Columnists

Data protection strategies for pension schemes

idea-pic

Data protection concept.

Summary

  • Pension scheme trustees qualify as data controllers under the Data Protection Act simply because they ultimately determine the manner and purpose in which scheme members’ data is processed either by themselves or their agents.
  • Although pension scheme trustees as data controllers should be questioning their compliance levels, there is more to it than sheer obedience.
  • There are several endorsed approaches to safeguard sensitive data from cybercrime and also reduce data breaches.

Pension schemes are veritable treasure troves of sensitive personal information relating to their members and beneficiaries. Managing such data has never been more complicated and fraught with risk, especially in the wake of the Data Protection Act.

Kenya Data Protection Act was assented to the law on November 8, 2019, making it the primary law on data protection in the country.

The law, which is among the first in the continent to provide a comprehensive legal framework on data handling, gave effect to privacy as a fundamental human right as enshrined under Article 31(c) and (d) of the Constitution.

Pension scheme trustees qualify as data controllers under the Data Protection Act simply because they ultimately determine the manner and purpose in which scheme members’ data is processed either by themselves or their agents.

Although pension scheme trustees as data controllers should be questioning their compliance levels, there is more to it than sheer obedience.

The activity should not be viewed merely as a tick-box exercise, but rather as an opportunity for the trustees to look at how the quality of data in their possession can impact their mandates as trustees. Here are three guidelines for trustees to manage data responsibilities:

Training of stakeholders: Pension schemes like businesses often need to be prepared for disasters either natural or artificial and should ensure that proper risk mitigation measures are put in place by their board and service providers.

For instance, malware and ransomware attacks or system failures can be catastrophic for pension schemes and It is, therefore, never too soon to evaluate what needs to be done to prepare your respective pension schemes for such risks.

There are several endorsed approaches to safeguard sensitive data from cybercrime and also reduce data breaches.

Policies and guidelines: Member data security should be at the forefront of trustees’ governance strategies, especially in the light of the Data Protection Act and the regulations provided thereunder.

The trustees remain responsible for data security even when they appoint reputable service providers, as such frequent reviews of the providers’ data resilience and procedures should form part of scheme governance procedures.

Trustees need to have in place privacy and information security policies that detail personal data handling procedures and practices. The policies should also guide an incident response plan in case of an attack or breach.

Monitoring and evaluation: Pension schemes may designate or appoint a data protection officer whose main role would be to advise them and their employees on data processing requirements provided under the Act.

The officer would also ensure that the trustees comply with the provisions Data Protection Act while facilitating capacity building of staff involved in data processing operations.

Engaging a data protection officer will aid in continuous monitoring and evaluation of the processes and procedures in place not only to ensure compliance with the Act but also to minimise data-related risks.