Legal risk to pension trustees from misdirecting member data

The Court of Appeal has reversed that decision, so that pension trustees are exposed to the risk of damages claims by scheme beneficiaries if member data is misdirected, provided that scheme members had a well-founded fear that third parties could access the data, without needing to prove that third parties had in fact accessed the data.

Level of compensation and key risks

However, it should be noted that the likely amount of compensation in such cases is low, unless a large number of scheme members have such a well-founded fear. The compensation ultimately sought in the Farley case was £1,250 per affected member. The greatest risks involved with misdirection of scheme members' personal data, or other data breach affecting pension scheme members' data, therefore, are of use of disclosed member data by a fraudster to steal pension scheme funds and/or scheme members' data and assets and/or of a substantial fine from the Information Commissioners' Office or from the Pensions Regulator.

Facts of the Farley case

In the case of Farley v Paymaster, the administrators for the pension scheme covering the Sussex Police sent annual benefit statements by post to members of the scheme. Those scheme members were police officers. Those annual benefit statements included such details as the name, address, national insurance number, police service, salary and pension benefit details of the scheme members. A significant number of those annual benefit statements, over 750, were posted to out-of-date residential addresses of the scheme members. The majority of those statements were never recovered and it remains unknown what happened to them.

Data breach and response

The posting of the annual benefit statements clearly constituted data processing within the wide definition of that term in the Data Protection Act 2018 and the UK GDPR. There was also clearly a data breach. Being police officers, the scheme members were concerned about the security implications of the misdirection of their personal data, as well as the potential for fraud against them and against their pension scheme. The scheme administrators offered the scheme members an opportunity to sign up to a fraud protection service at the administrators' expense.

The scheme members made claims before the High Court for damages by way of compensation for the data breach from the scheme administrators. The High Court struck out all but 14 of the claims because the claimants could not prove that unauthorised third parties had opened and read their annual benefit statements.

Court of Appeal ruling

The Court of Appeal allowed the claimants' appeal against that High Court judgment and held that the scheme members could claim, albeit modest, damages by way of financial compensation from the scheme administrators for the personal data breaches which had occurred. This was on the basis that the scheme members had a well-founded fear that unauthorised third parties could have opened and read their annual benefit statements and could perpetrate fraud or other crimes against them, notwithstanding that they could not prove that any annual benefit statement had in fact been opened and read by an unauthorised third party. Whether a fear is well-founded is to be determined by reference to the facts and matters which were known or should have been known to the scheme members at the time at which they experienced the fear, and not with the benefit of hindsight.

No threshold of seriousness required

The Court of Appeal held that there was no threshold of seriousness which scheme members must meet in such circumstances in order to recover financial compensation from scheme administrators for a personal data breach. It was sufficient in Farley that the affected scheme members suffered anxiety, alarm, distress and embarrassment as a result of the personal data breach and that they were distressed about the loss of control over their personal data and that some scheme members suffered an aggravation of pre-existing medical conditions as a result of the personal data breach. The Court of Appeal held that the concept of damage from a personal data breach, which would be compensated, should be broadly interpreted. On the other hand, mere irritation or annoyance would not be sufficient to mount a claim for financial compensation for a personal data breach.

Since pension trustees are ultimately responsible for the administration of their schemes, pension trustees are exposed to the same legal risks of claims by scheme beneficiaries, as scheme administrators in these circumstances.