On 19 June 2026, trustees of pension schemes will be subject to the new requirement for data controllers to put in place a data protection complaints process.

Published: 6 March 2026
Authors: Suzanne Burrell & Rhiannon Barnsley-Bloomfield

From 19 June 2026, trustees of pension schemes will be subject to the new requirement for data controllers to have a data protection complaints process in place. The Information Commissioner’s Office (ICO) has published new guidance to help data controllers get ready for the changes and set out what represents “good practice”. It is important that trustees are aware of the new requirements so they can make the necessary preparations before 19 June 2026.

The Data (Use and Access) Act 2025 requires data controllers to put in place a complaints-handling process so that data subjects can lodge complaints directly with data controllers if they consider that their data protection rights have been infringed.

In a pension scheme, the trustees of the scheme are data controllers for the purposes of data protection legislation as they determine the purposes and means by which personal data is processed. The data subjects (the people that can bring a complaint) include current and former members, beneficiaries and potential beneficiaries and ex-spouses of members.

Is a written process required?

Trustees need to have a process in place for potential complainants to submit data protection complaints to them, however, the guidance is clear that a written complaints process is not necessary. The ICO changed their recommendation on this point following responses to its consultation on the draft guidance. The trustees have scope as to the method they provide for complaints but options include making the complaints process part of the scheme’s internal dispute resolution procedure (IDRP) or providing a complaint form that can be submitted electronically. It is important to note that members may make a complaint outside of the designated process and trustees must still accept it.

Trustees need to inform data subjects that they can make a complaint (i) at the point personal data is collected and (ii) when responding to a subject access request. Trustees may choose to include a reference to the complaints process in their privacy notice to meet this obligation.

What happens once a complaint is received?

Once a complaint has been received, trustees must acknowledge receipt of the complaint within 30 days. It is up to the trustees how this is done, although the guidance suggests that following the method used by the complainant is likely to be the most practical solution. If the trustees use a dedicated email address for complaints, an auto-acknowledgement email would be sufficient.

Trustees must make enquiries into the complaint without undue delay. The time taken to investigate will depend on the complexity and scale of the issue but trustees must make an appropriate level of enquiries based on the circumstances of each complaint. Trustees must keep complainants updated on the progress of the complaint without undue delay.

If the investigation into the complaint is likely to take some time, trustees must follow up on the initial response so that the complainant knows the trustees are working to resolve the issue.

Trustees should keep a record of all complaints and the investigation.

How should trustees respond?

Once the investigation is complete, trustees must let the complainant know the outcome without an unjustifiable or excessive delay. How this is done is up to the trustees, but the response should clearly explain what has been done to resolve the complaint and, if applicable, any actions taken.

Following this, the trustees should review what happened and consider if there is anything to be learnt which may prevent future complaints.

Key takeaways

Trustees should ensure they are aware of the new requirements coming into force on 19 June 2026 and implement a procedure for data subjects to submit complaints. Trustees should consider whether a data protection complaints policy would be helpful to ensure obligations and timeframes are met. Trustees should also consider revising their privacy notice to ensure members are made aware of the complaints process.

For further information on the other requirements brought into force by the Data (Use and Access) Act 2025, please see this article.