Susan - I am, for my sins, a commercial pensions lawyer with a fairly good
working knowledge of DPA - I have spent a good deal of the last couple of
years helping pension schemes get ready for the 1998 Act.
A few thoughts on your e-mail:
1. In the occupational pension scheme context (which I suspect is where
you're coming from), the trustees will normally be the data controller of
personal data relevant to the scheme (e.g. members' details). The trustees
will therefore need to have a separate registration / notification, and put
in place their own compliance (as distinct from that of the employer).
2. Any third parties to whom processing - such as pensions admin - is
outsourced will, in my view, therefore be data processors to the trustees.
(As businesses and employers, they will of course also be data controllers
in their own right, but this will not be relevant to your scheme.) The main
DP concern of trustees in outsourcing their pensions admin (apart from all
the usual commercial / price issues) will therefore be compliance with the
seventh principle.
3. I think explicit consent for the transfer to the new administrators may
only be needed in relation to fairly recent sensitive personal data. In
relation to "normal" personal data, my view is that it is possible to infer
consent to processing from the mere fact of an individual's membership of a
pension scheme: the trustees cannot process his benefits and look after his
interests unless it is implicitly accepted by all parties that this entails
the trustees processing his personal data. Even if implied consent doesn't
work, discussions with the IC's Office indicate that pension scheme trustees
may well be able to use the legitimate interests and legal obligation
conditions in Sch 2 to legitimise their processing of normal personal data.
4. Sensitive personal data is a particular problem for pension schemes (e.g.
details of a member's ill health record for an early retirement application
or an application to join the scheme late; details of the member's sexual
relationships in his expression of wish form). However, it may well not be
necessary for the trustees to obtain explicit consent to process sensitive
personal data being processed immediately before 1 March 2000 (see the
Processing of Sensitive Data Regs 2000, regs. 5 and 6).
5. I am not entirely sure what an "Occupational Health provider" provides.
However, if this can be brought within the definition of an occupational
pension scheme, or can be described as an insurance arrangement, then it may
also have the benefit of the historic sensitive personal data exemptions in
4 above.
6. In relation to sensitive personal data for which explicit consent has not
been obtained, and where the exemptions for historical pensions / insurance
sensitive data do not apply (see 4 above), then I agree you have a problem
(as does everyone else). Explicit consent must entail a positive expression
of assent from the individual , and cannot be inferred. In the circumstances
you describe, however, I wonder whether you / your trustees have some
"commercial leverage" based on the fact that the individual(s) in question
presumably want their claim for benefits (based, I assume, on an inability
to work in some way) to be considered. IF it were pointed out to them that,
if they did not give explicit consent, their claims could not be properly
considered, would they not be likely to give it?
Hope this helps.
Francois Barker
Solicitor
Hammond Suddards Edge
Tel: 0121 222 3000
-----Original Message-----
From: Susan Snell [mailto:[log in to unmask]]
Sent: 02 August 2001 4:21 PM
To: [log in to unmask]
Subject: re pensions
Perhaps other members of the list serve who have already coped with
implementing changes to HR procedures due to the DPA may be able to comment
on these scenarios:
Following central government guidance, our pensions administration is to be
delivered by an outside agency. Our procedures for new recruits are being
changed to include suitable wording to allow us to forward details to this
new data controller (who have already registered full notifications with
the OIC - I checked).
We need to obtain explicit consent to transfer electronic and manual data
to the new service provider from existing employees - do the new pension
providers also have to obtain permission from staff to process their data?
Apparently, this service provider 'has had access to our data for several
years (a decision made by Cabinet Office)'. Can anyone throw any light on
this?
Secondly, we are about to change our Occupational Health provider - I have
found the guidelines available from the Faculty of Occupational Medicine
and the draft OIC Code of Practice on employer/employee relationships most
helpful.
Although obtaining explicit consent from new recruits to forward data to
and receive information back from the medical provider about their fitness
to work in a range of situations may be relatively straightforward, it will
be necessary to obtain consent from existing staff explaining how any data
will be used and in what situations.
Has anyone had to cope with the scenario where an existing employee refuses
permission to process data? We could be in a position where they could be
making their condition progressively worse whilst we as their employer
could not exercise our 'duty of care' in establishing the cause of the
illness and attempting to make improvements in work patterns/conditions to
alleviate the situation.
Any comments/suggestions welcome,
rgds,
Susan Snell
Archivist
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#~#
IMPORTANT - this e-mail and the information that it contains may be
confidential, legally privileged and protected by law. Access by the
intended recipient only is authorised. Any liability (in negligence or
otherwise) arising from any third party acting, or refraining from acting,
on any information contained in this e-mail is hereby excluded. If you are
not the intended recipient, please notify the sender immediately and do not
disclose the contents to any other person, use it for any purpose, or store
or copy the information in any medium. Copyright in this e-mail and
attachments created by us belongs to Hammond Suddards Edge: the author also
asserts the right to be identified as such and object to any misuse. Should
you communicate with anyone at Hammond Suddards Edge by e-mail, you consent
to us monitoring and reading any such correspondence.
Hammond Suddards Edge is regulated by the Law Society in the conduct of
investment business. The partners in the firm are solicitors or registered
foreign lawyers and a list of their names can be inspected at 7 Devonshire
Square, Cutlers Garden, London EC2M 4YH; 2 Park Lane, Leeds LS3 1ES; at our
other offices in Lloyds of London, Manchester, Birmingham, Bradford,
Brussels, Berlin and Munich; and at http://www.hammondsuddardsedge.com
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|