Although, in mopping up the aftermath, it helps to have a plan. I was talking to Stewart Room the other day, a partner at Field Fisher Waterhouse who is widely recognised as something of a guru in the field of data protection and privacy. The question I had for Stewart was whether pension schemes really needed to worry about the Information Commissioner's Office ("ICO") now that it is being given the power to impose fines of up to £500,000 for serious breaches of the Data Protection Act. Was this something we really needed to worry about, or was the dog's bark worse than its bite? What came out of our discussion was that there are increasing indications that this Regulator really means business this time.

But as Stewart explained, and as our briefing note (linked to the side of this blog) explains, all is not lost. There are sensible things which can be done to pacify this potentially dangerous beast. Quite often, organisations spend a lot of time and energy on addressing the operational risks associated with the loss of data whilst ignoring the big picture. What is really needed is not a commitment to designing a fool-proof, infallible workforce, since to error is human (did you see what I did there?). The most important thing is to have systems and processes in place which both minimise the risk of data being lost and limit the consequences of that loss once it has occurred. For a lot of the people that Stewart meets this is a major learning curve. For trustees of pension schemes it should not be, as it very much follows the Pensions Regulator's risk-based approach to achieving long-term compliance after it discovers inadvertent one-off errors.
But a £500k fine is a substantial amount, and some large fines are expected under the new regime. Are you a trustee of a pension scheme, or perhaps an employer who has promised to indemnify the trustees against loss? What do you think about this issue, and how do you go about trying to address it?
Posted by: Lee Harding