Scheme websites – are you asking the right legal questions?



As life moves increasingly online, many trustees will be looking to set up or develop their scheme website. Communications specialists will clearly take the lead on a website project, but there are good reasons why trustees should also involve their lawyers.

So what are the sorts of “legal” questions trustees should be asking?

Who is responsible for content?  

Trustees should check who is taking responsibility for the website’s content. There may be key sections which need legal review (for example, the terms of use and any disclaimers – see below). This should be allowed for at an appropriate stage in the process so that changes can be made more easily.

For other sections, trustees may be comfortable with the communications specialists taking full responsibility provided they are clearly on the hook for this under their contract and the trustees understand (a) what source materials are being used (so they can check they are appropriate) and (b) what internal review process will be followed (so they can check this is sufficiently robust). Trustees should also agree a process for reviewing, updating and approving content once the new site is up and running.

What risk warnings, disclaimers and terms of use do we need?

Trustees need to be comfortable that the website’s terms of use reflect its functionality (and are therefore neither too light touch nor too heavy handed) and include appropriate risk warnings and disclaimers. Risk warnings will be particularly important if the site includes modellers which members might use to help them make decisions.

It’s important to think about the positioning of such warnings and disclaimers, as well as their content. Are they sufficiently prominent? How will they be drawn to members’ attention both when they first visit the website, and if/when there are any material changes or updates in the future?

Will the site meet all relevant operational and access requirements?

Trustees should check that the site will meet relevant requirements regarding searchability, storage and access for disabled persons. What is needed may vary depending on exactly what you are using the website for, so this should be considered alongside discussions on the website’s role. Either way, the communications specialists should be able to confirm what requirements they have taken into account in the design of the site and how these are being met.

How will we keep a record of changes to the site?

Trustees need to maintain a record of what updates and changes are made to the website and when. This could be important if, for example, a member brought a complaint referencing content on the website and you needed to be able to demonstrate what the site said at a particular date.

What contractual protections do we have (eg who “owns” the site)?

Building or upgrading a website is a big, and often expensive, project. It can also bring risks if something goes wrong such as a content error or access issue. Before kicking off, trustees should check they have a contract and scope of work which specifically covers the work being done and gives them an appropriate level of contractual protection.

In particular, trustees should check who will “own” the website, its content and any features included on it. As trustees might want to change communications specialists in future, you need to know what you could take with you, what you would need to leave behind and how this would work in practice.

Will the site include any personal data?

If the website will allow members to access or upload any personal data (eg a new address or change to their death benefit nominations), trustees must ensure that data protection requirements are being met.

Trustees should also consider what data is being collected as part of any tracking or monitoring of usage of the website and how this data is being used.

Will the site be used to meet key disclosure requirements (eg issuing benefit statements)?  

Disclosure law allows for electronic communications, but only if certain safeguards are put in place.  Trustees need to ensure they understand what their website will be used for and that any procedural requirements are being followed. Some steps (eg notices highlighting a move to electronic communications and requesting email addresses) could be built into any campaign to launch the site and encourage members to log in.

Have we considered cyber risk?

The Regulator expects trustees to be on the lookout for cyber threats to their scheme. Trustees should therefore check what, if any, impact the website’s operations could have on their cyber risk assessment and controls and take further action if they have concerns.

These sorts of questions should be easy to address. They just need to be asked at the right time and in the right way.

However, if they aren’t picked up at an early stage, trustees run the risk of storing up potential problems that are likely to be much harder to tackle further down the line.

 
