UK - The Information Commissioner's Office has ruled Verity Trustees, the independent trustees for The Pensions Trust, breached the Data Protection Act when unencrypted personal data of 110,000 scheme members was stolen from its software provider.
The laptop, which was stolen from NorthgateArinso's offices in May, contained in the names, addresses, dates of birth, salaries and national insurance numbers of around 110,000 people - as well as the bank details of around 18,000 pensioners. (Global Pensions; May 29, 2009)
NorthgateArinso is the sole supplier of the trustees' computerised pension administration systems.
The ICO said the data was downloaded for training purposes in breach of the company's policy of only using an anonymous data sample for 50 to 100 pension scheme members.
Verity Trustees has now signed a formal undertaking to ensure personal data is processed in line with the Data Protection Act. The firm will also make sure portable and mobile devices used to store and transmit personal data are encrypted.
The ICO said it will also have adequate written contracts, including data security obligations, put in place with data processors.
ICO assistant information commissioner Mick Gorrill said: "This is a stark reminder of how easy it can be to put so many people's details at risk."
He said it is "encouraging" to see the trustees have taken remedial steps, including the engagement of a fraud protection service provider to protect the affected individuals.
The ICO has also produced the Guide to Data Protection, providing practical advice about the Data Protection Act. It said the guide will help organisations safeguard personal data and comply with the law.
It said sometimes organisations misinterpret the Act, or hide behind it, while conceding misunderstandings do occur.
Information Commissioner Christopher Graham said: "The Data Protection Act provides us all with important privacy rights and the vast majority of businesses and organisations understand their legal obligations to protect our personal details."
Yet he said there are still too many organisations "playing fast and loose" with personal data.
He added: "Security breaches, inaccurate records and instances of data being held for too long are common. This new guide will help organisations comply with the law and demystify data protection."
The Pensions and Lifetime Savings Association (PLSA) is in the process of convening an industry-wide group to take forward the work of the Institutional Disclosure Working Group (IDWG).
The Transfers and Re-registration Industry Group (TRIG) has given its support to an initiative which aims to complete occupational pension transfers within three weeks.
Scottish Widows has completed a bulk annuity deal for the Hitachi UK Limited Pension Scheme.