Understanding our data protection impact assessment (DPIA)
The Pensions Dashboards Programme (PDP) has published its data protection impact assessment (DPIA).
This is an essential step in ensuring we uphold the highest standards of data protection, security and consumer trust throughout the development and delivery of the central digital architecture that makes pensions dashboards possible.
What a DPIA is
A DPIA is an important part of accountability obligations under the UK General Data Protection Regulation (GDPR). The process helps systematically identify risks arising from the processing of personal data and minimise these risks as far and as early as possible.
The complexity and scale of the pensions dashboards ecosystem is significant, involving the sharing of personal and financial information across multiple parties. As such, undertaking a DPIA is not just a legal requirement but a helpful way of assessing and demonstrating compliance with all data protection principles and obligations.
The Information Commissioner's Office (ICO) provides a detailed definition of a DPIA on its website.
What this DPIA covers
This DPIA concerns the processing of personal data by the Money and Pensions Service (MaPS) to deliver the central digital architecture (CDA) and related services that make pensions dashboards possible, and the connection of pension providers and schemes to it.
This assessment provides a comprehensive description of the processing of an individual's data within the central digital architecture. It defines all personal data processed within the CDA and by MaPS to provide its ecosystem functions.
This DPIA identifies how we are adhering to the UK GDPR data protection principles and clarifies how and where data will be processed. It also outlines how MaPS will ensure appropriate accountability and proportionality, and how the individual data subject's rights will be met.
It does not cover MaPS's other dashboard function, the provision of the MoneyHelper public service pensions dashboard, which will be covered in a separate DPIA.
Connected parties' DPIA responsibilities
It is important to stress that this DPIA does not cover the separate and equally important responsibilities of other parties connecting to the pensions dashboards ecosystem, such as pension providers and schemes and dashboard providers, who have their own obligations under UK data protection law.
All parties connecting to the dashboards ecosystem must carefully consider their own DPIA responsibilities.
This is particularly crucial given the scale of the processing involved in pensions dashboards, which is estimated to involve more than 16 million users in steady state.
Pension providers and schemes need to ensure they meet their data protection obligations to members as well as dashboards duties. This includes accurately matching members to their pensions, protecting members' data and not disclosing it to anyone other than the member, and ensuring accurate data is returned to members.
It is also important to be clear that pension providers and schemes are independent data controllers not only for the view data for their members, but for every find request they receive and must match against. Their DPIAs must reflect this large-scale processing they will undertake.
Consumer protection
Our DPIA is a cornerstone of our broader consumer protection approach towards delivering the digital architecture that will make pensions dashboards work. To protect consumers, MaPS follows the design principles set out by the Department for Work and Pensions:
- put the consumer at the heart of the process by giving people access to clear information online
- ensure a customer's data is secure and simple to understand (minimising the risks to the consumer and the potential for confusion)
- ensure that the consumer is always in control over who has access to their data
Consumer trust is essential if pensions dashboards are to be used confidently and effectively by the public. That trust will be built by ensuring users have control over their data, understand how it is used and feel reassured that their information is secure.
Publishing our DPIA reflects our commitment to transparency and accountability. It is part of our responsibility to consumers and the many stakeholders who are helping deliver pensions dashboards. We encourage all ecosystem participants to take a proactive approach to protecting consumers and their data by carefully considering their DPIA responsibilities and acting accordingly.
You can read the full DPIA on the PDP website: Data protection impact assessment | PDP central digital architecture and related services
Author: Pensions Dashboards Programme
Published: 24 June 2025