Schemes administered by Capita

FOI reference - FOI-126
Original enquiry date - 22 June 2023
Appeal request date - 21 July 2023

Appeal request

Request

I'd like to appeal against the decision not to say how many customers are affected by this. 

If the total number of customers affected is provided and this is not broken down by firm/fund there would be no way of identifying individual companies or customers. Please can you provide the figure for the overall number of customers affected?

And then clarified as being:

'could you provide a total membership number for the schemes involved'

Response

I confirm that we hold information falling within the scope of your request. However, some of the information you have requested is exempt from disclosure.

We confirmed in our previous response the number of schemes we contacted, and for those schemes we have a total membership number of 5,140,293.

Methodology and caveats

The source for this data is TPR's records as of the 28 July 2023, based on the information received directly from the schemes in response to the mandatory Annual Scheme Return.

The figure does not represent a total of unique members, as individuals may be members of more than one scheme.

This figure represents the combined membership of the schemes we contacted. It does not represent the number of members that may have been impacted by the cyber incident.

In relation to the first part of your request, as I explained in my email, we hold this information because it was provided to us by Capita, and as such this means the information is restricted information. It is therefore exempt from disclosure for the reasons explained below.

As we have been given strong powers to demand documents and other information from trustees, employers and others, those powers are also balanced by restrictions on how we disclose the information provided to us.  The type of information you have requested would be ‘restricted information’.  Restricted information is defined at section 82(4) of the Pensions Act 2004 (PA04) as: 

‘…information obtained by the Regulator in the exercise of its functions which relates to the business or other affairs of any person’.   

Under section 82(5) of the PA04 it is a criminal offence to disclose such information except as permitted under that Act. 

Whilst the FoIA is based on the presumption of releasing information, section 44(1)(a) of the FoIA provides an absolute exemption to the requirement to disclose any information if its disclosure is prohibited by or under any enactment.  In this case, section 82 of the PA04 prohibits disclosure and we are unable to disclose the requested information.  This exemption is absolute and does not require a public interest assessment be undertaken.

Original enquiry

Request

The Pensions Regulator has written to 300 pension schemes to ask them whether they are affected by the Capita hack, which has resulted in customer data being leaked online.

I want to know how many pension schemes have responded to The Pensions Regulator, how many schemes have said they were affected by the hack and how many customers do those funds have?

Response

I confirm that we hold information falling within the scope of your request. However, some of the information you have requested is exempt from disclosure.

Information we are able to supply

Since first being notified about the incident, TPR has contacted 383 pension schemes which our records indicated are administered by Capita. This was initially an email communication to 324 scheme contacts on 20 April 2023, followed by communications to additional schemes. We received a response from every scheme included in our initial communications with the exception of a few schemes we subsequently identified as having been wound-up.

In response to our initial communication on 20 April 2023, and our follow-up emails on 3 May and 10 May 2023, there were 82 schemes which were able to confirm that their scheme member data was affected by the issue. At that time a number of schemes were waiting for Capita to complete its review to establish if they had been affected. We have maintained regular contact with Capita who have been able to provide a detailed breakdown of the schemes affected. The information we have received is legally restricted and would likely be exempt from disclosure under FoIA, as explained below.

Information we are not able to supply

In relation to the last part of your request, we are unable to provide details on the scheme sizes as this information could possibly identify individual schemes. Identifying scheme names and any firm associated with schemes is not permitted due to provisions set in the Pensions Act 2004 relating to restricted information.

As we have been given strong powers to demand documents and other information from trustees, employers and others, those powers are also balanced by restrictions on how we disclose the information provided to us.  The type of information you have requested would be ‘restricted information’.  Restricted information is defined at section 82(4) of the Pensions Act 2004 (PA04) as:

‘…information obtained by the Regulator in the exercise of its functions which relates to the business or other affairs of any person’. 

Under section 82(5) of the PA04 it is a criminal offence to disclose such information except as permitted under that Act.

Whilst the FoIA is based on the presumption of releasing information, section 44(1)(a) of the FoIA provides an absolute exemption to the requirement to disclose any information if its disclosure is prohibited by or under any enactment.  In this case, section 82 of the PA04 prohibits disclosure and we are unable to disclose the requested information. This exemption is absolute and does not require a public interest assessment be undertaken.