Memorandum of Understanding regarding Compliance with Data Protection Law

1. Introduction

1.1

The Local Government Pension Scheme (“LGPS”) in England and Wales is an occupational pension scheme registered under section 153 of the Finance Act 2004 and its rules are currently set out in The Local Government Pension Scheme Regulations 2013 (SI 2013/2356) as amended (“LGPS Regulations”). 

1.2 

The LGPS is administered locally by administering authorities which are defined in Regulation 2 of the LGPS Regulations and listed in Part 1 of Schedule 3 of the LGPS Regulations.

1.3

Bath and North East Somerset Council (“Administering Authority”) is an administering authority under the LGPS Regulations. The Administering Authority manages and administers the Avon Pension Fund within the LGPS (the “Fund”) in accordance with its statutory duty under Regulation 53 of the LGPS Regulations. Employers employing employees who are eligible to be members of the LGPS will participate in the Fund as a “Scheme Employer” (as defined in schedule 1 of the LGPS Regulations). The Administering Authority and the Scheme Employer (together the “Parties”) are required to share personal data relating to the Scheme Employer’s current and former employees who participate in the Fund (the “Members”) and their dependants, beneficiaries and/or potential beneficiaries, in order for the Administering Authority to fulfil its statutory duties to manage and administer the Fund under Regulation 53 of the LGPS Regulations and provide the Members with benefits upon retirement, pay ill-health benefits, pay death grants, pay survivors’ pensions to Members’ spouses, civil partners and co-habiting partners, pay children’s pensions upon the death of the Member, and offer Members the option of paying additional voluntary contributions to one or more providers in accordance with Regulations 1 – 52 of the LGPS Regulations.

1.4

Scheme Employers are under a statutory obligation, as detailed in Regulation 80 of the LGPS Regulations, to provide certain personal data relating to their Members on an annual basis to the Administering Authority, including the Member’s name, gender, date of birth, national insurance number, pensionable pay, employer and employee pension contributions, details of any additional pension contributions and additional voluntary contributions.

1.5

This Memorandum of Understanding sets out:

  1. the basis on which personal data will be shared between the Parties; and
  2. the Administering Authority’s expectations of the Scheme Employer during its participation in the Fund;

in order to comply with Data Protection Law, including the General Data Protection Regulation (2016/679) as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018. For the avoidance of doubt, the commitments set out in this Memorandum of Understanding only apply in respect of personal data shared between the Parties.

1.6

References to “Data Protection Law” in this Memorandum of Understanding mean the UK Data Protection Act 2018, the Electronic Communications Data Protection Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) (each as amended and incorporated into the laws of England & Wales, Scotland and Northern Ireland), the GDPR and all applicable laws and regulations relating to personal data and privacy which are enacted from time to time, including (where applicable) the guidance and codes of practice issued by the Information Commissioner’s Office and any other competent authority. References in this Memorandum of Understanding to the “GDPR” are to the General Data Protection Regulation (2016/679) as amended and incorporated into the laws of England & Wales, Scotland and Northern Ireland under the UK European Union (Withdrawal) Act 2018, but also include a reference to the underlying EU regulation itself if and to the extent that it is applicable.

2. Controllers

2.1

The Parties acknowledge that they will:

  1. not hold a pool of joint data;
  2. be separate and independent controllers in relation to the copies of the Members’ personal data they respectively hold and/or otherwise process;
  3. each act as independent controllers in relation to personal data transferred to them;
  4. each be responsible for complying with the requirements in Data Protection Law that are applicable to them as independent controllers.

2.2

References to Members’ personal data include personal data relating to the Members’ dependants (including children), spouses/civil partners (where applicable), beneficiaries and/or potential beneficiaries.

3. Data Sharing 

3.1

The Parties confirm that they understand their respective obligations under Data Protection Law as controllers and agree to only process personal data relating to the Members: 

  1. transparently, fairly and lawfully and in accordance with the data protection principles set out in Data Protection Law;
  2. where there are lawful grounds for doing so; and
  3. in accordance with Data Protection Law and best practice guidance (including the Data Sharing Code of Practice issued by the Information Commissioner’s Office and updated from time to time).

3.2

Each Party will separately inform the Members (as required under Data Protection Law) of the respective purposes for which they will each process their personal data and provide all required information to ensure that the Members understand how their personal data will be processed in each case by the Administering Authority or Scheme Employer (as applicable). The Scheme Employer’s privacy notice to Members will inform them that their personal data will be provided to the Administering Authority and a copy of that notice will be provided to the Administering Authority on request.

3.3

When sharing personal data, including for any onward transfers of personal data, the Parties shall ensure that they have a lawful basis for doing so.

3.4

To the extent any Scheme Employer or Administering Authority makes any transfer of personal data outside of the UK or European Economic Area, it shall ensure compliance with Chapter 5 of the GDPR and the principles set out in the judgement issued by the Court of Justice of the European Union on July 16, 2020 (case C-311/18; “Schrems II”).

3.5

In the event that a Scheme Employer or Administering Authority collects, uses or otherwise processes Special Category Personal Data, or Criminal Convictions Data, it shall comply with all of the requirements under Data Protection Law, as applicable. This includes ensuring that a condition for the processing of this data has been satisfied.

3.6

Each Party shall ensure that it:

  1. only collects, uses or otherwise processes personal data for a specific and limited purpose; 
  2. has measures in place to ensure that personal data remains accurate and up-to-date; and
  3. ensures that all staff who have access to the personal data are properly trained in the handling of personal data.

