
New data protection complaint duties for UK pension trustees take effect from 19 June

Published on 9th April 2026

Trustees have a narrow window to put processes in place


At a glance

  • The change means trustees, not just the ICO, become a formal point of contact for data protection complaints with new procedural obligations to meet. 

  • Trustees will need to acknowledge complaints within 30 days and keep complainants informed throughout.

  • From setting up complaints channels to updating privacy notices, practical steps can be taken now.

From 19 June, a new right for individuals to make data protection complaints directly to pension scheme trustees comes into force, introduced by the Data (Use and Access) Act 2025. Trustees will need to provide a way for people to submit data protection complaints to them, acknowledge receipt of any complaint within 30 days, respond without undue delay and keep complainants updated.

The Information Commissioner's Office (ICO) has published final guidance offering a detailed explanation of the new data protection complaints requirements. This helps to confirm what trustees need to do before 19 June.

Know the rules

Trustees will need to familiarise themselves with the new requirements and identify who may be entitled to make a data protection complaint to them. This will not be limited to scheme members. Training may be helpful.

Set up a complaints channel

Trustees need to provide a means for people to submit a data protection complaint: for example, designating a dedicated email address for this purpose.

Trustees may leverage an existing complaints channel, but individuals cannot be compelled to use the allocated complaints channel, so it is important to understand how to recognise a data protection complaint.

Update privacy notices and DSAR template responses

Trustees are required to inform individuals of their right to complain, both to the trustees and to the ICO, at the point of collecting personal data and when responding to data subject access requests (DSARs).

Suitable wording will need to be agreed to add to privacy notices and standard DSAR responses. Trustees will also need to consider flagging the new right and linking to the updated privacy notice in their next scheme newsletter.

Draft a procedure

A short written procedure, perhaps added to the scheme's internal dispute resolution procedure and published on the scheme's website, will help trustees handle complaints consistently.

The ICO's guidance suggests that the procedure should cover a number of points including what evidence or supporting information might be needed to investigate complaints, what proof of ID will be accepted and what type of proof of authority will be accepted where someone complains on behalf of another.

Work with scheme administrators

The scheme administrator is one of the trustees' data processors. The ICO's guidance states that, where a processor is involved, there should be an agreement in place about how complaints are handled, whether they are sent to the trustees or the processor. The processor should help the trustees meet their obligations to investigate, forward complaints to the trustees and allow the trustees to obtain the information needed to handle a complaint.

In practice, this means trustees agreeing a clear procedure with their scheme administrator to ensure that data protection complaints are promptly identified, separated out where necessary, acknowledged and dealt with.

Relevant staff will also need to be trained and any dedicated inbox actively monitored.

Full records of complaints, acknowledgements, investigations, responses and the other matters listed in the ICO's guidance will need to be maintained.

Because the trustees are ultimately responsible for the handling of complaints, it will also be worth trustees reviewing whether amendments to administration agreements and service level agreements are needed to reflect these new requirements.

Osborne Clarke comment

Non-compliance with the complaints duties will be a breach of data protection law. Trustees may find it helpful to seek legal advice.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
