Key points
- Identify what types of member data you need to keep for your defined benefit (DB) scheme.
- Set up adequate internal controls that enable you to maintain accurate and up-to-date member data.
- If you’ve outsourced management of member data, check your scheme administrator’s internal controls and that you’ve covered data issues in the service level agreement.
- Carry out a data review exercise regularly and create a data improvement plan.
- Work with employers to ensure that they understand when they need to pass information to the scheme administrator.
Types of data to keep
You are legally required to keep certain types of information. You must keep records relating to:
- your meetings and decisions
- the date each member joined the scheme
- details of all contributions received
- all other payments to and from the scheme including, for example, benefit payments and payments to advisers or the employer
- details of transfers of members’ benefits and related assets to and from the scheme.
You should also hold certain types of member data that is common to all schemes. Common data consists of:
- National Insurance number
- surname and either forename or initials
- date of birth
- date pensionable service started, policy start date or first contribution date
- expected retirement/maturity date (target retirement age)
- membership status
- last status event
- address including postcode.
You’ll need to hold other types of detailed member data, but this is conditional on a number of factors. In a DB scheme, this may be conditional on scheme design, a member’s status in the scheme and events that have occurred during an individual’s membership of the scheme. You should pay particular attention to areas such as salary records, member options exercised and payments of benefits.
If you’ve outsourced the management of scheme data, you should discuss what conditional data you may need to hold with your administrators.
You must keep records for a minimum of six years. However, you’ll need to keep some records, including both common and conditional data, for a much longer period.
Measuring data quick guide (PDF, 418kb, 3 pages)
What data you need to measure in your scheme and how to do it.
Internal controls
You must have adequate internal controls that enable you to maintain accurate and up-to-date member data. You should ensure that your processes meet the requirements of the Data Protection Act 1998, which is due to be replaced by the General Data Protection Regulation (GDPR) on 25 May 2018.
If you’ve outsourced the management of scheme data, you should understand what controls your administrator is operating. Check that you’ve covered data issues in the service level agreement. For more information, go to working with advisers.
General Data Protection Regulation (GDPR) guide
New rules on data protection, known as the General Data Protection Regulation (GDPR), come into force on 25 May 2018. GDPR affects all organisations that hold personal data – including pension schemes.
The Pensions and Lifetime Savings Association (PLSA) has produced a GDPR made simple guide to help schemes understand the new rules.
Maintaining data
You should ensure a data review exercise is carried out at appropriate intervals, eg annually. You should also carry out a review when significant events occur, such as changing administrator or merging or winding up the scheme.
You should have a data improvement plan to address poor quality data. Download our guide to producing a data improvement plan.
Improving data quick guide (PDF, 45kb, 6 pages)
Helps you design an improvement plan, or assess the one you currently have in place.
Cyber security
Pension schemes hold large amounts of personal data and assets which can make them a target for fraudsters and criminals. As trustees and scheme managers, you need to take steps to protect your members and assets accordingly, which includes protecting them against the ‘cyber risk’.
You should take steps to build your cyber resilience – your ability to assess and minimise the risk of a cyber incident occurring, but also to recover when an incident takes place.
Cyber security guidance (PDF, 87kb, 12 pages)
Our cyber security guidance for trustees tells you what steps you should take to make sure your scheme and its data are secure.
Working with employers
You should take reasonable steps to ensure that member records are reconciled with information held by employers.
You should work with employers to ensure that they understand when they need to pass information to the scheme administrator. This includes key events such as when an employee:
- joins or leaves the scheme
- changes their rate of contribution
- changes their name, address or salary
- retires from work or dies.
If an employer fails to provide the required information, you should consider whether you need to report the breach to us. See code of practice 1: reporting breaches of the law.
Trustee toolkit online learning
Go to the Trustee toolkit. The ‘Running a scheme’ module contains a tutorial on ‘Scheme administration and member data’. You must log in or sign up to use the Trustee toolkit.
Record-keeping quick guide (PDF, 84kb, 4 pages)
Understand why scheme record-keeping is important and the steps you need to take to make sure your records are complete and accurate.
Guidance for DB scheme advisers on keeping records and managing data for your clients