Data ownership and protection have been a hot topic for financial services providers over the past few years. This insight looks at how workplace pension providers approach the data they hold on schemes and members.

Financial services customers demand that their personal information be handled to the highest standards, and companies are starting to understand how much their assets are in danger if they cannot provide their customers with the reassurance that their data is secure.

The 2018 Data Protection Act brought the EU General Data Protection Regulation (GDPR) into UK law. Ever since, companies have had to be even more careful about what they do with the personal data of their customers.

Workplace pension providers are not immune to this rule and over the past two years some have had to tighten up how they hold and use scheme and member data to be sure they are fully GDPR compliant.

It comes as no great surprise that our data shows that all workplace pension providers take this matter very seriously and have annual procedures and testing in place to ensure an understanding of data protection rules. All providers also have a process to follow up this testing, although in the case of True Potential this is only followed up for some individuals.

At Aegon, all staff are required to evidence their understanding of data protection during half-yearly and annual performance reviews. There is an embedded awareness of risk at Aegon, and regular risk assessments are undertaken to identify and develop controls to prevent data protection breaches. Such risk assessments are required in response to legal, economic and regulatory changes and in line with the operational risk self-assessment process.

Royal London, Scottish Widows, Hargreaves Lansdown and Fidelity all have annual online e-tests that the employee must pass with a certain mark to avoid re-testing and possible follow-up action. For Scottish Widows, the mark needed to pass is 100%. This is monitored centrally by HR to ensure compliance across the group.

True Potential is the only provider that relies on written tests that require individual marking and assessment, rather than computer-based testing that gives an instant result. True Potential is also the only provider for whom the data held within their system is not covered by any standards or protection processes. All providers' standards are detailed in the table below.

Our data shows that ownership of scheme and member data varies by provider. For Aviva the ownership of the data lies solely with the client. For Legal & General the ownership lies with the system and/or software provider. The remainder of workplace pension providers share ownership with the client.

Despite the data ownership not always being with the client, our data shows that should an employer wish to transfer their scheme, or use an alternative AE solution provider, they can take all the accumulated data with them. There is no additional charge for any provider.

As a whole, our data shows that workplace pension providers have a firm grip on data protection and ownership. However, it shows up a couple of gaps for some providers where improvements could be made. It is also good to see that should an employer wish to move away from their current pension provider they can take all the accumulated scheme and employee data with them.