We’ve identified potential consumer harms that could arise in connection with using dashboards if we weren’t to put adequate mitigations in place. Those within PDP’s remit largely concern: the risks of personal data being misused, the risks of inappropriate entities gaining access to the ecosystem, and risks of information confusing consumers.
At a high level, the following will mitigate the potential harms:
- the ecosystem’s compliance with UK GDPR meaning there is minimal data sharing and persistence of data within the ecosystem
- strict ecosystem security and technical requirements, including identity verification and the operation of the governance register, which monitors all parties
- provision of design standards to ensure clarity of information for consumers
We have detailed below the work PDP is undertaking to deliver the required consumer protection.
The General Data Protection Regulation (GDPR) is an EU regulation established to protect the rights and freedoms of individuals in the EU with respect to their personal data. It defines who may process personal data, for what purposes, and for how long it may be retained.
The UK incorporated these protections into domestic law through the Data Protection Act 2018. When the UK left the EU, the regulation was retained and amended so that individuals in the UK keep the same protections; this retained version is referred to as the UK GDPR.
UK GDPR sets out seven principles that lie at the heart of the data protection regime:
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- accuracy
- storage limitation
- integrity and confidentiality (security)
- accountability
Dashboards will involve personal information being processed at scale. Therefore, PDP is creating the pensions dashboards ecosystem, standards and processes with these data protection principles at its heart. It will apply Data Protection by Design principles as an integral approach to all ecosystem design processes and components, including the central digital architecture, dashboards, and pension providers’ interfaces to the ecosystem. PDP will need to supply documentation of all ecosystem design processes to evidence compliance with all applicable data protection principles and data subjects’ rights.
UK GDPR protections for pensions dashboards users
The UK General Data Protection Regulation (UK GDPR) applies to the processing of personal data, including its transmission and storage. PDP has designed the consumer protections created by UK GDPR into the pensions dashboards ecosystem, so that dashboard users remain in control of their data and of how it is processed within the system.
UK GDPR refers to data subjects; in the context of pensions dashboards, data subjects are dashboard users.
The ecosystem is also entirely underpinned by UK GDPR: any organisation wishing to host a dashboard, or to participate in the ecosystem in any way, must adhere to this legislation and is subject to the ICO’s oversight. Any party found not to be meeting the requirements to protect individuals’ personal data is subject to enforcement action by the ICO.
We set out below how we are designing the pensions dashboards ecosystem to embody the seven principles that lie at the heart of data protection. The final form of the legislation and FCA’s rules will dictate how we firm up on these provisional positions.
Lawfulness, fairness and transparency
Pensions dashboards are founded on data subjects’ consent – PDP will develop a user-tested consent and privacy model with our digital architecture supplier.
The pensions dashboards ecosystem is based on the principle that consent must be sought, and that consent must be clear, granular, specific, time-bound and revocable, and must ask for no more processing of data than is strictly necessary to deliver the service.
In line with the Data Protection Act 2018, dashboard users will have control over who can access their information and will be able to review and revoke their consent at any time, by directly accessing the consent and authorisation service.
Dashboard users will also be able to delete all their personal information (PeIs, consent policies, tokens) from the pensions dashboards ecosystem.
Purpose limitation
Initial dashboards will be find and view only.
Personal identity data is only collected, generated and used within the pensions dashboards ecosystem for verifying data subjects’ identity and sharing with pension providers to find users’ pensions.
The digital architecture will not store this personal information. Pension providers will only have a lawful basis for processing personal data to undertake this matching, and they will not be permitted to hold on to, or use, the identity data of dashboard users for any other purpose, such as marketing.
Dashboards will enable users to access and view their pensions information. This data will only be available for temporary display purposes. Dashboards will not store the pensions information, except temporarily as a cache for user convenience and performance.
Data minimisation
The architecture will collect only the minimum personal data necessary to enable dashboard users to find and view their pensions information.
Personal identity data is only collected and generated to the extent needed to determine a unique match accurately, whether during identity verification or during the pension providers’ find processing (which matches dashboard users to any pensions they hold).
Accuracy
Users will enter their own details at the dashboard and the digital architecture. They will need to periodically confirm or update them.
Responsibility for the accuracy of dashboard users’ pension information rests with the pension providers; inaccuracy in pension data should be addressed by providers on request, outside of the scope of the ecosystem, as part of normal customer service obligations.
Storage limitation
Pension providers may only hold on to the find data sets they receive for as long as is required to execute the search and match process. If they do not identify a match, they must not retain this data.
Pension information will only ever be supplied directly to a dashboard by a data provider: no part of the pensions dashboards ecosystem will store pensions (view) data. The ecosystem will store user consents and the unique pension identifier (PeI) for the user to access that information.
Other than short-term caching at dashboards (ie allowing a user to see their information again) view data will persist in one place only: within the pension providers’ own systems, where it was originally located. Dashboards will not store the pensions information displayed; only the PeI.
Integrity and confidentiality (security)
The identity service will ensure that only appropriately identity-assured users will be able to use dashboards.
The pensions dashboards ecosystem has no central database, as there is no need for this in order to find pensions and view their values, and for reasons of security, privacy, and compliance with the UK GDPR.
