
'Who Are You?' The GDPR, the Right to be Forgotten and pension schemes

Luke Carter

Regulatory Advisor

Examines the challenge that the Right to be Forgotten poses for pension schemes, with the introduction of the European Union General Data Protection Regulation (GDPR) in May 2018

4 September 2017

The Spanish Ministry of Labour and Social Affairs could never have known the turmoil that would be caused when, in 1998, they forced Mario Costeja González to sell a property to meet a social security debt. 16 years later, after a long legal fight, Mr Costeja won his fight with Google at the European Court of Justice to have the details of the sale removed from any Google search results. The Right to be Forgotten was born.

The Right to be Forgotten is one of eight rights provided for individuals in the GDPR (the full list is provided by the ICO). It gives an individual the right to request that a data controller remove all personal data that it holds on the person. There are limits to this request. Firstly, it can cover only personal data that the individual has provided to the data controller. Secondly, the data must have been provided on the processing basis of consent. Thirdly, if the data controller has an overriding statutory or regulatory requirement to hold the data, the data must be retained.

What does this mean for pension schemes? Those schemes covered by the 1996 Regulations are obliged to keep records of members for seven years. This means that they have a legal override should any former member request to be forgotten.

But what happens after the seven years is over? This is a tricky scenario and one with which lawyers are still wrestling. If a member transfers out and then successfully applies to be forgotten about, they could write to the scheme many years later asking for a pension. The member may have records showing they paid into the scheme. If the scheme cannot prove they paid a transfer value, they may have to pay a pension to the individual.

One solution would be to anonymise all the personal data about the member (name, address and so on) but retain this under the original membership number (as this is not personal data the member gave to the scheme, the scheme still has legal ownership of it), along with the details of the transfer out. This would balance the Right to be Forgotten with the need to maintain good-quality records for auditors.

The Right to be Forgotten is a new right aimed at giving individuals control over who has their data. For pension schemes, there is normally an overriding legal reason for maintaining a person's data long after the member ceased to be part of the scheme. Once the legal reason has passed, solutions exist (for example, anonymising all personal data, but retaining the original membership number) that satisfy both the Right to be Forgotten and the need to provide good, auditable records.

Luke Carter is Regulatory Advisor at Aquila Heywood, the largest supplier of life and pensions administration software solutions in the UK.
