Retirement data plays a pivotal role in shaping individuals’ financial well-being and has far-reaching economic implications. This data empowers individuals to make informed decisions about their financial future by capturing and analyzing retirement savings, investments, and planning. Data privacy has become a significant concern for individuals, businesses, and governments in today’s digitally-driven world.
DCIIA and RRC have teamed up to highlight this pressing issue in “Understanding Data Privacy across Defined Contribution Investments.”
This blog aims to provide an overview of the report, highlighting its key findings, insights, and implications for data privacy in the modern age.
The DCIIA-RRC SPARK report dives deep into the multifaceted aspects of data privacy, exploring various dimensions such as regulations, industry practices, consumer perspectives, and technological advancements. They desire limited distribution of “added” details, similar to lending, with clear definitions and restrictions.
Here are the key findings across Participant Focus Groups, Plan Sponsors, and Record keepers:
| Participant focus groups | Plan Sponsors | Record Keepers |
| Data privacy support is sought from employers across generations. | Data privacy and sharing have become a growing focus, with many plan sponsors limiting data access and reviewing contracts. | Plan sponsors/employers need to protect and control participant data. |
| While willing to share their data, they want more transparency on its usage and more control over third-party access. | Plan sponsors manage and protect it on their behalf (not the employer). | Due to the recordkeeping contract with the employer, recordkeepers believe the employer controls participant data, not the plan sponsor. |
| Trust in data privacy largely stems from brand strength. | Despite needing to understand ERISA’s implications fully, many plan sponsors consider data an asset. | Recordkeepers recognize the nuances of data elements and the varying sources of data. |
| Participants are willing to share data for a clear purpose if they see its value. | Data sharing is treated as lending, with data sent to the recipient. When the relationship ends, the shared data should be terminated. | They see themselves playing a custodial role but are aware of associated risks. |
| They desire limited distribution of “added” details, similar to lending, with clear definitions and restrictions. | Smaller plans may have a less clear distinction between the employer and plan sponsor. | Data sharing/access is guided strictly by plan sponsor/employer’s direction. |
Increasing Awareness and Priority
Across all defined contribution (DC) sectors, data privacy and sharing have gained significant attention, so policies have been formalized as a result.
- Employers, especially large plan sponsors, have prioritized cybersecurity, data privacy, and litigation concerns by investing time in establishing robust processes and contracts.
- Recordkeepers have also tightened guidelines for data sharing internally and externally, driven by legal actions and state regulations.
The increased focus on data privacy has created hurdles and resistance to data sharing, requiring explicit purposes, benefits, and critical business needs for sharing data.
The “Grey Zone” of data
Defining data access, control, and ownership becomes complex due to unclear distinctions and blurred data sources.
- The involvement of various entities such as payroll, the plan, recordkeepers, and employers further complicates the issue.
- The complexity increases when financial wellness providers are connected to the equation.
- Differentiating between housing the data and accessing/utilizing it is essential.
- The value of data lies in its usage, requiring parties to understand how data will be used and the benefits it will provide to specific individuals or entities.
Control, not ownership
A consensus exists among all parties that the participant retains ownership of their personal data.
The plan participants themselves firmly hold this viewpoint.
Within the DC system, there is a recognition among all stakeholders of the distinction between ownership and access/control.
- Participants are unable to remove their data, whether personal or collectively gathered, from mandatory plan obligations such as nondiscrimination testing or plan performance reviews.
- Employers concur that participants cannot selectively revoke permissions for custodial obligations, as data protection extends beyond normal plan operations.
The parties in general agree that the employer or plan sponsor is responsible for protecting and controlling participant data.
While not possessing ownership, the employer/plan sponsor has an implicit contractual obligation to safeguard the data.
This consensus highlights the significance of data protection and control within the DC system. Data privacy and security are shared responsibilities among employers, plan sponsors, and recordkeepers.
Financial wellness solutions: A Third layer
DC plans are becoming a nexus in financial wellness, and the adoption of new tools and features will continue.
- Employee support and guidance are crucial for helping them make informed financial decisions.
- Participants are hesitant to grant their employers access to their broad financial information.
- Employers often view financial wellness solutions as separate add-on features employees can opt into.
The DCIIA-RRC’s SPARK report serves as a comprehensive resource for understanding the complexities of data privacy in today’s interconnected world. The report highlights key findings and underscores the importance of compliance, consumer empowerment, education, and collaboration to tackle data privacy challenges.
