In January 2012 the European Commission published proposals to overhaul the existing data protection regime in EU Directive 95/46/EC (the "1995 Directive"). The Commission took the view that the regime required modernisation to tackle the impact that technology and globalisation have had on the way in which personal data are now used, and to harmonise the disparate ways in which EU member states had implemented the 1995 Directive.
These proposed changes (the "New Regulations"), if and when implemented, are expected significantly to alter data controllers' and data processors' responsibilities, and this in turn may have direct consequences for pension scheme trustees ("trustees") amongst others.
Current UK Data Protection Regime
The Data Protection Act 1988 ("DPA") implemented in the UK the provisions of the 1995 Directive. The DPA distinguishes between "data controllers" (defined as those persons who (alone or with others) determine the purposes for which, and the manner in which, personal data are to be processed) and "data processors", who process personal data on the data controllers' behalf.
Trustees often fall within the category of data controllers, in which case they are required to notify (register with) the Information Commissioner's Office ("ICO") unless an exemption applies. To the extent that they operate as data controllers, trustees must observe the provisions of the DPA, including the eight principles set out in its Schedule 1; failure to comply may result in (amongst other things) the ICO bringing enforcement action against them.
To the extent that they operate as data controllers, trustees are liable under the DPA for the acts of third party data processors in relation to scheme members' personal data. The definitions of both data processors and processing of data are drawn very...