Data protection and insolvency
The Data Protection Act 1998 (DPA) came into force on 1 March 2000. It sets rules for companies and organisations that deal with personal data. Personal data is information that identifies living individuals. The DPA applies to the processing of personal information and extends to some paper records as well as those held electronically. Its scope is very wide and it imposes a number of obligations. Some obligations are quite onerous on those involved in the processing of personal data.
The information on this page is aimed at insolvency practitioners and does not go into detail about the basics of data protection. More general information about data protection is available. Practitioners should be aware, however, that on 25 May 2018 the General Data Protection Regulations (GDPR) will come into force and that a new UK Data Protection Bill is expected in the Autumn of 2017. Until then the DPA will still be the relevant legislation.
Please note: detailed guidance on how to implement the GDPR is not yet available from the Information Commissioner’s Office (ICO). It is expected to be available in the autumn of 2017. ICAEW will then publish its own guidance for members. ICAEW’s Essential guide to GDPR will help practitioners to understand the new regulation and what you need to do to prepare. Regular visits to the ICO website and ICAEW’s Cyber Security Resource webpages for the latest information is recommended.
Implications for insolvency practitioners
Insolvency practitioners are not exempt from any requirement of the DPA. They have to comply with all applicable requirements.
In the case of insolvency practitioners, a distinction can be drawn between personal data which is attributable to the activities of the insolvent company or individual for whom they act (company data) and personal data which they generate as a result of their responsibilities as practitioners (practitioner data).
Insolvency practitioners will usually need to be notified (how registration with the Information Commissioner is described) individually, not in the firm’s name:
- for personal data which they generate as a result of their personal responsibilities as a practitioner;
- when dealing with an insolvency in which they do not have agency status to ensure this notification also covers any processing which their actions or decisions cause to happen;
- when acting as agent of an insolvent company, to ensure that the company is notified and complies with the DPA .
The terms of appointment of insolvency practitioners are important. Because of the different powers associated with appointments - such as administrative receivers, receivers and managers, administrators, liquidators, supervisors of corporate and individual voluntary arrangements and trustees in bankruptcy - the DPA will have different implications for the different appointments. The different effects of data protection requirements are explained below for the different appointments of insolvency practitioners.
Compliance with the data protection principles
Particular care must be taken over dealing with subject access requests in insolvency. The usual rules for subject access apply to:
- the insolvent company;
- insolvent individuals; and
- the practitioner.
On receipt of any subject access request, the insolvency practitioner should take care to ascertain whether the application is being made in respect of data held by the practitioner or by the company. There are no exemptions for commercial sensitivity of information. In particular cases, it may be open to a practitioner to claim an exemption from subject access by virtue of a statutory order made under section 31 of the DPA. This may enable personal data held by office holders for the purposes of their functions under the Company Directors Disqualification Act 1986 to be withheld on a subject access request in any case in which the application of those provisions to the data would be likely to prejudice the proper discharge of those functions.
Corporate insolvency appointments
Administrative receiver and receiver and manager
It’s important to remember that liquidation terminates any agency of a receiver or administrative receiver. Therefore, if a receiver continues to exercise control over personal data after the appointment of a liquidator, the insolvency practitioner will have lost the protection of the deemed agency provisions and they will be likely to be held to be controlling personal data on their own behalf and not on behalf of the company. Unless the insolvency practitioner ensures appropriate personal notification, they run the risk of becoming an unregistered data controller with personal liability to prosecution.
The powers of an administrator are set out in Schedule B1 of the Insolvency Act 1986. The administrator of a company may do anything necessary or expedient for the management of the affairs, business and property of the company. Paragraph 69 of Schedule B1 states that in exercising their powers, the administrator is deemed to act as the company’s agent.
Supervisor of company voluntary arrangements
A supervisor of a voluntary arrangement is charged with supervising the implementation of a proposal for a composition in satisfaction of the company’s debts or a scheme of arrangement of its affairs. The exact terms of the proposal will vary from case to case, and the supervisor should have careful regard to the terms of each particular proposal when considering the extent to which it will impose responsibilities upon them under the DPA. The supervisor may be appointed as trustee of the company’s property although this will not necessarily be the case. Whether the supervisor is the agent of the company will depend on the terms of the appointment.
On appointment, a liquidator has a duty to take custody and control of all the assets of the company. This will include any database or personal data in the hands of the company. The extent to which a company is processing personal data at the time of a liquidator’s appointment will depend on the particular circumstances of each case.
In cases where liquidation is not preceded by receivership or administration, it is more likely that the company will be processing data than in cases where a prior receiver or administrator has disposed of the bulk of the company’s assets and dismissed its employees. In circumstances where the business is carried on or personal data is used or processed after the appointment of a liquidator, it will be a question of fact as to whether the liquidator’s control has been exercised on behalf of the company (in which case the company will be the data controller) or on their own behalf (in which case the liquidator must notify separately as data controller).
In cases where the appointment of an administrator, administrative receiver, receiver or liquidator covers more than one person under section 231 of the Insolvency Act 1986, the terms of appointment will determine whether they are both data controllers. Practically, it may be helpful to ensure that both appointees are data controllers.
