Overseas data transfers - updates for pension schemes
June 16, 2022
Summary
There are some changes to transfers of personal data overseas coming up that trustees and administrators need to be aware of:
What’s this about?
Where a scheme transfers a member’s personal data outside of the UK, trustees as data controllers need to make sure that the data will be kept properly secure and protected in the country it is transferred to. This is an obligation for the data exporter (e.g. the trustee as controller and the scheme administrator as processor if they are giving the data to a sub-contractor) who is transferring the personal data outside of the UK; it is not an obligation on the overseas receiver (most likely a processor) of the data.

Because the European Economic Area has similar data protection laws to the UK, it is accepted that data transferred there will be kept secure and protected. There are also other countries on a data protection adequacy list where the UK is similarly satisfied that local law will ensure that data is secure and protected.

Where personal data is transferred to other countries, generally trustees ensure that it is kept secure and protected by including contractual provisions which require the recipient of the data to take appropriate steps to look after it. The legal requirements around using terms in contracts to ensure that data is kept secure are changing. The Information Commissioner’s Office (ICO) published new international transfer mechanisms on 21 March 2022 in the form of a new international data transfer agreement (IDTA) and an addendum to the European Commission’s 2021 version of the standard contractual clauses for international data transfers (International Addendum).

New and amended data transfers
If a scheme makes a new overseas transfer of member (or other) personal data from the UK to another country (other than EEA countries or those on the data protection adequacy list) on or after 21 September 2022, that transfer will infringe UK GDPR unless one of the new transfer mechanisms is used.
If old overseas transfer terms continue to be used, data will have been unlawfully exported outside the UK and there will be a risk of ICO enforcement as well as compensation claims from members. Even if a transfer of data is made by an administrator or other service provider, there will still be a risk to the trustees as data controller.

A new transfer for these purposes would be something like a new agreement with a scheme administrator who is outsourcing some of their tasks to India, requiring data to be transferred there. It would also cover an existing transfer which changes, e.g. if new data types, categories of people, recipients or additional countries are added for the data flow going out of the UK.

Technically the ‘old’ mechanisms (i.e. the versions of the standard contractual clauses we’ve all been using for many years) can still be used for transfers out of the UK until 21 September 2022 but as, strictly speaking, they are now out of date (given the new material published by the ICO in March), parties should consider updating their overseas transfer terms as soon as possible.

Existing transfers
If trustees, their administrators or other service providers are making overseas transfers of data out of the UK already, those don’t strictly need to be repapered to reflect the new transfer mechanisms until 21 March 2024 unless something changes in the meantime. However, as the existing terms do not reflect current standards of data protection law, it is a good idea to revisit them earlier if there is a convenient moment to do so. From 21 March 2024, the new transfer mechanisms must be used for all transfers out of the UK/under UK GDPR whether they are new, altered or existing.

Additional risk assessments that might be needed
In 2020, the European Court decided in Schrems II that a data controller must take additional steps to assess whether the laws of the country they are sending data to will protect it adequately.
In other words, data controllers can’t simply assume that the person receiving the data there will comply with their obligations in the contract (i.e. the transfer mechanism) to keep data secure. Controllers, such as trustees, are therefore required to assess - before a transfer - whether the laws of the country to which personal data is being transferred provide data subjects with protections that are “essentially equivalent” to those provided by the UK. This assessment is required even when an updated transfer mechanism (i.e. the new IDTA and International Addendum published by the ICO) is used in the agreement. If controllers find in their assessment that the third country does not provide essentially equivalent protection, they must consider supplemental measures.

The ICO has devised a risk assessment tool for conducting these risk assessments where they are required. It is being updated following a consultation process earlier this year.

Risk assessments aren’t straightforward. Most controllers are still struggling to get to grips with them. Generally, where a scheme administrator is making overseas data transfers it should be determining whether risk assessments are needed and carrying them out if required. Trustees might want to ask the scheme administrator for details to check what they are doing although they remain responsible for carrying them out as data controller.

Where risk assessments are not properly carried out, there could be a risk for trustees as the controller. For example, if there’s a personal data breach / cyber-attack involving the data overseas, which is reported back to the trustees in the usual way by their processor, then the trustees may have to report this to the ICO and the ICO may decide to investigate.

Next steps?