COVID-19 – Advice for Pension Trustees – Force Majeure in Outsourcing/Third Party Contracts and Data Protection: Legal Rights and Practical Steps

COVID-19 has spread rapidly across the globe, bringing with it devastating consequences for the communities that it has touched. As well as the very real human impact of the virus, many businesses have experienced severe difficulties, as a result of the economic downturn and issues with the global supply chain. Pension schemes face their own unique challenges in navigating through these difficult times, with the investment markets struggling, and the potential for staffing shortages forcing schemes to prioritise certain key tasks. One aspect that pension schemes must consider is the effect of COVID-19 on their contractual relationships with administrators and other third party outsourcers. Trustees also need to consider their obligations under the data protection legislation.

Businesses that have been affected by COVID-19 may seek to amend or relieve themselves of their contractual duties, so as to reduce the strain of staff shortages, and manage issues in their supply chains. This is something that pension scheme Trustees may have to consider doing themselves and, at the same time, potentially contend with the impact of their suppliers and contractors (such as administrators) seeking to do as well.

Under English law, a party that is seeking to change or suspend their contractual duties following a materially unforeseeable event that makes it impossible (or substantially more difficult) for the contract to be performed, may seek to rely on the following:

• a "force majeure" clause;
• the doctrine of "frustration"; and/or
• change control processes.

The extent to which any or all of the above may be relied upon will generally depend on the construction of the contract, as well as the nature of the unforeseeable event. The impact of COVID-19 will have significant ramifications from a contract law perspective, and it is important that Trustees are aware of the rights and responsibilities that they have.

Force majeure:

• English law does not imply the concept of force majeure into commercial contracts, and so specific force majeure clauses must be negotiated by the parties at the point of contracting.

• Force majeure clauses generally allow at least one party to a contract to suspend or modify their contractual obligations without penalty, as a result of an unforeseeable event that is beyond the control of the parties provided they have taken steps to mitigate the impact of the unforeseeable event.
• As the clauses are a product of negotiation, their construction is crucial, with the courts generally reluctant to imply or interpret them to read or cover anything beyond what was initially decided between the parties. In respect of COVID-19, the following questions are likely to be key:
  • When reading the clause, is COVID-19 an event that, on balance, is likely to trigger the force majeure clause?
  • Has the disruption to the contract caused by COVID-19 resulted from events entirely out of the party's control (for example, if an administrator is unable to provide their usual services as a result of their staff working from home, has this been due to actions taken by the government – e.g. an enforced lockdown – or due to an internal policy of the company – e.g. not being set up for staff to work from home)?
  • Does the clause read such that it is necessary for performance to be completely prevented in order for the clause to be invoked, or could simply the delay or hindering of performance trigger it?
  • What are the consequences of the clause being successfully invoked? What steps will each party have to take? Will there be a termination right for either party if the impossibility of performance continues?

Frustration:

• Under English law, the doctrine of frustration allows for contracts to be potentially set aside - and the parties discharged from their obligations - if an unforeseeable event means that either:
  • it becomes impossible for at least one party to perform their obligations under the contract; or
  • the obligation(s) of at least one party under the contract become radically different to those which that party first agreed to under the contract.
• The application of the doctrine of frustration is highly dependent of the facts of the unforeseeable event and the contract itself. Furthermore, one would imagine that in the current circumstances, with the sheer number of commercial contracts that have been, and will continue to be, affected by COVID-19, the courts are unlikely to take a liberal approach to its application.
• Considering the above, Trustees should exercise caution if seeking to rely on frustration in order to amend or void their contracts with suppliers and outsourcers (and consider if this is even something they would want to do given that most Trustee relationships are long term), and should be wary if supplier or outsourcer attempts to do the same. Specific legal advice should always be sought on a case by case basis.

Change control clauses:

• Contracts, particularly those for outsourcing, may contain change control processes. Depending on their construction, these may allow for the contract to be varied in order to mitigate the effects of COVID-19. However, they are likely to have quite specific terms, and should certainly not be relied upon as a catch-all.

Trustees' data protection obligations
Presuming contracts, including administration agreements, continue to operate as intended, Trustees will need to consider what steps (if any) they should take in light of the fact that service providers, such as administrators, are likely to be using personal data in their homes.

The European Data Protection Board (the "EDPB") and the Information Commissioner's Office (the "ICO") have both issued statements on how to comply with data protection laws in relation to issues arising from the COVID-19 pandemic. 

In its statement on the processing of personal data in the context of the COVID-19 outbreak, the EDPB cautioned that while the General Data Protection Regulation (the "GDPR") does not hinder measures taken in the fight against the pandemic, controllers (such as Trustees) are still responsible for ensuring the protection of personal data. The EDPB stated that when processing is necessary for reasons of substantial public interest in the area of public health (for example in relation to sharing personal data about an organisation's personnel with the authorities) or to protect vital interests, there is no need to rely on consent of individuals.

However, the EDPB stressed that data subjects should be provided with transparent information in clear and plain language on the processing activities that are being carried out and their main features.

The ICO recommended organisations adopt a proportionate approach to their data protection practices during the pandemic. The ICO reassured organisation that it understands the challenges that some organisations are facing when allocating financial and human resources away from their usual compliance work during this period.

There are five practical points from the two statements for Trustees to consider:

1. Security of personal data and homeworking: The legal obligations of Trustees to keep personal data secure remains the same, even during a crisis.Trustees need to consider and implement security requirements that are appropriate to protect personal data that may be processed in a homeworking environment. These may be the same or tougher than those used when working in the office.
2. Data protection compliance related deadlines: While the statutory timescales under the GDPR and the Data Protection Act 2018 continue to apply, the ICO said that it will take a more pragmatic view during this extraordinary period and will not penalise organisations that they know need to prioritise other areas.
3. Collection and use of health data: It is reasonable for Trustees to ask individuals that they come into contact with, such as colleagues, members of staff or visitors, whether they have visited a particular country, or are experiencing COVID-19 symptoms but Trustees may not need to collect more specific information about individuals' health conditions and should not collect more personal data than they need (proportionality and data minimisation).
4. Sharing information about affected individuals: Where there has been a case or suspected case of COVID-19, Trustees may inform other Trustees but it is probably not necessary to name the affected individual(s) unless it is strictly required to protect other individuals. In cases where it is necessary to reveal the name of the person concerned, the individual concerned should be informed in advance and their dignity and integrity protected. For further information about the use of personal data in the context of employees, see our blog post on the Right to know (COVID-19).
5. Sharing health information with public authorities: While it is unlikely that Trustees will have to share information with public authorities about specific individuals on public health grounds, data protection law is unlikely to prevent this.

Our data protection and pensions teams have hands-on experience of supporting pension Trustees through these types of situations.  We can help you navigate your way through your contracts, leveraging the expertise of our data protection and pension teams, through our practical and pragmatic approach.