Data Protection Framework
Version 1.0 27 February 2018
1. Preparation for GDPR
The Law Debenture Corporation p.l.c. (“LDC”) and its subsidiaries (together “Law Debenture” or “we”) are preparing for compliance with the General Data Protection Regulation and associated UK legislation (together “GDPR”). We have established a Steering Group which is working with our Secretariat team, Virginia Duncan and Ian Bowden, to update the data protection policies and procedures that are in place for the whole organisation. Virginia is responsible for reporting on this project to the LDC Board.
David Curtis represents Law Debenture’s Pensions Department on this Steering Group. He is the first point of contact for any questions about the GDPR in the context of the services which we provide in relation to the trusteeship and governance of pension schemes (whether as trustee, trustee director, committee member, secretary, provider of executive or project support or otherwise). These services are generally provided by The Law Debenture Pension Trust Corporation p.l.c. (“LDPTC”), its subsidiaries and The Law Debenture Trust Corporation p.l.c. (“LDTC”) (together “LawDeb Pension Trustees”). References to “the Pension Trustee Team” are to the people who work in the Pensions Department, comprising directors of LDPTC and their support staff employed by LDC Trust Management Limited. We do not currently have a data protection officer but this situation will be reconsidered as part of our compliance review.
As a pension scheme trustee, the LawDeb Pension Trustees will be a data controller in relation to those schemes. This document has been prepared as a record of our processing activities, and to assist others involved in the schemes in understanding our approach to GDPR and what we are doing to ensure that scheme data is properly protected. The Steering Group has put in place a project plan and timetable with a view to delivering full GDPR compliance before 25 May 2018.
Everyone working in the Pension Trustee Team receives security awareness and data protection training. Our training material is currently being reviewed and updated to ensure that it covers the specific requirements of GDPR. Once this is complete, and prior to 25 May 2018, the whole team will receive the further training which is necessary to ensure appropriate knowledge and understanding of the new requirements. Refresher training will then be provided on an annual basis.
2. Governance framework
All relevant Law Debenture companies have notifications registered with the Information Commissioner’s Office (ICO) and comply with the requirements of the Data Protection Act 1998. We currently have a Data Protection Policy which is designed to support those requirements.
Our existing Data Protection Policy is in the process of being reviewed and updated to reflect the new GDPR requirements. Work on this will continue up to 25 May 2018 and beyond as our understanding of the requirements and guidance from the ICO and the best practice response to them develops.
The Data Protection Policy forms part of our broader governance framework which is in place to ensure that we can store and process data safely. The implications of the GDPR and the resulting changes to our Data Protection Policy may lead us to amend or revise our broader governance framework and all necessary work in this area will be complete prior to 25 May 2018.
3. Organisational measures and controls
We commission comprehensive background checks for all individuals offered employment by Law Debenture. These checks include verification of:
- Home address
- Employment history
- Academic history
- Professional qualifications
- Personal qualifications
- Personal references
- Criminal records (unspent convictions)
We also contact previous employers for a professional reference.
Each employee is contractually required to comply with Law Debenture’s security regulations including our Information Security Policy as a condition of employment in order to protect any information accessed as part of their work with Law Debenture. Misuse of IT systems and unauthorised use of personal data are both treated as gross misconduct offences which will involve instant dismissal.
4. The capacity in which we act
The capacity in which we act depends on the capacity in which LawDeb Pension Trustees is appointed in relation to a particular scheme:
(a) Where we are sole trustee we will normally be a data controller in relation to the scheme’s personal data.
(b) Where a scheme has a number of trustees of which LawDeb Pension Trustees is one, the data controller will normally be the trustees as a body and we will share the obligations of data controller with our co-trustees.
(c) Where a scheme has a corporate trustee of which LawDeb Pension Trustees is one of the directors, the data controller will normally be the trustee company.
(d) In acting in any of the capacities referred to in (a), (b) and (c) above LawDeb Pension Trustees does not act as a data processor.
Where LawDeb Pension Trustees acts in any of the above capacities, although it will not be acting as a data processor, its policy is to abide not only by Law Debenture’s own Data Protection Policy but also by any data protection policy which we have agreed with our co-trustees or co-directors should apply in relation to any particular pension scheme.
5. The personal data which we handle
In the normal course of its work LawDeb Pension Trustees does not systematically hold or process personal data in relation to the members and beneficiaries of the pension schemes to which it is appointed. However, we do receive and hold some such data, for example in agenda papers and minutes of Trustee meetings. In addition, some of our activities involve access to and the processing of such data, some of it of a sensitive nature. An example of this is when making decisions about ill-health early retirement requests or deciding on the discretionary distribution of death benefits. Our clear preference is to work with our clients to ensure that member data is anonymised or pseudonymised before it is shared with us so that a higher level of data protection is automatically built into our processes. However, even if such policies are put in place, there may still be instances when identifiable individual data is made available to us. Accordingly, we will maintain organisational and technological measures to protect any personal and sensitive personal data to which we have access.
The processing activities for which LawDeb Trustees may be responsible are shown in Appendix I.
6. Data security, retention and business continuity
Electronic data is stored in our London Office server room and offsite at our Disaster Recovery and Business Continuity partner site. Data in paper form is stored locally in our London office and offsite in an independently run archiving facility. LawDeb Pension Trustees does not store personal data in relation to the pension schemes to which it is appointed outside the EEA (including the US). Nor does it transfer any such data to any country outside of the EEA. All data is transferred via secure means. For example, documents containing personal data are password protected when emailed.
No data security incidents have been reported to the ICO by Law Debenture and we have not been the subject of any enforcement action or investigations by the ICO.
Law Debenture has in place a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP). Particular elements of these plans are subject to testing throughout the year. The BCP aims to ensure that, in the event of a major incident, Law Debenture can continue to operate with the minimum of disruption to client and business activities.
Our core IT systems are run securely out of a specialist data centre. Our individual offices connect to the data centre via resilient high-speed circuits. In an emergency, backups are available to reinstate systems and data. Additionally, each office has local and exclusive infrastructure that can be used in isolation to support the restoration of any server or required data. Telephony systems have dual voice routes into the data centre, resilient voice servers and gateway hardware. Each office is also equipped with independent stand-alone voice systems to operate in isolation if required. Each office has the ability to operate independently of the others. Where needed, individuals can work as normal from an alternative office or remotely via a secure Virtual Private Network (VPN).
Please see the extract from our AAF 02/07 Assurance Report, reproduced in Appendix II for more details on our existing controls.
The most recent major testing of the BCP was carried out in October 2017. The BCP worked as intended in response to this testing. High level details of any learning or updates as a result of this testing are available on request.
Law Debenture’s systems are backed up in full every day.
Our policy is to retain data only for as long as it is necessary to cover our and our clients’ legal, professional and regulatory obligations. In many cases, data will be retained indefinitely, as pension schemes are inherently long-term arrangements and questions or issues can arise many years after our appointment has ceased or the scheme has been wound up. Data in paper form is disposed of using our locked shredding bins, which are emptied by our approved shredding contractor. We engage specialist suppliers to safely remove all data and systems from redundant computer hardware and mobile phones. We are in the process of developing an enhanced policy to address GDPR requirements in respect of subject access requests.
7. External accreditation
LDPTC has an AAF 02/07 Assurance Report in place for the year ended 31 March 2017. The reporting accountant is Crowe Clark Whitehill LLP. The Information Technology control objectives and procedures from the report are reproduced in Appendix II.
We will be reviewing the control objectives and procedures covered by this accreditation as part of our GDPR implementation project.