In April 2023, the Information Commissioner's Office (ICO) fined a social media company £12.7 million for a number of breaches of UK data protection law, including failing to use children's personal data in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR).
Alongside its enforcement notice, the ICO published an annex which considers the specific wording of the company's privacy notices between August 2018 and July 2020 and sets out why the ICO concluded that the wording did not meet the requirements of the UK GDPR. The ICO found that many of the general statements often seen in privacy notices about lawful processing bases, recipients of personal data, international data transfers and data retention were insufficiently detailed to satisfy the requirements of the UK GDPR.
What this means for trustees
The enforcement notice provides further detail about what the ICO considers to be a (non-)compliant privacy notice and trustees should update their privacy notices to reflect the ICO’s comments. The following points are likely to be of particular relevance to pension schemes:
- Privacy notices need to show a link between each type of personal data held, the purpose for which that type of data is processed and the lawful basis relied on for that processing, so that the individual can understand their rights in relation to the data held. It is not sufficient to list separately the types of personal data held, the various purposes for which personal data is processed and the various bases on which personal data is processed, without connecting them.
- Privacy notices should be more specific about the parties with whom personal data is shared. The notice should either include the names of the recipients or, if this is not possible or practicable, the notice should explain who the recipients are, what they do with the relevant personal data and where they are located. If personal data starts being shared with a new recipient, the notice should be updated to reflect this. This may be relevant in the pension scheme context where, for example, a buy-in is being considered and the trustees share personal data with prospective insurers.
- Privacy notices should also specify any country to which personal data is transferred, whether the country benefits from an adequacy decision and, if not, what safeguards have been implemented (such as standard contractual clauses or an international data transfer agreement) and how to obtain a copy of those safeguards.
- General statements in privacy notices about keeping personal data for as long as is necessary for the purposes of processing are unlikely to comply with the UK GDPR. Notices should specify a clear period for which personal data will be stored or at least “meaningful” information about the criteria used to determine the retention period with specific examples.
However, unlike the ICO’s detailed guidance on the right to be informed, the enforcement notice is not general guidance for organisations subject to the UK GDPR, and the ICO's decision to fine the company should be considered in the context of the ICO's focus on protecting children from the unlawful processing of personal data and the company's role as a major social media platform. These aspects would be unlikely to apply in the context of a pension scheme.
As such, we do not believe that trustees need to update their privacy notices immediately. Instead, trustees should make any updates as part of their next scheduled review of their privacy notices. Regardless of the ICO’s decision, privacy notices should be subject to regular (e.g. annual) review.
For more detail on the ICO’s comments, please see our data protection colleagues’ legal update.