Teachers’ Pensions run the public sector pension scheme for teachers nationwide, responsible for the pensions of retired teachers. In recent times, it has come under fire for its management of personal data. The scheme, currently run by private firm Capita, is due to transfer to Tata Consultancy Services this October. A recent case involving retired teacher LS sheds light on what might be serious gaps in the system’s procedures. It raises serious privacy issues.
Each year, Teachers’ Pensions post out hundreds of thousands of statements to retired teachers across the UK. These letters threaten that pension payments will be terminated if the teachers don’t verify their status hasn’t changed. These reminder letters are automatically produced based on matches against the state register of deaths. The Department for Education (DfE) confirms that the matching process does not require a full match of all details. That is, differences in name, address, or date of birth will not stop the application.
This should not happen If nothing else, the DfE has accepted that a match on the death register can continue forever if no exact matching details are provided. In LS’s case, unlike that of all too many others, paperwork is already in place to right that wrong. Once LS receives financial advice and confirms her options, her retirement calculation will be finalized and backdated within 10 working days.
The Information Commissioner’s Office (ICO) has raised alarms. They fear a possible violation of the General Data Protection Regulation (GDPR). In its advice, the ICO told the DfE that continuing to chase an individual using incorrect information would likely breach GDPR.
"Continuing to chase an individual based on details they have confirmed are inaccurate may be a breach of the General Data Protection Regulation (GDPR)," stated the ICO.
Despite these concerns, the DfE has ignored the ICO’s advice and continues to not un-link pensioners from erroneous data matches. The department claims that this type of process would be more time consuming and costly. Following outcry over previous like cases, the DfE pledged to review its process. Yet this review has never materialised.
Neither Teachers’ Pensions nor the DfE have yet acknowledged our report of the potential GDPR breach. For one, they’ve been directed to carry out a Title VI investigation. This unfortunate incident raises important questions regarding the privacy and stewardship of personal data. It is a call to action—it tells us we must challenge what we are doing today.
"Organisations have a responsibility under the law to ensure the personal information they hold on an individual is accurate and up to date. If an organisation becomes aware that information is incorrect, it should take all reasonable steps to correct it," emphasized a spokesperson.