Hand of referee with red card.

The rugby Six Nations Championship has been a recent topic of conversation. But do you know how long pensions dashboards have been a topic of conversation? Almost 10 years – ever since the issue was raised in a report by the Financial Conduct Authority in December 2014! We are now about to witness kick-off as the industry prepares to connect pension schemes to the dashboards architecture.

Any day now, the Department for Work and Pensions (DWP) will issue guidance setting out a line-up of expected connection dates, split by scheme size and type. Do not be fooled by the word “guidance” – compliance is not optional. Legislation requires trustees to “have regard to” this (and other) dashboards guidance and The Pensions Regulator (TPR) has said that non-compliance with connection dates will be a breach, for which it can award penalties. We can expect to hear a lot more from TPR in the coming weeks/months, including its compliance and enforcement policy.

We expect that dashboards connection dates will be concertinaed into a fairly short timeframe, likely leading to capacity issues among service providers. Much of the focus so far has been, quite rightly, on data readiness – making sure that member and scheme data is accurate and can be automated to satisfy dashboards requirements. But, ahead of the expected scrum of dashboards activity, I would like to extend a request to trustees and advisers – please do not kick important legal issues into touch – deal with these well in advance of the final whistle.   

Here are some examples of legal matters that should be on your dashboards game plan.

  • Many schemes are working with a trusted third party to tackle dashboards compliance without having agreed contractual terms as yet. It is advisable to allow time to understand and negotiate the terms of a commercial contract – involve your legal adviser at an early stage to ensure that the terms are acceptable and understood.
  • A data protection impact assessment (DPIA) should be carried out before connecting to the dashboards architecture. TPR states in its initial guidance that matching, combining or comparing data from multiple sources requires a DPIA to be produced or updated under the UK GDPR. Such an assessment is a key part of trustees’ risk management processes and audit trail. As part of this, trustees should test that the data matching criteria is set at an appropriate level for their scheme. If it is not, trustees risk returning pensions information to the wrong person, or not matching a high level of member records. The matching process should be interrogated – and if it needs improvement, trustees should try, try and try again, until they are satisfied. 
  • Do not let data privacy notices catch you offside. Most pension scheme data privacy notices were prepared in the rush to comply with GDPR in May 2018, well before the dashboards legislation landed in the Pension Schemes Act 2021. As such, trustees will need to update their privacy notices to include the potential sharing of member personal data with dashboard providers. (Privacy notices that have not been updated since GDPR day are in serious need of a refresh in any event.) In addition, if new service providers are given access to scheme personal data (or existing service providers expand the scope of their processing activities), then this should be recorded in data maps and service provider agreements will need to be reviewed.
  • Is there an obstruction ahead? If trustees believe that their scheme will have difficultly complying with dashboards requirements, they may consider applying for deferred connection before 9 August 2024. The DWP will only consider deferral applications in very limited circumstances. Trustees would need to provide evidence that, before 9 August 2023, the scheme had embarked on a programme to transfer the pension scheme data to a new administrator, and/or had entered into a contract containing an obligation to retender the administration. The timetable for the administration transition would need to be reasonable and conflict with the dashboards connection deadline of 31 October 2026, and the evidence would also need to show that compliance would be a disproportionate burden, or would put the personal data of members at risk. This is a high bar to jump over, but if trustees feel that their scheme satisfies these criteria, a prompt chat with a legal adviser should help to establish the grounds for the application.

Much like general code of practice compliance, dashboards compliance should be viewed as a team effort, including key advisers. Sidelining the legal adviser could lead to penalties, sin-binnings or sending-off offences.