First: apologies to Shakespeare for the dreadful pun. Then again, Hamlet definitely had concerns other than personal data – or pensions dashboards – on his troubled mind.
This week marks the connection date for the largest schemes, and with the pension dashboard connection dates coming thick and fast from here on in, some pension scheme trustees have been asking whether they need to carry out a data protection impact assessment (DPIA) in advance of their connection date. Mandatory compliance with a (near) universal legal obligation to connect pension scheme data to the dashboards ecosystem feels much lower risk than, say, a whizzy new advertising technology, social media tools targeting children or teens, or AI-driven tracking or profiling.
However, in the absence of a clear statement from the Information Commissioner’s Office (ICO), should pension scheme trustees nevertheless carry out a DPIA in respect of connecting and providing information to the dashboards ecosystem? The answer depends on trustees’ assessment of the legal test, as well as their attitude to risk.
What is the legal test?
Some types of processing always require a DPIA. These are: “systematic and extensive profiling with significant effects”, “large scale use of sensitive data”, or “public monitoring”. Connecting to the dashboard and providing personal data to it will not fall in these categories. DPIAs are also required in other circumstances, the legal test here being “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons” (Art.35 UK GDPR).
To assess whether something is “high risk”, the UK GDPR requires consideration of both the likelihood and severity of any potential harm to individuals. “Risk” implies a more than remote chance of some harm. “High risk” implies a higher threshold, either because the harm is more likely, or because the potential harm is more severe, or a combination of the two. Assessing the likelihood of risk in that sense is part of the job of a DPIA. However, the question for these initial screening purposes is whether the processing is of a type likely to result in a high risk. If “yes”, then a DPIA is required.
Both the Article 29 Working Party of EU data protection authorities (now known as the European Data Protection Board) and the ICO in its DPIA guidance have set out criteria which might indicate likely high risk processing – noting on the one hand that, in most cases, a combination of two of these factors indicates the need for a DPIA (but on the other hand that this is not a strict rule). Many of these criteria are, again, clearly not relevant to pensions dashboards (for example, tracking a person’s location or behaviour, automated decision-making with legal or similar significant effect, the processing of biometric or genetic data, or the targeting of children or other vulnerable individuals). However, some may well apply (most obviously, for example, “data processed on a large scale” and “matching or combining datasets”). The ICO is also clear in its data sharing code of practice that it considers it good practice to carry out a DPIA before any major project which requires the processing of personal data, even if there’s no specific indicator of likely high risk.
What should trustees do?
The reason trustees are asking us the question is that the ICO hasn’t expressed a specific view on trustees’ duties re DPIAs in respect of pension dashboards. TPR’s initial guidance on whether a DPIA must be produced for dashboard connection is also not particularly definitive. It states “Matching, combining or comparing data from multiple sources requires a Data Protection Impact Assessment (DPIA) under UK General Data Protection Regulation (GDPR), so you may need to produce one. If you already have a DPIA, you may need to update this”. Moreover, the drafting of Article 35 does allow for some discretion and account to be taken of the nature, scope and purposes of the processing.
Trustees may question the benefits and likely outcome of completing a DPIA – given that dashboard connection is mandatory, you can’t refuse to connect. The only choice lies in setting the matching criteria in such a way as to ensure that accurate matches are made. Completing a DPIA could lead to a scheme setting matching criteria more rigorously as a mechanism for addressing the risk identified. The other main benefit of completing a DPIA is to ensure that the trustees’ third-party administrator (and integrated service provider if using one) have put in place appropriate security measures and are lined up to review those from time to time.
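The point about matching criteria is easiest to see with data. The block below is an added illustration and is not code from the original post, from the Pensions Dashboards Programme or from any scheme administrator; the record fields (surname, date of birth, NI number, postcode), the member records and the two criteria sets are all constructed for the example and are not the dashboards’ actual matching rules. It shows why a loose criteria set is a data protection risk a DPIA would flag: two different members who happen to share a surname and date of birth cannot be told apart, whereas a stricter set either identifies one member or returns nothing.

```python
"""Illustration of how the choice of matching criteria affects the risk of a
wrong or ambiguous match when a scheme compares an incoming find request
against its own member records. Everything here is constructed for the
example: the field names, the records and the criteria sets are assumptions,
not the dashboards ecosystem's real matching rules."""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class MemberRecord:
    member_id: str
    surname: str
    date_of_birth: date
    ni_number: str
    postcode: str


def normalise(value) -> str:
    """Canonicalise a field so that case, spaces and punctuation do not defeat
    an otherwise correct comparison. Dates are compared as ISO strings."""
    if isinstance(value, date):
        return value.isoformat()
    return re.sub(r"[^A-Z0-9]", "", str(value).upper())


# Constructed scheme records. M001 and M002 are different people who share a
# surname and a date of birth, which is exactly the case loose criteria get wrong.
SCHEME_RECORDS = [
    MemberRecord("M001", "Smith", date(1970, 5, 14), "QQ123456A", "SW1A 1AA"),
    MemberRecord("M002", "Smith", date(1970, 5, 14), "QQ654321B", "M1 1AE"),
    MemberRecord("M003", "Jones", date(1985, 11, 2), "QQ111111C", "EH1 1YZ"),
]

# Two assumed criteria sets: every listed field must agree for a record to match.
MATCH_CRITERIA = {
    "loose": ("surname", "date_of_birth"),
    "strict": ("surname", "date_of_birth", "ni_number", "postcode"),
}

# A constructed find request for the person behind M001, deliberately typed
# with inconsistent case and spacing to show that normalisation still matches.
SAMPLE_REQUEST = {
    "surname": "smith",
    "date_of_birth": date(1970, 5, 14),
    "ni_number": "qq 12 34 56 a",
    "postcode": "sw1a1aa",
}


def find_matches(request: dict, criteria: tuple) -> list:
    """Return every scheme record that agrees with the request on all criteria fields."""
    return [
        rec for rec in SCHEME_RECORDS
        if all(normalise(request[field]) == normalise(getattr(rec, field))
               for field in criteria)
    ]


def match_outcome(request: dict, criteria_name: str) -> str:
    """Classify the result: exactly one record is a usable match; several records
    is an ambiguous result that must not be released as a match; none is no match."""
    hits = find_matches(request, MATCH_CRITERIA[criteria_name])
    if len(hits) == 1:
        return "match"
    if not hits:
        return "no_match"
    return "ambiguous"


if __name__ == "__main__":
    for name in MATCH_CRITERIA:
        ids = [r.member_id for r in find_matches(SAMPLE_REQUEST, MATCH_CRITERIA[name])]
        print(f"{name}: {match_outcome(SAMPLE_REQUEST, name)} {ids}")
```

Run as written, the loose criteria return both Smith records for the same request, so the scheme cannot safely say which member the request relates to, while the strict criteria return only M001. The design choice a DPIA records is that ambiguity is treated as a reason to withhold rather than to guess: the outcome function never picks one of several hits.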
If you step back and think about the purpose of a DPIA – ultimately a risk management tool – preparing a DPIA is a useful and prudent opportunity for trustees to ensure they are assessing what they are doing with data, which data, how they are doing it and, crucially, to identify possible risks and how to mitigate those. After all, one sea change underlying the GDPR is “data protection by design and default” i.e. thinking about the principles of data protection, assessing compliance and risk, and incorporating those principles into your processing from the outset.
Deciding whether or not to produce a DPIA is ultimately also a question of the trustees’ approach to risk management. Given that dashboards necessarily involve data matching from different sources (as a minimum, the scheme is matching the data from the finder service with the data it holds) and data processed on a large scale, it’s hard to see that there is any doubt that the ICO would say that the requirement for a DPIA is triggered, based on what its guidance says in relation to matching or combining datasets and the presence of two or more factors. And when it comes to data protection, the domain regulator for the trustees in their capacity as data controllers is the ICO rather than (or at least in addition to) TPR.
Trustees who decide not to carry out a DPIA would be doing so on the basis that they have considered the legal test and concluded that, for their scheme, one is not required. They may also be taking into account that the ICO hasn’t specifically stated that one is required in relation to dashboard connection, and they may consider that the risk of a data breach in relation to dashboards is low, that an ICO investigation is unlikely and that the risk of a fine is lower still, given that the ICO’s current enforcement approach is to focus on severe harms (e.g. in relation to sensitive data). Trustees who take this approach should document their reasons, not least because, under the GDPR, “accountability” is key.
Trustees should note that generally, the view from data privacy lawyers is that trustees should prepare one. Certainly, it would be best practice to do so and the ICO has recently demonstrated it will consider enforcement action in relation to DPIAs (see below). Given that it is the trustees that ‘own’ and are responsible for the content of a DPIA, where one is prepared, trustees should seek legal advice to ensure it is suitably robust. The Pensions Dashboards Programme will be preparing a DPIA in relation to MaPS’ processing of personal data and trustees may be able to take into account some of that content once published when preparing a DPIA for their own scheme.
Some post-scripts
As part of their dashboards GDPR compliance trustees should also check (i) whether their privacy notices need updating for connecting to the dashboards, and (ii) whether their records of processing activities (data mapping, data flows etc.) need to be updated.
Any readers wishing to see a worked example of how the ICO assesses compliance with its guidance on DPIAs – albeit in a very different context – may wish to read this post from our data privacy blog, the Lens. Although the context differs, it makes for helpful reading, particularly in relation to assessing high-risk processing.