Spence advises on steps to avoid a data protection fine

Will Davison

Spence & Partners, the UK pensions actuaries and administration specialists, today advised that more schemes should be auditing their data controls to avoid data protection fines and suggested a number of steps that schemes should consider to ensure better information security:

  • A strict data policy needs to be implemented and maintained;
  • The easiest things can be overlooked and it is important to take a common-sense approach. Data should not just be discarded in bins. Make sure there are confidential waste bins and that a specialist firm is employed to dispose of the waste;
  • Carry out spot checks on staff to ensure compliance with policies in place;
  • Consider having independent audits in accordance with recognised accreditations, e.g. ISO 27001 or AAF;
  • Data security is not a tick-box exercise – more probing questions should be asked; and
  • Train staff and make sure that they understand how important data security is and the procedures that need to be followed.

Mark Johnson, Head of Data Audit and Analysis at Spence, commented: “It is vital that schemes don’t just pay lip service to data protection. With the Information Commissioner’s Office able to impose fines of up to £500,000 for serious breaches, data protection should be given a higher profile. There are still a significant number of schemes who have not audited their systems’ security and data protection framework.”

“Whether you are an in-house administration team or outsourcing to a third-party provider, trustees must ensure that they put measures and protocols in place to protect members and safeguard scheme data. As a third-party administrator, we recognise the importance in this area by obtaining both ISO 27001 and AAF accreditations.”