also bear in mind the data protection aspects before they agree to release members' personal information to an employer for use in an inducement exercise
Record Keeping
Pension schemes hold significant amounts of valuable data, and large volumes are often transferred to and from the employer(s), as well as advisers such as investment managers or the scheme actuary. Many schemes also offer members online access to their records or use social media and other electronic means to communicate with members. As well as ensuring members' records are complete and accurate, you need to put controls in place to ensure the security of member data. This will help you guard against fraud and meet your obligations under data protection law
Data protection for actuaries: the current position
Are actuaries data controllers or processors?
IFoA Guidance: if
Scheme Actuary is a Specialist Service Provider;
he/she is appointed in a personal capacity (Section 47); and
is responsible for handling personal data
"that individual is likely to be acting as a data controller distinct from the firm"
Data Controller's obligations:
Register with ICO on an annual basis
Comply with the 8 DP principles
Key DPA 1998 Principles
8 Key Principles of Data Protection
Data protection obligations on Actuaries
1 Fair and lawful processing
2 Processing only for specified and lawful purposes
3 Data to be adequate, relevant and not excessive
4 Data to be accurate, and kept up to date
5 Data to be retained no longer than necessary
6 Data to be processed in accordance with data subject's rights
7 Security measures (unauthorised processing, accidental loss or damage)
8 No transfer outside European Economic Area (EEA) without adequate protection
DPA for Actuaries
Key arrangements
Parties: Trustees; Individual Actuaries; Actuarial Firm
Arrangements between them: PA 1995; Engagement Letter; Employment / Partnership Agreements
DPA for Actuaries: Allocation of roles/risk
Principle
1 Fair and lawful processing
2 Processed for limited purposes
3 Adequate, relevant and not excessive
4 Accurate and up to date
5 Not kept for longer than is necessary
6 Processed in line with data subjects' rights
7 Secure
8 Not transferred to extra EEA countries without adequate protection
Suggested/possible responsibilities (Client / Scheme Actuary / Firm): for each principle and each party, to be discussed and agreed
DPA for Actuaries
Comfort in IFoA Guidance
"The ICO has provided a level of reassurance in terms of its enforcement policy relating to a processing activity that contravenes the DPA. Where the Scheme Actuary and his/her client and/or firm are joint data controllers, and there is a documented audit trail in place between the Scheme Actuary and his/her client and/or firm (as applicable) setting out which party is responsible for which elements of compliance with the DPA, the ICO would be likely to take into account how responsibility for compliance had been allocated. Therefore, if the contravention related to a processing activity allocated to the firm and/or the client, the ICO might not typically look to an individual Scheme Actuary in any enforcement action, except in the circumstances described in paragraph 6.2.7."
6.2.7 " … not absolve the Scheme Actuary of his/her statutory obligations … he/she would still be deemed to be non-compliant … if, on the facts, the data protection compliance issue arose in relation to the Scheme Actuary's area of responsibility"
Scheme actuaries may be Joint Data Controllers with the Trustee and/or the Actuarial Firm.
Key issue for Actuaries:
Allocate – and contractually document – responsibility for (and liability protection in respect of) each data protection obligation as between:
i. Trustees and Scheme Actuary (engagement letters); and
ii. Scheme Actuary and their Firm (employment/partnership agreement).
The GDPR
GDPR
13 Game Changers
EU GDPR: 13 Key Game Changers (changes created by GDPR)
1 Data Protection Officer: DPO required for public authorities or private companies by the nature & scope of their processing activities (eg, large-scale, systematic monitoring, large-scale processing of sensitive data)
2 Data Breach Reporting: Report within 72hrs where breach is likely to result in a high risk for rights and freedoms of data subjects
3 Consent: No longer able to rely on implied consent. New rules for consent re children under 16 online
4 Data Mapping: Importance of keeping records of processing activities to produce on request to Supervisory Authorities
5 Cross-Border Data Transfers: BCRs and Model Clauses ok for now. Seals & certifications recommended
6 Data Processor Obligations: Direct compliance obligations on processors (e.g. includes implementing technical and organisational measures, notifying the controller without undue delay of breaches and appointing a DPO (if required))
7 Rights of Data Subjects: Rights extended (eg, data portability, right of deletion, right to be forgotten, limitations on profiling)
8 One Stop Shop & Consistency: No longer responsible to multiple data protection authorities. The "One Stop Shop" means companies will deal with one lead Supervisory Authority in their main country of establishment or where centre of administration is based. Mutual co-operation mechanism
9 Enforcement and Sanctions: Stronger penalties for non-compliance; maximum fines up to EUR 20,000,000 or 4% of annual worldwide turnover (whichever is higher) for most serious infringements
10 Data Privacy Impact Assessments: Data protection impact assessment should be performed to identify/address privacy risks before implementing new systems and technologies
11 Privacy by Design: Technical and organisational measures must be applied (such as data minimisation / pseudonymisation) to ensure data appropriately protected, depending on risk
12 Profiling Restrictions: Individuals have certain rights to object to profiling, to be told about it in privacy notices, and to not be subject to automated decisions based solely on it (if such profiling "significantly affects the individual")
13 Accountability: Must be able to demonstrate compliance with data protection principles
Implications for Trustees
What does this mean in the pensions context?
Pension schemes have large amounts of member data – some of which is sensitive
Handling this data has become increasingly complex
The increased complexity means that complying with the GDPR will require careful planning
Ensuring data is properly handled prevents (i) reputational damage; (ii) potential GDPR penalties; and (iii) members seeking to recover damages for injury or distress
Trustees also should ensure security of member data due to their overriding fiduciary obligations
What practical steps can be taken?
A comprehensive compliance plan will be required
First steps:
understand what data is currently held, what data may be required in the future and to whom data is currently provided or may need to be provided in the future
where are consent notices currently given? What approach is needed if we move to a positive consent environment?
consider whether compliance audits are in place and adequate - if not, what would these look like and how would they be managed?
what provisions are in existing contracts and arrangements with service providers – do these need to be updated?
Implications for Actuaries
Implications for Actuaries
The GDPR will impose new or enhanced obligations upon actuaries.
Key risk areas that need to be addressed or reviewed by actuaries in light of the GDPR concern:
Consent of scheme members
Rights of scheme members
Privacy notices to scheme members
Data protection obligations of data processors such as vendors
Transfers of personal data outside the European Economic Area
Notification of data breaches to the ICO and to data subjects in certain circumstances
Data protection by design and default
Accountability
Contractual relationship with trustee and actuarial firm and responsibilities vis-à-vis data subjects
For further details, please see page 2 of the Handout.
© 2017 Baker & McKenzie LLP
www.bakermckenzie.com