A data breach involving the Hounslow Council Pension Fund was reported at a recent Pension Board meeting, highlighting the importance of data protection and governance within the fund's operations.
The breach, detailed in the Pension Board Monitoring Report, involved a letter containing personal data being incorrectly sent to the wrong address, affecting one individual. According to the report, the letter was opened, prompting immediate action from the council's Information Governance team.
The breach has been reported to the Council's Information Governance team and the follow up queries have now all been resolved,
the report stated. The incident is now listed on the Breach Register 25.26 v2.
In response to the incident, West Yorkshire Pension Fund (WYPF), which administers the Hounslow pension scheme, has implemented a new process to prevent future occurrences. The letter in question was produced by a team not normally involved in direct correspondence with individuals. According to the Breach Register 25.26 v2, this error has led to a new process being put in place to avoid future occurrences, although specific details of training or oversight weren't provided in the meeting information.
This data breach was one of two new entries on the breach register. The other related to the omission of McCloud remedy data on annual benefit statements, affecting a limited number of scheme members, though a much smaller number will actually be affected by this. The McCloud remedy addresses age discrimination found in the 2015 public service pension scheme reforms. To address this omission, a disclaimer has been included on the statements, and supporting information is available on the WYPF website. Furthermore, the actuary has been formally advised that the underpin data will not be included in the valuation submission.
While the breach regarding the letter sent to the wrong address was reported to the council's Information Governance team, the meeting information does not specify whether the Information Commissioner's Office (ICO) was notified or what their response was. The decision was made not to report the McCloud remedy data omission to the Pensions Regulator.
The incident underscores the critical importance of robust data handling procedures and vigilance in safeguarding sensitive information within the pension fund.
