Pensions auto-enrolment: don't forget data protection!

Author: Aisling Duffy

Employers preparing for the phasing in of the new pensions auto-enrolment regime should not overlook their data protection obligations

Background: the new pension regime

From October 2012 a new pensions regime will start to be phased in which will eventually require all employers in the UK to automatically enrol eligible staff into some sort of pension scheme and, importantly, for the first time, to pay minimum contributions.

Employers will have to automatically enrol eligible staff in either the Government's scheme, the National Employment Savings Trust ("NEST"), or an alternative scheme which meets the qualifying conditions laid down in the legislation; this could be an existing occupational or personal pension scheme.

Eligible staff will be able to opt-out if they wish but employers will have a duty to re-enrol individuals who have opted-out every three years.

The aim of the legislation is to encourage those who have not traditionally contributed to a pension to build up provision for their old age. It is therefore expected that many more staff than at present will become members of pension schemes and this will involve a significant increase in administration and record keeping for employers.

Record keeping

The auto-enrolment regime will be overseen by the Pensions Regulator and will place new legal requirements on employers, trustees, managers and providers of pension schemes to keep certain records.

While efficient record keeping has always been a vital part of running a pension scheme effectively, the records that an employer will have to keep in respect of auto-enrolment will enable them to prove to the Regulator that they have complied with their new duties and could also help avoid potential disputes with employees.

Once an employer comes within the auto-enrolment regime they will have to:

  • preserve the relevant records; and
  • produce those records to the Regulator if requested.

While business or pension administration may be outsourced to a third party, it remains the legal responsibility of employers and trustees to ensure records are preserved and if requested, produced to the Regulator: employers/trustees will be liable for any breaches by a third party provider. Employers and pension schemes should ensure that their service agreements with any such providers contain sufficient contractual protection in this regard.

Inevitably these records will consist of information about individuals and so will be personal data, and employers will have to ensure they are complying with their obligations under the Data Protection Act 1998 (the "Act").

Data protection

The Act covers both "personal data" (broadly, information that identifies a living individual) and "sensitive personal data" (personal data which consists of information about a data subject's):

  • racial or ethnic origins,
  • political opinions,
  • religious or similar beliefs,
  • trade union membership,
  • physical or mental health,
  • sexual life; and
  • criminal convictions.

It is not hard to see that in the course of administering workforce pension benefits an employer is likely to have access to information which could include both personal and sensitive personal data.

For example, asking a worker to nominate a beneficiary could reveal details about their sexual life, and an application for an early retirement pension on ill-health grounds will certainly involve processing information about a worker's physical or mental health.

The Act requires that such data is processed in accordance with the eight data protection principles. The data must be:

  1. fairly and lawfully processed;
  2. processed only for one or more specified purposes;
  3. adequate, relevant and not excessive in relation to the purpose for which the data is collected;
  4. kept accurate and up to date;
  5. not kept for longer than necessary for the purpose;
  6. processed in accordance with the rights of data subjects;
  7. subject to appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to the data;
  8. not transferred outside the European Economic Area unless an adequate level of protection for personal data is in place.

There is significant overlap and tension between ensuring compliance with the data protection principles and the pension regulatory requirements.

For example, the Pensions Regulator's guidance explains that most records relating to auto-enrolment must be kept for a minimum of six years and those relating to opting-out must be kept for a minimum of four years. Those are minimum periods, not maximum ones. Does that mean the data should be retained only for that six (or four) year period to comply with the fifth data protection principle, or could it be kept for longer? Employers will need to decide, and record, how long each category of record is actually needed and dispose of it once that period has passed.

As regards the first data protection principle (fair and lawful processing), employers should consider including a clause in contracts of employment confirming the individual's express consent to the transfer of their enrolment and other pension related information to third parties such as pension scheme administrators or NEST (where relevant).

Good practice

The Information Commissioner has issued guidance on processing employment records in its Employment Practices Code. In respect of pension schemes the advice currently states that:

  • personal information required by a third party to administer a pension scheme should not be accessed for general employment purposes;
  • information acquired by internal trustees or administrators must not be used in their capacity as employer; and
  • information exchanged with a scheme provider should be kept to the minimum necessary.

If information about a member's sickness or injury is being processed, for example in relation to a claim for an early retirement pension, this will be sensitive personal data and additional conditions will apply, such as obtaining the individual's explicit consent.

It remains to be seen whether the Information Commissioner's guidance will be updated to take specific account of the new auto-enrolment obligations, but the general principles of good practice are likely to remain the same.

In the meantime, employers and pension schemes should review their employment and scheme documentation to ensure that they comply with the requirements of the new pensions auto-enrolment regime in a way which is compatible with existing data protection legislation and best practice.

Further information

The Information Commissioner has extensive guidance on its website. The best place to start is the Employment Practices Code.

Extensive guidance is also available from the Pensions Regulator's website including detailed guidance on the records that employers must keep under the auto-enrolment regime.

How can we help?

We have a dedicated data protection team who can assist with all your data protection questions. Please contact [email protected] who will be happy to help.