Ecosystem participants involved in the transmission of data (pension providers, dashboard providers, and the central digital architecture suppliers) will have to comply with technical and security standards in order to connect to the ecosystem and interoperate with its components. This will include encryption of all data within the ecosystem.
The governance register will restrict access to the architecture to a directory of regulated entities, which will all need to meet the required security and technical standards and specifications.
The digital architecture will similarly ensure that dashboards users are only able to grant delegated access to their pensions information to legitimate delegates (currently envisaged to be FCA-authorised financial advisers or MaPS pensions guidance specialists). Although the detail involved in the delegate process is being developed, the governance register will contain a directory of all the delegates allowed access to the ecosystem, and the identity service will ensure that only appropriately identity-assured delegates will be able to use ecosystem services.
Data within the ecosystem (identity data, access control information, pension details, associated identifiers and tokens) will be protected from modification in or by the ecosystem.
The ecosystem is based on user-managed consent processes and the systematic enforcement of user verification/authentication and data access authorisation. The architecture is built on trusted and complementary open security standards: User-Managed Access (UMA); OAuth 2.0, the industry standard protocol for authorisation; and OpenID Connect (OIDC), an identity layer on top of OAuth 2.0 that allows users to sign in to an application securely.
Accountability
The accountability principle requires monitoring and demonstration that processing is done in compliance with UK GDPR. The ecosystem’s governance framework will ensure transparency of all activity within the ecosystem and ensure implementation of appropriate technical and organisational measures. MaPS (PDP) is responsible for the central digital architecture and for overseeing how well the suppliers we are contracting to deliver it are performing. The governance register will provide assurance that the different elements of the ecosystem operate correctly and securely, and enable compliance and monitoring of the system as a whole.
Data protection impact assessment (DPIA) to clarify roles and responsibilities
PDP is developing a DPIA for the ecosystem, focusing primarily on the processing of data within the digital architecture.
We are working towards publishing a DPIA in 2022. We will also develop guidance (with partners) in due course for pension and dashboards providers around UK GDPR and pensions dashboards, to inform their own DPIAs and to help to clarify roles and responsibilities with regard to data protection.
Ecosystem governance to exclude rogue operators and ensure correct behaviour by all ecosystem participants
Only FCA- and TPR-regulated pension providers (or their subcontracted third parties), FCA-regulated financial advisers, FCA-regulated dashboard providers, plus MaPS, will be able to connect to the ecosystem. The pensions dashboards ecosystem design takes every opportunity to protect consumers and their data. There will be a strict governance system for data providers and dashboard providers. Before accessing the ecosystem, all participants will have had their credentials checked by the appropriate body.
There will be regular reporting to the regulators on all ecosystem participants, plus additional notification if we see any behaviour that doesn’t match up to the required standards. This is being developed.
Before the ecosystem uses live data, it will go through a rigorous testing cycle to minimise the risk of errors. We will scale up this process, during our testing phases with early volunteer providers, to refine all the processes before pensions dashboards are available to the public.
Technical and security standards to protect users’ data
PDP will create a set of technical and security standards around the pensions dashboards ecosystem, which will govern how data securely moves through the system.
In order to protect users’ data from external threats, PDP will apply best practice security standards as recommended by the National Cyber Security Centre. The technology we build will be tested for its ability to protect itself from cyber attack. In addition there will be:
- a security operations centre to monitor for, and respond to, cyber attack
- strict protocols for information sharing
Design standards to ensure clear presentation of information
Dashboard providers will need to follow the PDP’s design standards. These will be developed with input from user research and prototype testing to ensure that users have the best end to end journey possible, with pensions information being presented in a clear, comprehensible manner to reduce harmful decision making.
Ensuring that dashboards are efficient, effective and enjoyable to use means that they will meet user needs and that users will return to the service. We want accessible and inclusive dashboards, so that all users have the same access to the service.
PDP is carrying out ongoing user testing across a range of measures. The findings from discovery research and user testing will inform the design standards. PDP will create a prototype front-end dashboard, so users can see how information may be displayed and how to access help or make a complaint. We will test iterations of the prototype until we have met the user needs.
The design standards will support users, ensuring that they understand messaging (including error messaging), guidance towards further advice or other onward journeys and any navigational prompts at a time that’s most helpful to them. They will not include the consents process as this will be developed by the supplier. However, the way that the dashboards display the consents will be included in the design standards.
Identity service to ensure data is released to the right individual
PDP will procure an identity service, which will verify that users really are who they say they are.
Verifying a user’s identity is a standard process to ensure that potentially sensitive personal information is released only to the correct individual. It gives users confidence that only verified individuals can access pensions data, and protects consumers from its theft.
PDP will use a centralised identity service, to ensure that a dashboard user’s identity will be verified to an appropriate level based on the information that is being shared and in a standard way, in accordance with the principles defined in the Government Digital Service’s Good Practice Guide 44 and Good Practice Guide 45.
Our identity service webpages provide more information on how this will work.
Clarifying how consumers can access redress when needed
PDP will charge its supplier with creating a complaints navigation procedure for the digital architecture, to provide a triage service to help consumers understand where to go if things go wrong and their available routes to redress.
We will also create a means for consumers to complain about inadequate service from the digital architecture itself, which could lead to consumer awards for distress, inconvenience or financial loss.