The Institute and Faculty of Actuaries has published guidance for actuaries and firms dealing with personal data (the “IFA Guidance”). The guidance offers some suggested best practice for scheme actuaries who, by virtue of their role, may be “specialist service providers” and also data controllers (as defined by the Data Protection Act 1998 (“DPA”)) in relation to some or all of the personal data they process. The guidance has brought back into focus the “special categories” issue – i.e. in certain circumstances specialist service providers may be data controllers in addition to or instead of being data processors.
The IFA Guidance refers to the earlier guidance of the Information Commissioner’s Office (“ICO”) (the “ICO Guidance”) and communications with the ICO which highlight that individuals appointed as occupational pension scheme actuaries by scheme trustees under section 47(1) of the Pensions Act 1995 (“Scheme Actuaries”) may be data controllers in their own right, whether as a sole data controller or a joint data controller with their employing actuarial firm or client. As a consequence, where this is the case, Scheme Actuaries: (i) must comply with the DPA as data controllers; (ii) may be personally liable for a breach of their data controller responsibilities under the DPA; and (iii) have to go through the same notification process as other data controllers. Breaches of the DPA can give rise to criminal sanctions and significant fines, so it is essential that Scheme Actuaries and their firms understand what elements of data protection compliance are their responsibility.
This will inevitably have a significant impact in terms of the additional administrative and regulatory obligations falling on the individuals appointed as Scheme Actuaries. They, scheme trustees, companies with occupational pension schemes, actuarial firms and pension scheme service providers should review the nature of their data processing. In particular, it will be important in relation to particular services or activities to ascertain who determines the purposes for which and the manner in which any personal data are, or are to be, processed, how the arrangements are documented and the adequacy of any fair processing information provided to, or consents obtained from, scheme members.
Specialist Service Providers
Due to the complexity of some business relationships, the distinction between data controller and data processor is often not clear-cut. The ICO Guidance clarifies that a service provider who processes personal data to carry out a service using his or her expert or professional skill and knowledge and, in the case of many professionals such as accountants and lawyers, in accordance with professional and ethical standards regulated by a professional body, is likely to be acting as a data controller. A “specialist service provider” typically requires specialist qualifications, licences or other authorisations in order to provide certain services and is obliged to provide those services in accordance with professional and ethical standards imposed by the body appointed to regulate the provision of those services. Specialist service providers are usually instructed because of their expert knowledge and generally have a considerable degree of flexibility and independence in determining how to provide the service. The ICO Guidance gives solicitors and accountants as non-exhaustive examples of professionals who may be data controllers in the performance of specialist services.
Although a Scheme Actuary’s client provides an initial broad instruction to the Scheme Actuary (and ultimately pays for the service), because the Scheme Actuary is required to use a considerable degree of professional skill and judgement in determining the way in which he or she is able to provide the service in accordance with his or her professional obligations, and certain of his or her activities are underpinned by statute and/or regulations, it is considered that he or she will (at least in some circumstances) most likely exercise a sufficient degree of control over the processing of personal data to be acting as a data controller.
This is distinct from the position of a “generalist service provider” who will typically provide services entirely in accordance with his or her client’s instructions and without the need to comply with any externally imposed obligations or requirements (other than compliance with the general law). The generalist service provider may provide the service in response to very broad instructions from his or her client (where the service is very straightforward) or his or her client may provide very detailed instructions as to how the service is to be carried out. In both cases the client has a clear understanding of what is involved in the provision of the service and the generalist service provider has little or no flexibility or independence in how he or she provides the service.
Practical suggestions for compliance
As an initial step, to ensure that they are aware of where their responsibilities arise, Scheme Actuaries and actuarial firms should undertake a review of the services they provide and the data they process to determine circumstances in which processing is undertaken as data controller rather than as a data processor.
The guidance confirms that where the client and the specialist service provider are joint data controllers it is entirely reasonable, where appropriate, for them to agree between themselves for one party to take primary responsibility for the practical elements of compliance with the data protection principles, such as dealing with subject access requests.
