Date posted: 01/02/2008

Action: This Notice will be of particular interest to:

  • HR Managers and Payroll Managers

Action: To apply the guidance in this EPN to the movement of Civil Service pension scheme data

Timing: Immediate

  1. Data used for the administration of the Civil Service pension schemes is of a personal nature. Guidance is needed because it is sensitive data and, if lost, could be used to cause distress or damage.
  2. All employers should have systems in place for the secure handling of data. Guidance in this EPN concentrates on the security of pensions-related data in transit. The guidance is not intended to replace or conflict with recent employer guidance. Its purpose is to highlight some key areas of concern and to remind you of how you should assess the risk of loss, theft or misuse. For general guidance on security you should contact your Departmental Security Officer or the Cabinet Office’s Security Policy Division (0207 276 2529). If you have GSI access you can find out further information at
  3. We have issued guidance to APACs on secure handling of data in APAC letter 89. This EPN provides you with guidance as employers are the source of much data used for pensions administration.

Key principles

  1. Civil Service pension scheme data is personal data and should be treated as the equivalent of RESTRICTED, or a sub-division of RESTRICTED, under the Government Protective Marking System. As there is a difference between personal data which is sensitive and data that could be used to cause distress or damage, a new sub-division of the RESTRICTED category called PROTECT has been introduced. PROTECT applies to data which is sensitive but which does not require the same level of security as data which could be used to cause distress and damage; this remains RESTRICTED.

How to assess the risk of loss, theft or misuse

  1. You need to consider what the impact would be if the data were lost or stolen and misused. Personal data potentially has a great financial value and needs to be protected appropriately when it is sent to someone else.
  2. General information about an individual (such as their name and address) and summary financial details would, if lost and misused, cause inconvenience to an individual. This would come under the PROTECT sub-category. If additional detail was included that would enable identity theft or access to and misuse of bank accounts or credit records etc (date of birth, account numbers, place of birth, relationship details etc), the RESTRICTED category would apply. This is because of the greater impact: someone emptying the individual's bank account or obtaining credit in their name would cause distress beyond inconvenience.
  3. Where a significant quantity of data is collected together in one place (on a disc or in an envelope), the precautions needed for the collection as a whole may need to be higher than for the individual items. This reflects the impact should the whole collected data be lost or otherwise compromised. This also applies to smaller collections of different bits of data that together form a more complete picture – e.g. name and address in one set of information linked with bank details and place of birth in another. RESTRICTED would apply in these circumstances.

Specific guidelines

  1. Having assessed the risk, the next stage is to decide on the appropriate precautions in transmitting the data according to the medium being used. For RESTRICTED/PROTECT personal data the following guidelines apply:

(a) Paper: Normal letter post is generally acceptable for individual correspondence (such as benefits statements). If the personal data is particularly sensitive (as in personal files) then recorded delivery or a tracked courier service is appropriate. Royal Mail special delivery, TNT or DX tracked service can be used. Individual benefit statements or letters would come under the former; documents such as birth/marriage certificates under the latter. Paper documentation should also be appropriately logged and packed. Personal files, including referrals to the Scheme Medical Adviser, should be logged so that a record is kept and sent in secure double packaging, with both envelopes addressed and the security marking on the inner packaging. In all cases letters/packages should be sent to a named contact. For packages containing multiple data records you should tell the addressee when you have sent the package and ask them to confirm receipt.

(b) E-mail: Personal data should generally only be sent by email where it is being sent to a GSI email address. RESTRICTED data should not be sent to external email addresses. Data with a PROTECT category can be sent to an external email address but only where there is a clear understanding and acceptance of the risks involved. Where more sensitive or collected data is involved, it should be encrypted to an appropriate standard (see below) and password protected. Please see EPN202 for instructions about orders for Starter Packs.

(c) Portable media: Personal data should only be written to CD/floppy disk/USB stick if it is done in a secure centralised environment. The data should be encrypted to the AES 256-bit standard and protected by a complex password. The data should be transported by secure courier using a tracked service. This is the method by which you should send your payroll interface files to your APAC. We will monitor compliance through APACs. APACs will be told that if any employer does not comply with the guidance they should refuse to accept the file and report the breach to us. We will take up breaches with employers.

Regular monitoring and review

  1. We will regularly review the arrangements to ensure they remain appropriate to the perceived and actual threat. We will continue to review the data, its purpose and content to see if the threat of loss or misuse can be lessened. For example, we are reviewing the personal details form to see if all the personal data it contains is necessary. Also, for the first time this year, the pay advice sent annually by Capita Hartshead to pensioners only shows the last four digits of the bank account number.
  2. We will also be monitoring compliance by adding a specific item on data security to the agenda for our regular APAC management reviews and for our contract management meetings with Capita Hartshead and Capita Health Solutions. An item on data security will be added to the agenda for the next series of ESG meetings.


This document relates to EPN202.

01256 846414
Employer Helpdesk
Civil Service Pensions
Grosvenor House
Basing View
RG21 4HG

1 February 2008
Last updated: 24 April 2023