
Data protection and insolvency

The Data Protection Act 1998 (DPA) came into force on 1 March 2000. It sets rules for companies and organisations that deal with personal data. Personal data is information that identifies living individuals. The DPA applies to the processing of personal information and extends to some paper records as well as those held electronically. Its scope is very wide and it imposes a number of obligations. Some obligations are quite onerous on those involved in the processing of personal data.

The information on this page is aimed at insolvency practitioners and does not go into detail about the basics of data protection. More general information about data protection is available. Practitioners should be aware, however, that on 25 May 2018 the General Data Protection Regulations (GDPR) will come into force and that a new UK Data Protection Bill is expected in the autumn of 2017. Until then the DPA will still be the relevant legislation.

Please note: detailed guidance on how to implement the GDPR is not yet available from the Information Commissioner’s Office (ICO). It is expected to be available in the autumn of 2017. ICAEW will then publish its own guidance for members. ICAEW’s Essential guide to GDPR will help practitioners to understand the new regulation and what they need to do to prepare. Regular visits to the ICO website and ICAEW’s Cyber Security Resource webpages for the latest information are recommended.

Implications for insolvency practitioners

Insolvency practitioners are not exempt from any requirement of the DPA. They have to comply with all applicable requirements.

In the case of insolvency practitioners, a distinction can be drawn between personal data which is attributable to the activities of the insolvent company or individual for whom they act (company data) and personal data which they generate as a result of their responsibilities as practitioners (practitioner data).

Insolvency practitioners will usually need to be notified individually, not in the firm’s name ("notification" is how registration with the Information Commissioner is described):

  • for personal data which they generate as a result of their personal responsibilities as a practitioner;
  • when dealing with an insolvency in which they do not have agency status, to ensure this notification also covers any processing which their actions or decisions cause to happen;
  • when acting as agent of an insolvent company, to ensure that the company is notified and complies with the DPA.

The terms of appointment of insolvency practitioners are important. Because of the different powers associated with appointments - such as administrative receivers, receivers and managers, administrators, liquidators, supervisors of corporate and individual voluntary arrangements and trustees in bankruptcy - the DPA will have different implications for the different appointments. The different effects of data protection requirements are explained below for the different appointments of insolvency practitioners.