Issue - meetings

General Data Protection Regulation Compliance

Meeting: 08/02/2018 - Pension Board (Item 52)

52 Preparing for General Data Protection Regulation Compliance (GDPR)

Minutes:

52.1.      The Board considered a report on the work being undertaken to prepare the ESPF for the new data protection legislation due to come into force in May 2018.

52.2.      The Chair requested that breaches of data protection regulations by the ESPF should be reported to the Board along with breaches of pension regulations.

52.3.      Heidi Judd (HJ), Information Manager, said that the new data protection legislation is unlikely to have a major effect on the underlying business of pension administration as there is an existing statutory power to hold personal data in order to perform the necessary functions of administering pensions. There will, however, be a need to verify that no unnecessary data is being held.

52.4.      JB added that Orbis is clarifying whether there is a statutory basis to continue the monthly mortality screening of pension records against the General Register of Deaths in the UK. There is a legitimate reason to carry out this process – in order to stop overpayment of pensions and avoid causing distress to next of kin – and it would be an onerous task to write to the 22k ESPF members in order to receive positive consent.

52.5.      The Board RESOLVED to note the report.

 


Meeting: 03/08/2017 - Pension Board (Item 21)

21 General Data Protection Regulation Compliance

Minutes:

1.1.        The Board considered a report on the General Data Protection Regulation (GDPR).

1.2.        BR asked whether there was any indication of what the financial and workforce implications of the GDPR would be for the Pension Administration Team.

1.3.        Jason Bailey (JB), Pension Services Manager, said that a future report was planned for the Board and Committee to provide assurance that the Pension Administration Team will be in compliance with the GDPR by May 2018. Guidance on the GDPR is still being drafted and when it is published, the ESPF policies will need to be checked against it. The current pension service is in compliance with current requirements, for example, around data protection measures and obtaining members’ consent. It will need to be established to what extent practices need to change around seeking explicit consent, for example, around data sharing with other authorities where at the moment a scheme member only needs to be informed. If this requires a change in the process of data sharing then it will have resource implications. 

1.4.        Ian Gutsell (IG), Chief Finance Officer, confirmed that the ESPF’s practices for safeguarding member data comply with previous good governance requirements but would need to be checked against the new regulations. He said that the issue of stricter requirements around consent to transfer data to other organisations is likely to be the main area of concern.

1.5.        JB said that the Local Government Association (LGA) has commissioned a piece of legal advice on the issue nationally to determine the implications.

1.6.        Wendy Neller (WN), Pension Strategy and Governance Manager, summarised that the new regulations placed additional responsibilities on data processors (those carrying out processing on the data controller’s (administering authority’s) behalf). The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. There is a 12-step GDPR checklist supplied by the Information Commissioner’s Office (ICO) to highlight steps to take to prepare for the regulations that apply from 25 May 2018.

1.7.        The Board RESOLVED to note the report.