The Data Protection Act 2018 (DPA) came into force on 25 May 2018. It changed how organisations process and handle data, with the key aim of giving greater protection and rights to individuals.

What laws governed data protection in the UK before DPA 2018?

In the UK, prior to DPA 2018, the Data Protection Act 1998 set out how your personal information could be used by companies, government and other organisations. The DPA 2018 replaced the Data Protection Act 1998 from 25 May 2018.

So what’s new?

There are new and extended rights for individuals in relation to the personal data an organisation holds about them, for example, an extended right to access and a new right of data portability.

You can obtain further information about these rights from the Information Commissioner’s Office or contact their telephone helpline: 0303 123 1113.

In addition, organisations have an obligation for better data management. A new regime of fines has been introduced for when an organisation is found to be in breach of the DPA.

The main principals of the DPA

The DPA states that personal data must be:

  • processed lawfully, fairly and in a transparent manner
  • collected only for specified, explicit and legitimate purposes
  • adequate, relevant and limited to what is necessary
  • accurate and kept up to date
  • held only for the absolute time necessary and no longer
  • processed in a manner that ensures appropriate security of the personal data

Personal data

The DPA applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including:

  • name
  • identification number
  • location data
  • online identifier

How DPA affects LGPS members

We already have procedures in place which comply with similar data protection principles under the Data Protection Act 1998. The new regulations reinforce these existing requirements. LGPS members are unlikely to notice a change in the service they receive from Derbyshire Pension Fund.

How Derbyshire Pension Fund is DPA compliant

Every LGPS Fund is required to update their privacy notice in line with the new requirements setting out:

  • why certain data is held
  • the reason for processing the data
  • who they share the data with
  • the period for which the data will be retained

Within the notice, members will also be provided with additional information about their rights under the legislation.

Why Derbyshire Pension Fund holds personal data

LGPS Funds require various pieces of personal data provided by both the individual member and their employer in order to administer the pension scheme. This data includes, but is not limited to:

  • names
  • addresses
  • National Insurance numbers
  • salary details

These are required to maintain scheme records and calculate member benefits.

Who LGPS funds share personal data with

On occasion, LGPS Funds are required to share personal data with third parties in order to:

  • meet regulatory and government requirements
  • gather necessary information for the accurate payment of member benefits
  • ensure scheme liabilities are met.

Each Fund’s privacy notice will set out who they share data with. This is likely to include bodies such as scheme employers, fund actuaries, auditors and HMRC.

Asking for your data to be deleted

The DPA provides individuals with the ‘right to be forgotten’ in certain limited circumstances. However, in practical terms the exercise of this right in relation to LGPS Funds is limited as the deletion of data can prevent the Fund from carrying out its duties. LGPS Funds are required to process personal data to comply with legal obligations under pension legislation, therefore, the ‘right to be forgotten’ is unlikely to apply to data held by LGPS Funds.

What happens if there's a data breach

Data breaches are a rare occurrence within LGPS Funds. However, should a security breach concerning a member’s personal data occur that's likely to result in a risk to that member’s rights and freedoms, there will be a direct obligation under the DPA for the Fund to inform the Information Commissioners Office within 72 hours of the breach taking place.