THE LENS
Digital developments in focus

DPIA… or not to DPIA – Is a DPIA needed before connecting to a pensions dashboard?

That is the question being asked by UK pension scheme trustees, who need to consider whether a data protection impact assessment (DPIA) is required before connecting their pension schemes to the ‘pensions dashboards’ ecosystem, with mandatory connection dates coming thick and fast from here on in.

While privacy considerations for pensions dashboards will be of most relevance to pensions trustees, balancing UK General Data Protection Regulation (GDPR) compliance with new mandatory data sharing rules is becoming increasingly important for a wider pool of controllers, given the UK Government’s focus on opening up data, as reflected by the provisions on “smart data” sharing schemes in the Data (Use and Access) Bill (see our previous blog).

Why are pension schemes connecting to dashboards?

Pensions dashboards will be free online portals for individuals to see all their UK pensions from multiple sources in one place, including their UK state pension. The intent is to enable people to reconnect with all their pensions and change how they engage with them.  

Connecting to dashboards is mandatory in most cases under the UK Pension Dashboard Regulations 2022. Detailed rules and controls on the practical operation of dashboards and the underlying digital architecture, such as data standards and technical standards, also apply. 

There is currently no ‘go live’ date for when the public will be able to access pension dashboards but the Government will give at least 6 months’ notice of this.

What data is being shared? 

Once an individual logs in to a dashboard (either a commercial one, or the Government’s dashboard run by the Money and Pensions Service), the dashboard will send a request for information about the individual’s pensions to all connected pension schemes. If a scheme matches that individual to one of its members, the scheme must provide information to the dashboard about the scheme and the individual’s pension benefits in a standard format, for the user to view. 

If no match is found, the scheme must delete the individual’s personal data sent to it as part of the dashboard-generated information request. A user’s pension benefits data is temporarily cached for the purpose of viewing on the dashboard, but will not be stored on the dashboard once the user logs off.
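The scheme-side half of that exchange, as an added illustration that is not part of this post and not the dashboards ecosystem’s own code: a find request arrives carrying identity data, the scheme tries to match it to a member, returns benefit information in a fixed format on a match, and deletes the request’s personal data when there is no match. The field names, the all-attributes matching policy and the member records are constructed assumptions; the real data and technical standards define the actual formats.

```python
"""Scheme-side handling of a dashboard 'find' request (added illustration).

Constructed model: the real pensions dashboards data and technical standards
define the actual request/response formats and matching rules. The field
names, the matching policy and the member records here are assumptions.
"""
from dataclasses import dataclass
from datetime import date
import re

# Constructed member records, as held by a scheme or its administrator.
MEMBERS = [
    {"ni_number": "QQ123456C", "surname": "Smith", "dob": date(1970, 5, 1),
     "scheme": "Example Pension Scheme", "accrued_annual_pension_gbp": 12000},
    {"ni_number": "QQ654321A", "surname": "Jones", "dob": date(1985, 9, 30),
     "scheme": "Example Pension Scheme", "accrued_annual_pension_gbp": 4500},
]


def _normalise(value):
    """Strip whitespace and upper-case so formatting differences don't block a match."""
    return re.sub(r"\s+", "", str(value)).upper()


@dataclass
class FindRequest:
    """Identity data forwarded by a dashboard (hypothetical field set)."""
    request_id: str
    ni_number: str
    surname: str
    dob: date


class RequestStore:
    """Holds the personal data received in find requests until each is resolved."""

    def __init__(self):
        self._requests = {}

    def receive(self, req):
        self._requests[req.request_id] = req

    def delete(self, request_id):
        self._requests.pop(request_id, None)

    def holds_personal_data_for(self, request_id):
        return request_id in self._requests


def match_member(req, members=MEMBERS):
    """Return the member only if all three identity attributes agree (constructed policy)."""
    for m in members:
        if (_normalise(m["ni_number"]) == _normalise(req.ni_number)
                and _normalise(m["surname"]) == _normalise(req.surname)
                and m["dob"] == req.dob):
            return m
    return None


def handle_find(req, store, members=MEMBERS):
    """Resolve one find request and return the response the dashboard would receive."""
    store.receive(req)
    member = match_member(req, members)
    if member is None:
        # No match: the scheme must delete the individual's personal data it was sent,
        # and the response carries nothing that identifies the person.
        store.delete(req.request_id)
        return {"request_id": req.request_id, "matched": False}
    # Match: return scheme and benefit information in a fixed (here, constructed) format.
    # How long the matched request data is retained is left to the scheme's own policy.
    return {
        "request_id": req.request_id,
        "matched": True,
        "scheme": member["scheme"],
        "accrued_annual_pension_gbp": member["accrued_annual_pension_gbp"],
    }


if __name__ == "__main__":
    store = RequestStore()
    print(handle_find(FindRequest("req-1", "qq 123456 c", "smith", date(1970, 5, 1)), store))
    print(handle_find(FindRequest("req-2", "QQ999999Z", "Nobody", date(1990, 1, 1)), store))
    print("req-2 data retained:", store.holds_personal_data_for("req-2"))
```

The point to check in a real implementation is the no-match branch: the deletion must be unconditional and verifiable, because it is what turns a broad, legally mandated data flow into one where the scheme retains nothing about people who are not its members.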

This will lead to a lot of personal data flowing between pension scheme trustees (or their third-party administrators) and the dashboards’ digital architecture. Despite the sharing being legally mandated, pension scheme trustees still need to comply with their responsibilities in relation to their members’ personal data as controllers under the GDPR.

What is the legal test for a DPIA being required?

Under Article 35 of the GDPR, a DPIA is required if “[…] a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons”. 

Both the European Data Protection Board (EDPB) and the Information Commissioner's Office (ICO) have set out criteria to consider when assessing if processing meets this test. Many of these are clearly not relevant to pensions, such as processing biometric data, targeting children or tracking a person’s location. However, some may apply, most obviously those on large scale data processing and matching or combining datasets. That said, the ICO hasn’t expressed a specific view on DPIAs in respect of pensions dashboards, nor is the Pensions Regulator’s initial guidance fully definitive.

So, to DPIA or not to DPIA?

The ICO is clear in its Data Sharing Code of Practice that it considers it good practice to carry out a DPIA before any major project which requires the processing of personal data, even if there’s no specific indicator of likely high risk.

Given this, and since a DPIA is a risk management tool, preparing one is a useful and prudent opportunity for trustees to assess what they’re doing with data, and to identify risks and mitigations.

For further information, please see our post on our separate pensions blog, Pensions Pointers.
