Who Owns A Participant's Personal Information?
Service providers for 401(k) and other retirement plans require access to personal data on participants including name, age, address, date of hire, compensation and possibly social security number. This data is necessary to allow plan administrators and recordkeepers to properly allocate plan contributions and earnings to individual participant accounts, to prepare participant statements and for income tax reporting purposes.
Some financial institutions providing services to retirement plans have used such participant data to solicit sales of their non-plan products and services, such as individual retirement accounts, outside wealth management services, and life or disability insurance. So, are these plan service providers simply taking advantage of a business opportunity or are they improperly exploiting information that belongs to the retirement plan and its participants? In legal terms, is the personal information of retirement plan participants a “plan asset” that plan fiduciaries must protect, or is it just incidental data of little commercial value?
At least one district court has concluded that the personal information of retirement plan participants is not a plan asset because it is not “property the plan could sell or lease” (see _Divane v. Northwestern University _which is discussed in more detail HERE).
But there is a thriving commercial market for personal information and it is bought and sold for marketing purposes every day (think Google here). So, should retirement plan fiduciaries act to protect the personal information of plan participants while the courts sort this out? Recent settlements in cases involving Vanderbilt University and Johns Hopkins University strongly suggest that the answer to that question is “yes.” These settlements, in addition to requiring the payment of millions of dollars to resolve a variety of claims involving retirement plan administration, also require the university plan sponsors to prohibit plan service providers from soliciting current plan participants to “cross-sell” their non-plan products and services. Participant data has value and, like medical records, is not disclosed to service providers with the expectation that it will be used by the provider for its own commercial purposes.
Plan fiduciaries should protect participant information from non-plan use by plan service providers. Whether the basis for doing so is protection of personal privacy or the preservation of “plan assets,” the trend is clear. And that is the case because one court’s conclusion that personal information is not “property” simply does not reflect commercial reality.
Plan fiduciaries can take action by including appropriate provisions in their agreements with plan service providers. For plans in mid contract, consider inquiring about the non-plan use of participant data and objecting to any such use that comes to their attention. Plan service providers themselves need to take stock of their sales practices and evaluate them in the light of the Vanderbilt and Johns Hopkins settlements as well as any opinion that may be issued in the appeal of Divane v. Northwestern University.