Data Protection: Avoiding Information Commissioner Fines. Caroline Egan, 5 June 2014




Why is data protection a hot topic in pensions?
- Pension schemes hold large amounts of personal data
- Individuals are more aware of their rights
- Increased powers of the Information Commissioner's Office ("ICO")
- Monetary penalties for serious breaches of the Data Protection Act 1998 (the "Act"): up to £500,000 per data protection principle breached
- Changing guidance on data controllers
- Comments from the Pensions Regulator
- Tougher EU legislation on the way

UK Data Protection Regime: Key Concepts
- Core principles in the Act
- The Act controls the way in which personal data of data subjects is used by data controllers, or is processed on their behalf by data processors
- It covers all information about scheme members held electronically, and some paper records
- Main sanctions for serious breaches: "name and shame", undertakings, enforcement notices, monetary penalties

What is Personal Data?
Personal data is information that:
- is about a living person
- identifies a person, whether by itself or together with other information in the organisation's possession (or likely to come into its possession)
- is in an electronic form or a structured manual file
Sensitive personal data is information about:
- racial or ethnic origin
- physical or mental health condition
- religious beliefs
- sexual life
- political opinions
- trade union membership
- criminal convictions or allegations of any offence

Data controllers and processors
- Data controller: the person who ultimately (alone or jointly) determines the purpose and manner in which any personal data is to be processed, i.e. the Trustees of each pension scheme; also some service providers
- Data processor: any person who processes the data on behalf of a data controller, e.g. scheme administrators, hosting providers
- Data processors have no direct obligations under the Act
- Controllers can be held liable for the actions of their data processors and of any joint data controllers
- Controllers are required under the Act to undertake due diligence and to include key provisions in agreements with processors

Who are Data Controllers?
- Trustees
- Professional service providers whose duties are not just to the Trustees (ICO guidance):
  - Actuaries (Institute and Faculty of Actuaries)
  - Lawyers
  - Accountants/auditors
  - Not pension administrators
  - Product providers?

The eight data protection principles
Data controllers must ensure that all personal data is:
1) Processed fairly and lawfully
2) Processed for limited purposes
3) Adequate, relevant and not excessive
4) Accurate and up-to-date
5) Not kept for longer than necessary
6) Processed in accordance with data subjects' rights
7) Kept secure
8) Not transferred outside the EEA unless the data will be adequately protected

Monetary penalties
- Power given to the ICO in 2010
- Applies where there is a serious breach of the Act and the controller knew, or ought to have known, that it could cause serious detriment
- The overwhelming majority of monetary penalties (and the highest) have been for data security breaches
- Many fines have been imposed on controllers when it was their processors that were at fault

Transferring data outside the EEA: the Eighth Principle
- No transfer outside the EEA unless there is adequate protection
- Why does this matter?
- What is adequate?
  - Approved countries
  - US Safe Harbor
  - EC-approved Model Clauses
  - The ICO's position

Contractual protections
- Must always have an agreement when appointing a processor
- The only completely safe course: almost unamended Model Clauses
- Initial processor within Europe
- Supplemented by:
  - a right to require repatriation of data
  - specific provisions for dealing with a data breach

Data Security Risks: the Seventh Principle
- Principle 7 requires the taking of "appropriate technical and organisational measures against unauthorised or unlawful processing of data and against accidental loss or destruction of, or damage to, personal data"
- The highest ICO fines to date have concerned data security (or the lack of it), and damage to reputation is a major risk
- Breaches could be caused by:
  - poor access control (physical and virtual) allowing unauthorised access
  - forwarding papers to a home account
  - loss of an unencrypted laptop or other device, such as a memory stick
  - sending an email to the wrong email address
  - sending "cc" rather than "bcc" emails to members
  - an administrator hosting data on faulty virtual servers

Data Security: Solutions
- A properly implemented data security policy
- A nominated individual with overall responsibility for data security
- Technical security applied to data held electronically, e.g. encryption, password protection, rules about downloading to mobile devices
- Physical security for data in paper form and for the electronic devices on which data is stored
- Vetting and training of those who have access to personal data
- Access limited to that which is necessary
- Secure disposal of hard-copy data
- Secure deletion of electronic data
- Appropriate due diligence before using service providers
- Contracts with service providers

Data security: the Seventh Principle
- When appointing processors, controllers are in breach of the Act unless there is:
  - upfront and ongoing due diligence into the processor's security measures (security questionnaire)
  - a written contract requiring the processor to process only on the controller's instructions and to comply with the Seventh Principle
- A general obligation is not enough

Data security: the Seventh Principle (cont'd)
Other strongly advisable contractual clauses:
- immediate notification of a data security breach
- remedial actions on a security breach
- audit rights
- sub-contractor approval
- responding to data subject access requests
- indemnities for losses
- restrictions on processing outside the EEA
- deletion of data on termination

ICO's Core Security Requirements
- Protection in transit, at rest and in use
- Encryption: laptop hard drives, memory sticks
- Weakest link: Bring Your Own Device
- ICO guidance on the commonest IT security mistakes

Passwords
- Password storage: use robust hashing and salting
- Complexity of password:
  - at least ten characters
  - numbers, letters (upper and lower case), and special symbols

Data Security: Using Secure Passwords (estimated time to crack by character set and length)

| Characters | Numbers only | Upper case or lower case letters | Upper case and lower case letters | Numbers, upper case and lower case letters | Numbers, upper case, lower case and symbols |
|---|---|---|---|---|---|
| 4 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 5 | Instantly | Instantly | Instantly | 3 seconds | 10 seconds |
| 6 | Instantly | Instantly | 8 seconds | 3 minutes | 13 minutes |
| 7 | Instantly | Instantly | 5 minutes | 3 hours | 17 hours |
| 8 | Instantly | 13 minutes | 3 hours | 10 days | 57 days |
| 9 | 4 seconds | 6 hours | 4 days | 1 year | 12 years |
| 10 | 40 seconds | 6 days | 169 days | 106 years | 928 years |
| 12 | 1 hour | 12 years | 600 years | 108k years | 5m years |
| 14 | 4 days | 8k years | 778k years | 1bn years | 5bn years |
| 16 | 1 year | 512m years | 1bn years | 6tn years | 193tn years |
| 18 | 126 years | 3bn years | 1tn years | 23qd years | 1qt years |
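The two password slides above describe the policy (length and character classes), the table's columns (alphabet size) and the storage rule (salted hashing) without code. The following is an added example, not from the presentation: it checks the stated policy, computes the keyspace that the table's columns and rows enumerate, and stores a password with a random per-user salt and PBKDF2-HMAC-SHA256; the iteration count and the 16-byte salt length are assumptions, as the slides specify neither.

```python
import hashlib
import hmac
import os
import string

# The four character classes behind the columns of the crack-time table
# (mapping constructed for this example).
CLASSES = {
    "numbers": string.digits,           # 10 characters
    "lower": string.ascii_lowercase,    # 26 characters
    "upper": string.ascii_uppercase,    # 26 characters
    "symbols": string.punctuation,      # 32 characters
}

def character_classes(password):
    """Return the names of the classes a password actually draws on."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}

def meets_policy(password):
    """Slide policy: at least ten characters, using numbers, upper and
    lower case letters, and special symbols."""
    return len(password) >= 10 and character_classes(password) == set(CLASSES)

def keyspace(password):
    """Candidates an exhaustive search over the same length and classes must
    cover: the table's columns fix the alphabet size, its rows the length."""
    alphabet = sum(len(CLASSES[name]) for name in character_classes(password))
    return alphabet ** len(password)

# Storage: random per-user salt plus a slow, salted hash (PBKDF2-HMAC-SHA256).
# The iteration count is an assumption for this example; the slides give none.
ITERATIONS = 200_000

def hash_password(password, salt=b""):
    """Return (salt, digest); a fresh 16-byte salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3x"):
        print(pw, meets_policy(pw), keyspace(pw))
    salt, digest = hash_password("Tr0ub4dor&3x")
    print(verify_password("Tr0ub4dor&3x", salt, digest))
```

Note that keyspace() measures only the cost of exhaustive search; the table's times additionally depend on an unstated guessing rate, which is why slow hashing matters as much as length.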

Managing a significant data breach
- Need to move fast
- Actions to minimise adverse effects
- Notifying: members, the ICO, the police, the Pensions Regulator
- Remedial actions
- The best time to think about how to handle a major data loss or breach is before the event: have a policy on handling data breaches
- Importance of the co-operation of service providers

Notifications to the ICO
- No obligation under the Act; ICO guidance is to notify if:
  - there is potential detriment to affected individuals
  - a large amount of data is involved
  - the data is particularly sensitive (even if a small amount)
  - there is significant damage or distress to individuals
- Consequence of non-notification: a higher penalty
- Consequences of notification: the ICO will investigate data protection compliance, security measures and contracts

Notifications to individuals and to the Pensions Regulator
- To individuals: if notification will help them protect themselves, e.g. against identity theft
- If you notify individuals, should you also notify the ICO?
- To the Pensions Regulator if:
  - there is a breach of the law
  - it is likely to be of material significance to the Pensions Regulator

Draft EU Data Protection Regulation
- Implementation unlikely before 2017
- Key elements:
  - data processors will also have direct obligations
  - mandatory breach notification to the data protection regulator without undue delay
  - mandatory notification to individuals unless the data is unintelligible to an unauthorised user
  - maximum fines: €100,000,000 or 5% of global turnover

Key takeaways
- Ensure the security of your own processing
- Upfront and regular audits of processor security measures
- Contracts providing adequate protection
- Policies and training
- A data breach response policy

Contact Information
Caroline Egan, Consultant
0121 222 3386
caroline.egan@squirepb.com

Worldwide Locations (including independent network firms)