Background: The DCIIA RRC and SPARK Institute recently published joint research on privacy, data sharing, and security within the retirement and employee benefits industry. The report is the first phase of an ongoing effort to create more effective holistic financial wellness solutions that safeguard plan and participant data. Dozens of participants, plansponsors, recordkeepers, advisors, and service providers were interviewed while a broader industry survey was also fielded.Findings: Cybersecurity and data privacy are top of mind with employers, particularly with the expansion of financial wellness benefits and the connections these services create outside of the retirement plan. Foundationally, we explored their thoughts on who ultimately “owns” the data needed for services alongside where the duty to manage it lies. During focus group interviews, most employers believed the employee ultimately “owns” their data; however, it is the employer's responsibility to manage and safeguard that information - ultimately controlling access to participant data.The nuances between the plan versus the employer were also explored. Through an online survey, when asked who “owns” or controls the data related to their plan participants, 62% of respondents indicated that the plan has control, which implies ERISA duties. Just 22% responded the employer has control and 14% said the employee.Furthermore, the majority of employers believe the plan has the right to access the data regardless of who “owns” it. More specifically, 92% responded that the main entity with rights to access the data was “the plan, for plan related needs.” Meanwhile, 79% said recordkeepers to run the plan, employers to evaluate the plan and engage workers, and employees had the right to access the data freely. Only 27% of employers indicated that the recordkeeper has a right to access the data to offer their own additional services, which highlighted a growing perspective gap between the two practitioner groups. This exploratory study uncovered multiple differences of opinions among plan sponsors, recordkeepers, and advisors related to data access, consistency, and inherit responsibility in safeguarding participant information.Due to differing practitioner opinions, employers were asked about what would make them more comfortable with allowing the recordkeeper and service providers to use plan participants' data. The majority of employers (65%) responded, “the DOL providing employers and plan sponsors a safe harbor for allowing the sharing and use of data,” as a primary solution. Please find additional details in the report here.Bottom Line: The topic of data privacy continues to be top of mind across the retirement plan industry and will continue to be explored given the grey area that financial wellness services creates. The second phase of this study is underway to examine possible solutions and operational guardrail needs to generate a deeper analysis with employers, service providers and participants. At the DCIIA/SPARK Public Policy Forum, we will have a special half day focused on further discussing the discrepancy in opinions amongst practitioners, where facilitated discussions will explore if compromises exist. Please join us and be a part of the conversation!