The changes arise under the Data (Use and Access) Act 2025 (DUAA), which applies to all organisations acting as data controllers, including pension scheme trustees, and introduces new requirements around the handling of data protection complaints from members.
Under the new regime, schemes must ensure members are able to raise data protection complaints directly, that complaints are acknowledged within 30 days, and that they are handled appropriately and without undue delay.
Lauren Shipman, Trustee Executive at ZEDRA Inside Pensions, said: “For many pension schemes, the work required to comply is relatively modest, typically involving updates to existing complaints procedures, privacy notices and governance documentation. However, there is concern that the changes may have gone under the radar for some schemes amid wider regulatory pressures and competing governance priorities, and that some may need to establish new documented complaints-handling processes. And although modest, this is important governance work that trustees cannot afford to overlook.
“In instances where schemes have outsourced administration to third-party providers, it’s important to be satisfied that compliance is being appropriately managed. Ultimately, accountability rests with trustees, and this can create potential governance and oversight risks where responsibilities, procedures and reporting lines have not been clearly reviewed. Trustees should seek confirmation from their administrators, where applicable, on what changes have been made and whether governance arrangements remain compliant. If these issues are not addressed, it could increase the risk of complaints escalating to the Information Commissioner’s Office (ICO), the Pensions Ombudsman, or broader governance scrutiny.”
Shipman added: “If complaints emerge later and trustees cannot evidence proper procedures, it could quickly open a can of worms from a governance and reputational perspective. With that in mind, trustees should now be using the remaining time before the rules take effect to review existing data complaints procedures, ensure member-facing privacy notices and governance documentation are updated where necessary, and confirm responsibilities with third-party administrators and processors.”