From a simple admin error to a data security problem

Topic:

Legal & governance

Date published:

Wednesday, 2 August 2017

Author:

Julie Karavis

One of my pension scheme clients was recently advised by their administrator of an error that had occurred with the issuing of payslips. This could easily affect any pension trustee board and it is important - it directly relates to data security.

How sure can you be?

It was only when they heard about this problem that the pension trustees became aware that the scheme administrator outsourced the issuing of payslips. The trustees also realised they could not be certain whether any of their scheme advisers used other providers in delivering services to the pension scheme.

With no direct agreement in place, trustees may not be aware of what information is going to external companies and have no knowledge of their processes and security protections. In this case, the trustee board agreed they needed to have a better understanding of all the providers being used.

It started with a slip…

The issue that started this was a straightforward administrative error. The payslip for a member of pension scheme A was inserted into the envelope of a member of pension scheme B, together with that individual’s own payslip. In theory, this shouldn’t have been able to happen as they are members of different schemes. In practice, it did happen.

There was no data security breach for my client - scheme B - it just raised the question of who handles data that the pension trustees are unaware of. The trustees have asked the administrator (and their other scheme advisers) to draft a schedule detailing who they provide data to and why so they can collate a complete list and fully understand where services are outsourced and/or where data is provided to other parties.

Of course, we advised the trustees of scheme A about what had happened. For them, the data breach could be much more serious.

Back to opinions