Agenda item

Breaches Log

The purpose of this report is to update the Pension Board on the Fund’s Breaches Policy, procedure for recording & reporting breaches, training carried out for Teams and breaches recorded in the last year.


The Governance & Risk Advisor introduced this report to the Board, a summary is set out below.


Regulatory breaches are breaches of the regulations or standards as set out in

the Administration Strategy and if Material need to be reported to the Pensions Regulator (TPR) as set out in the Breaches Policy. In addition to the requirement to report Material breaches to TPR, the Pensions Manager will formally report all breaches to the Avon Pension Fund Committee and the Pension Board on a quarterly basis.


5 Year Refund Cases


The 2013 LGPS regulations require schemes to pay a refund of contributions

within 5 years. Failure to complete payment is classified as a regulatory breach

and is required to be reported to the pensions committee and local pension

board. The National Technical Group has previously made a recommendation to the Scheme Advisory Board (SAB) to remove the requirements to pay a refund of contributions within five years under the 2013 regulations. The SAB have agreed to proceed with this regulatory change and are in the process of making recommendations to MHCLG.


A notifiable breach must be reported to the Information Commissioner’s Office

(ICO) within 72 hours after becoming aware of it. If it takes longer than this,

reasons for the delay must be provided.


All breaches must be reported to Banes Data Protection Officer (DPO) within 24 hours of the incident using the incident reporting template. The DPO will advise if the incident meets the criteria for reporting to the ICO and also makes

recommendations on future preventative actions.


Procedures are in place for staff to follow and regular training takes place to

ensure that everyone has a full understanding of data protection and the

reporting procedure for breaches.


Steve Harman commented that from looking at the Breaches Log it was hard to tell if these figures were good in comparison to other years or other Funds. He asked if in a future report this information could be included.


The Governance & Risk Advisor replied that the figures had been consistent across the last two years. She added that she would look to add the information requested into future reports.


The Chair asked if she could expand on the data breaches that occurred and the subsequent measures taken.


The Governance & Risk Advisor replied that only one incident had been reported to the Information Commissioner’s Office (ICO) in 2019 and that this had related to IConnect. She added that an employer had uploaded an extract and in doing so the first line of the address of 71 members had become incorrect.


She said that this incident led the Fund to set up the IConnect Team and the implementation of further controls.


She informed the Board that four incidents had been reported to Information

Governance in 2019. She explained that twice data was sent to an incorrect employer (Globalscape) and that twice data was sent to an incorrect member.


She said that a checking step had been added to the Globalscape procedure and that more training had been given to staff.


She informed the Board that three incidents had been reported to Information

Governance in 2020. She stated that 2 pensioner payslips were sent to the incorrect person via the Toplink – Print Service, 1 data set was sent via Secure Share to the wrong recipient and 1 member data set was sent to an old address.


She explained that a review of Toplink’s procedures has been carried out and that the machine that malfunctioned has been decommissioned. She added that training & education of staff members has been carried regarding the other two incidents.


The Chair commented that this was something the Board could look at when discussing the Digital Strategy in the early part of 2021.


The Board RESOLVED to note the report.

Supporting documents: