Consent has been making the news a lot recently, mostly for the right reasons. However, when talking about GDPR, there does still appear to be a lot of confusion around when consent is needed and what it can be used for. So, when is consent needed and why?
Data protection rules require people who control data to have a basis for controlling or processing an individual's data (a processing basis). Under current data protection rules, there are seven bases, one of which is consent, which can be implicit. This means that, as long as there is active communication, no action is needed by the individual to signify consent. For pension schemes, this typically means the member accepting membership of the scheme; other examples of implicit consent include pre-filled checkboxes. However, GDPR removes implicit consent as a processing basis; instead, consent must be explicit. An individual must, therefore, consent to someone processing their personal data before their data can be used.
Does this mean that pension schemes need to contact all their members, deferred members, pensioners and dependants to obtain their consent to process their data? Using consent as a processing basis grants the individual a lot more rights over their data and is not recommended by most commentators for pensions administration. In fact, the GDPR offers eight processing bases, any of which can be used by data controllers and processors as a legal means for processing data:
Pension schemes should consult with their lawyers but, from the list above, there are options that avoid the need for capturing members' consent for everyday business. The Local Government Association (LGA) has obtained a legal opinion for local authority funds that recommends they use legal obligation. See http://lgpslibrary.org/assets/opinions/201710GDPR.pdf. For trust-based schemes, contract with the scheme sponsor may be an option, though trustees should seek a formal legal opinion.
The one area where consent will be needed is when a scheme allows members access to their data online. As data controllers, scheme administrators need to have a processing basis to share a member's data with anyone, including the member; failure to have a basis could be interpreted as a data breach. From the above list, the most obvious basis for allowing members to access their data online is consent. Member Self-Service (MSS) access could also be handled as Subject Access Requests, but this would carry its own administrative overheads.
We are already seeing a number of websites being updated to capture this consent. With the next release of our products, Aquila Heywood will also have functionality for their customers to capture member consent.