Insolvency appointments in Scotland
This guidance is based on the provisions of the Insolvency Act 1986 as they relate to England and Wales. The general principles set out above (individual practitioner notification and responsibility for compliance) also apply to insolvency appointments in Scotland. However, it should be noted that there are differences in the details of insolvency provisions between the jurisdictions.
Insolvency practitioner’s data
Licensed insolvency practitioners are required to keep records of their appointments. This includes keeping records relating to the directors of the companies in respect of which they are appointed. The practitioner has a duty, under the Company Directors Disqualification Act 1986, to report to the Secretary of State in respect of the directors. This information is likely to be held as data and will be personal data. The practitioner may also personally hold other information they have a duty to deal with, for example, list of debtors, list of creditors and the dividend distribution to the creditors. These records are kept by the practitioner and are not the same as the records of the insolvent company. The practitioner should be notified for such data. This must be distinguished clearly from the practitioner’s firm’s notification and is a personal registration in the name of the practitioner.
The reason for this is that an insolvency practitioner will be the person who determines the purpose for which the data are used and cannot be subject to interference from his firm (although the firm may be a data processor, processing data on the practitioner’s behalf). The practitioner is therefore the data controller.
Insolvent company data
An insolvent company can be a data controller as long as it remains in existence without being dissolved. The duty to register and to comply with the data protection principles, the rights of individuals to subject access and the ability to take advantage of the exemptions continue to apply.
The practitioner as agent.
In those cases where the insolvency practitioner acts as agent for a company, the company will continue to be the data controller for personal data held and used as part of the company’s business. This is the case even though the control of the company’s affairs is to a great extent in the hands of the insolvency practitioner. The insolvency practitioner will be acting as agent for the company under the appointment or statutory powers. In actions taken on behalf of the company, the insolvency practitioner must take care to ensure the company observes the terms of its notification entry.
The insolvency practitioner should be careful to ensure compliance with the principles when disposing of company assets. In particular the practitioner should be aware of the security considerations when selling computer equipment and make sure all personal data has been effectively erased from disks. The insolvency practitioner should also consider carefully the data protection implications of any proposed sale or transfer of a database containing personal data.
The practitioner without agency status
In most cases the insolvency practitioner will be acting as the agent of the company. If, however, the insolvency practitioner does not have agency status and takes decisions involving the use of personal data, or takes control of contracts or arrangements involving the processing of personal data, the insolvency practitioner is liable to become the data controller for that data and must notify personally.
This could occur, for example, in the case of a receiver or manager who was not the agent of a company and who took responsibility for a contract which necessarily involved the processing of personal data relating, for example, to customers.
It could also occur if a company moves from administrative receivership into liquidation. An administrative receiver’s agency terminates on liquidation and if the insolvency practitioner continues to exercise control after the termination of the agency, the insolvency practitioner could become the data controller for it and must notify personally.
Individual voluntary arrangements
In a voluntary arrangement, a supervisor is appointed to supervise the implementation of a proposal for a composition in satisfaction of an individual’s debts or a scheme of arrangement of their affairs. As in the case of company voluntary arrangements, the terms of the proposal will vary from case to case, and supervisors should have regard to the terms of a particular proposal when considering the extent to which it will impose responsibilities upon them under the DPA. The arrangement may authorise or require the continuation of the debtor’s business. In such cases the proposal will usually expressly provide that the debtor will continue the business on their own account. The supervisor should ensure the control of the content and use of any personal data involved is clarified in the proposal.
It is also possible, although unusual, for a supervisor to be constituted trustee of the debtor’s assets. If those assets include personal data, the supervisor will assume control of the data also. In these circumstances, the supervisor will be the data controller and should notify. Supervisors are also required to report on the progress of the arrangement and will therefore usually hold their own data. This should be notified just as in the case of a practitioner dealing with a company.
The estate of the bankrupt vests in the trustee on the appointment of the trustee. The position is therefore different to other appointments. If personal data held by the bankrupt vests in the trustee in bankruptcy, the trustee would be in control of their contents and use. Unless the personal data is exempt, the trustee will need to be notified as a data controller in respect of the data. The trustee will also need to be notified as a data controller in respect of any non-exempt personal data which the trustee creates in the course of administering the bankrupt’s estate; for example, a list of creditors and of the debts proved by them.
Under section 390 (1) of the Insolvency Act 1986, only an individual can be qualified to act as an insolvency practitioner. The individual insolvency practitioner will therefore become responsible for this role in non-agency situations. The responsibility will not fall on the practitioner’s firm. For this reason, it's important to consider, and be aware of, where the responsibility lies.
It's a criminal offence under the DPA to hold personal data without being notified (subject to some restrictive exemptions). This is an offence of strict liability. This means that if a data controller should have been notified but was not, there is no defence, even if they honestly believed the data was exempt. It is also an offence for a data controller knowingly to operate outside the terms of their notification, for example to disclose personal data to someone to whom they are not notified to disclose.