Both joint data controllers are legally responsible for compliance with the data protection principles. However, where they have made reasonable arrangements as to their respective defined responsibilities, if one of them fails in its obligations the ICO has confirmed that it would usually only seek to take enforcement action against the party that is in breach of its agreed obligations. This is particularly important for Scheme Actuaries who, being individuals, may not have the means to achieve compliance with requirements such as the implementation of the required security measures.
In practical terms this means that the arrangements between Scheme Actuaries, their employing actuarial firms and the scheme trustees need to carefully document their respective responsibilities for compliance, and to ensure that an appropriate fair processing notice reflecting the arrangements is received by scheme members. If sensitive personal data will be processed by the actuarial firm or Scheme Actuary as data controller, further consideration will need to be given to their obligations under the DPA in that regard – for example as to whether explicit informed written consent needs to be given by scheme members.
Consequences of non-compliance
The IFA Guidance states that the ICO has indicated that where there is an appropriate written agreement in place between a Scheme Actuary and his or her employing actuarial firm and/or client, the ICO would not usually look to enforce against an individual Scheme Actuary unless the breach related to an area that the Scheme Actuary was responsible for.
The consequences of breaching the DPA can be serious: monetary penalty notices can be up to £500,000 for significant breaches; and a failure to complete the proper notification can lead to a criminal fine of up to £5,000 in the Magistrates’ Court or an unlimited fine in the Crown Court. Furthermore, data subjects have a right under the DPA to claim compensation for damage.
A contrasting position
A recent case in the High Court (Re Southern Pacific Personal Loans Ltd [2013] EWHC 2485 (Ch), 8 August 2013) involving liquidators indicates that the courts will look at the specific role a service provider or office holder is playing to ascertain whether they are acting as a data controller or data processor in respect of a particular data set.
The case concerned a company providing personal loans. The liquidators of the company had retained historic personal data in respect of the company’s redeemed loans after the company entered creditors’ voluntary liquidation. The company had continued to receive data subject access requests and the liquidators sought clarification from the court as to whether they were data controllers in respect of the data processed by the company, and whether they could refuse to comply with the requests or dispose of the data.
The court held that there are certain duties imposed on liquidators by statute which they perform in their capacity as the appointed liquidator rather than as agent on behalf of the company in liquidation (for example when reviewing proofs of debts advanced by potential creditors of the company). In these instances the liquidator is taking the relevant processing decisions as principal and therefore will be acting as a data controller.
The data in question was collected by the company at a time when it was carrying on business, and was held by it and was under its control at the time it went into liquidation. The court held that the company, as it was established in the UK and the data was processed in the context of that establishment, was a data controller in respect of the data. In exercising any rights in respect of the data in question, the liquidators (like the directors of the company prior to the commencement of the company’s liquidation) were acting as agents on behalf of the company. It was the company who determined the purposes for which and the manner in which that data was to be processed. The court therefore concluded that the liquidators would not be acting as data controllers in respect of the data processed by or on behalf of the company in respect of the redeemed loans.
Additionally, the court held that in order for the company to be in compliance with the fifth principle of the DPA (data “not to be kept any longer than necessary”) the liquidators, as agents of the company, should dispose of the data as soon as possible as retention was no longer needed to administer the loans. The two qualifications to this were that the liquidators should: (i) on behalf of the company retain enough data to respond to the data subject access requests made to the company before the disposal of the data; and (ii) retain sufficient data to enable them to deal with any claims arising from the liquidation.
The case indicates that the courts will look at the role that service providers and office holders are actually playing when assessing the controller/processor distinction. There will be some instances where, in the course of performing their statutory duties, Scheme Actuaries may be acting as data controllers. They (and/or their firms) may also be “specialist service providers” and therefore data controllers as envisaged by the ICO’s guidance in relation to certain other data they process. In other instances they may be acting as data processors in relation to particular data and merely processing data on behalf of the scheme trustees. The roles being performed and the degree of control of the purposes for which and the manner in which the data is (or is to be) processed will therefore need to be carefully assessed before coming to a conclusion on this point.