3.7

Each Party confirms that it understands its respective obligations under Data Protection Law to ensure that the Members’ personal data of which it is a controller is kept and used securely at all times and to take such technical and organisational security measures against unauthorised and unlawful processing of, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Members’ personal data transmitted, stored or otherwise processed as may be required. Such measures will have due regard to the state of technological development and the cost of implementation of these measures, to ensure a level of security appropriate to the harm that might result from such processing and the nature, scope, context and purposes of processing the Members’ personal data and the risk or likelihood and severity for the rights and freedoms of data subjects. Such measures will ensure:

  1. the ongoing confidentiality, integrity, availability and resilience of processing the Members’ personal data;
  2. the ability to restore the availability and access to the Members’ personal data in a timely manner in the event of a physical or technical incident;
  3. regular testing, assessment and evaluation of the effectiveness of technical and organisational measures for ensuring the security of the processing.

3.8

Each Party undertakes to notify the other as soon as practicable if an error is discovered in the Members’ personal data of which it is a controller and which was received from or a copy of which has been provided to the other Party, to ensure that such other Party is then able to correct its own records. This will happen whether the error is discovered through existing data quality initiatives or is flagged up through some other route (such as the existence of errors being directly notified to the Administering Authority or Scheme Employer (as appropriate) by the Member (or the Members’ dependants, spouse/civil partner) themselves). 

4. Transfer of members’ personal data

4.1

The Parties agree that Members’ personal data will only be transferred from one Party to the other via an acceptable method specified by the Administering Authority which may include any of the following:

  1. face to face / telephone
  2. courier
  3. secure email / de-personalised email
  4. access secure websites (for example GlobalScape and i-Connect)
  5. third party solution as agreed by the Parties

4.2

Each Party will, when transferring the Members’ personal data of which it is the controller to the other Party, ensure that that data is secure during transit (whether physical or electronic).

4.3

If either the Administering Authority or the Scheme Employer appoints professional advisers, third party administrators or another entity which provides other services involving the transfer of Members’ personal data, those third parties will be processors or controllers in their own right. The Administering Authority or the Scheme Employer (as applicable) will comply with its own obligations in accordance with Data Protection Law (in particular, by requiring any such entity to which it transfers Members’ personal data to also comply with Data Protection Law) and shall ensure that nothing in the terms of engagement between the Administering Authority or the Scheme Employer (as applicable) and such third party would contradict this Memorandum of Understanding.

5. Rights of members (including the member’s dependants, spouses/civil partners (where applicable))

5.1

Each Party shall, in respect of the personal data of which it is a controller, respond to any requests from Members to have access to or to exercise any of their other rights under Data Protection Law in relation to any of their personal data, or to a complaint or enquiry relating to that Party’s processing of the Members’ personal data received by that Party, in line with its own obligations under Data Protection Law. Such requests, complaints or enquiries should be directed to the individuals named in 9 below.

5.2

Each Party agrees to provide reasonable assistance to the other as is necessary to enable the other Party to comply with any such requests in respect of Members’ personal data of which that Party is a controller and to respond to any other queries or complaints from Members.

6. Data security breaches and reporting procedures

6.1

Each Party confirms that it understands its respective obligations under Data Protection Law in the event of any personal data breach, unauthorised or unlawful processing of, loss or destruction of or damage to any of the Members’ personal data, including (where necessary) an obligation to notify the Information Commissioner’s Office and/or the Member(s).

7. Additional responsibilities of scheme employers

7.1

Notwithstanding the statutory obligations which apply to Scheme Employers under the LGPS Regulations and as a controller under Data Protection Law, the Administering Authority, as Administering Authority for the Fund, expects Scheme Employers participating in the Fund to comply with the responsibilities set out below in relation to Members’ personal data.

7.2

On request, the Scheme Employer will inform the Data Protection Officer at the Administering Authority of any appointed qualified person to fulfil the role of data protection officer (“DPO”) together with their contact details.  If the Scheme Employer has not appointed a DPO, the Scheme Employer, on request, will inform the Data Protection Officer at the Administering Authority of the details of a nominated person for GDPR compliance purposes.

7.3

The Scheme Employer will demonstrate to the Administering Authority’s satisfaction when dealing with ill health early retirement applications for current employees that explicit Member consent has been received which gives consent to processing by both the Scheme Employer and the Administering Authority. In the absence of such consent, the Administering Authority may not be able to process the Member’s application. 

7.4

The Scheme Employer acknowledges the financial penalties that can be imposed by the Information Commissioner’s Office in relation to breaches of Data Protection Law and will inform the Administering Authority within 48 hours from the point that it becomes aware that the Scheme Employer may be liable to pay such a financial penalty. The Scheme Employer further acknowledges that any liability it may have to pay a financial penalty to the Information Commissioner’s Office may result in a revision of the rates and adjustments certificate in accordance with Regulation 62(7) of the LGPS Regulations.

8. Compliance with the Memorandum of Understanding

8.1

Failure by the Scheme Employer to comply with the terms set out in this Memorandum of Understanding may result in the Administering Authority taking any or all of the following actions:

  1. reporting the Scheme Employer’s non-compliance to the Information Commissioner’s Office;
  2. any other action which the Administering Authority deems appropriate and which is within its powers.

9. Contacts

All queries, correspondence and notifications, including requests made pursuant to 5.1 above, should be directed to:

Avon Pension Fund 

Email: APF_Governance@bathnes.gov.uk 

Telephone: 01225 395100

Address: Bath and North East Somerset Council, Lewis House, Manvers Street, Bath, BA1 1JG

10. Review and amendment of Memorandum of Understanding

The Administering Authority will review the Memorandum of Understanding annually.

The Administering Authority also reserves the right to amend the Memorandum of Understanding at any time and with immediate effect and will provide written notice to the Scheme Employer of such amendment.