In April 2023, the Information Commissioner's Office (ICO) fined a social media company £12.7 million for a number of breaches of UK data protection law, including failing to use children's personal data in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR).

Alongside its enforcement notice, the ICO published an annex which considers the specific wording of the company's privacy notices [1] between August 2018 and July 2020 and sets out why the ICO concluded that the wording did not meet the requirements of the UK GDPR. The ICO found that many of the general statements often seen in privacy notices about lawful processing bases, recipients of personal data, international data transfers and data retention were insufficiently detailed to satisfy the requirements of the UK GDPR.

What this means for trustees

The enforcement notice provides further detail about what the ICO considers to be a (non-)compliant privacy notice and trustees should update their privacy notices to reflect the ICO's comments. The following points are likely to be of particular relevance to pension schemes:

  • Privacy notices need to show a link between each type of personal data held, the purpose for which that type of data is processed and the lawful basis on which that type of data is processed, so that the individual can understand their rights in relation to the data held. It is not sufficient simply to list separately the types of personal data held, the various purposes for which personal data is processed and the various bases on which personal data is processed.
  • Privacy notices should be more specific about the parties with whom personal data is shared. The notice should either include the names of the recipients or, if this is not possible or practicable, the notice should explain who the recipients are, what they do with the relevant personal data and where they are located. If personal data starts being shared with a new recipient, the notice should be updated to reflect this. This may be relevant in the pension scheme context where, for example, a buy-in is being considered and the trustees share personal data with prospective insurers.
  • Privacy notices should also specify any country to which personal data is transferred, whether the country benefits from an adequacy decision and, if not, what safeguards have been implemented (such as standard contractual clauses or an international data transfer agreement) and how to obtain a copy of those safeguards.
  • General statements in privacy notices about keeping personal data for as long as is necessary for the purposes of processing are unlikely to comply with the UK GDPR. Notices should specify a clear period for which personal data will be stored or at least "meaningful" information about the criteria used to determine the retention period with specific examples.

However, unlike the ICO's detailed guidance on the right to be informed, the enforcement notice is not general guidance for organisations subject to the UK GDPR, and the ICO's decision to fine the company should be considered in the context of the ICO's focus on protecting children from the unlawful processing of personal data and the company's role as a major social media platform. These aspects would be unlikely to apply in the context of a pension scheme.

As such, we do not believe that trustees need to update their privacy notices immediately. Instead, trustees should make any updates as part of their next scheduled review of their privacy notices. Regardless of the ICO's decision, privacy notices should be subject to regular (e.g. annual) review.

For more detail on the ICO's comments, please see our data protection colleagues' legal update.

Footnote

1. Privacy notices are also commonly referred to as "privacy statements", "privacy policies" and "fair processing statements".

Originally published 3 August 2023



© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.