Surrendering Privacy for Employment Benefits

On Tuesday, I attended the International Pension & Employee Benefits Lawyers Association conference in Brussels to talk about whether privacy concerns are getting in the way of delivering benefits (such as pensions) to employees. I was joined by counterparts from the USA and Canada in a lively panel discussion.

My view is that privacy concerns don't get in the way of delivering benefits in the UK. However, they place hurdles that need to be considered by benefit providers to ensure data protection obligations are met.

The key risk areas that need to be given careful consideration can be grouped into three topics: (a) using sensitive personal data; (b) outsourcing; and (c) transferring data outside Europe.

Sensitive Personal Data

The DPA imposes far higher standards when using sensitive personal data (such as medical, racial and ethnic information). The regime prescribes the grounds upon which you can use sensitive personal data - if they aren't met then the data can't be used.

Grounds which are commonly used in delivery of benefits are securing the explicit consent of the individual who is getting the benefit or the requirement to comply with a legal obligation.

It's also important to flag that security breaches where sensitive personal information has been lost or misused have resulted in the highest fines to date.


Outsourcing

Often services are delivered by third parties on behalf of a benefit provider. It's a legal requirement that the service provider undertaking data processing has entered into a written contract setting out security obligations. It's also important that the benefit provider has various rights of audit.

It should be noted that the benefit provider is on the hook for data protection liability if the processor of services breaches the regime, so a written contract is key to managing risk here.

International Transfers

Outsourcing may result in services being undertaken outside Europe. This needs to be carefully managed because personal data can't be transferred outside Europe unless there’s adequate protection in place for the use of personal data. This always feels odd when cast against the global nature of business, but it's the law and needs to be considered for each transfer.

Fear not! The authorities have given a range of options to deal with this including, but not limited to, additional non-European countries having approval to receive data, consent of the individual concerned and making an assessment of adequacy. There are a lot more options here but that's beyond the scope of this note.

Yes, there are hurdles to overcome... and these hurdles may feel like the start of training for an Olympic sport in some difficult cases, but thinking about them early on can help deliver benefits effectively and efficiently.

Ross McKenzie