Data Protection

May 2012

 

Abbreviations

The following abbreviations have been used in this work:

BIS Department for Business, Innovation and Skills
CHM Case Help Manual
DPA Data Protection Act 1998
FOIA Freedom of Information Act 2000
FCU Forensic Computer Unit
IES Investigations and Enforcement Services
IP Insolvency Practitioner
TM Technical Manual
The Service Insolvency Service
SAR  Subject Access Request

 

Introduction

1. Requests for personal information and the DPA

The right to know whether personal information (data) is held and to have access to it must be dealt with under the provisions of the DPA. Any request from an individual for personal data about him or herself is referred to as a ‘subject access request’ (SAR) and must be treated in accordance with data protection legislation. Requests for personal data may be received from bankrupts, former bankrupts, partners and company officers or any other individual who may be connected to an insolvency case.  

Where the information requested relates to a third party, it will be exempt (under the FOIA section 40(2)) if either:

  1. its disclosure would contravene the DPA data protection principles;
  2. it would contravene section 10 of the DPA regarding the right to prevent processing likely to cause distress or damage;
  3. the person to whom the personal data relates would not have a right of access to it under the DPA.

 

2. What are the DPA ‘data protection principles’?

The DPA is governed by eight principles which are set out in Schedule 1 part 1 of the Act and these must be complied with by the data controller (official receiver) in respect of personal data they hold. These principles cover such points as:

  1. fair and lawful processing of personal data (first principle);
  2. the purpose for which personal data may be obtained and processed (second principle);
  3. the accuracy of personal data (fourth principle);
  4. processing of personal data in accordance with the rights of data subjects under the Act (sixth principle).

 

3. The official receiver as statutory office holder (requests quoting the FOIA)

Legal advice received by The Service states that if personal data was obtained by the official receiver solely by virtue of acting as ‘statutory office holder’, the FOIA will not apply. Instead, the DPA provisions must be considered as far as requests for any personal data held, whether the request is for information personal to the applicant or personal to a third party. All requests for information in bankruptcy cases are likely to be for personal data and the DPA provisions must be applied.

The provisions of the Insolvency Act 1986, Insolvency Rules 1986 and any other relevant legislation will be applied to requests for any other information.

The official receiver will need to take into account the restrictions in the insolvency legislation on who is entitled to the information, as well as the guidance in TM Chapter 47 – Disclosure of information (including inspection and production of records), when deciding if the requested information can be given in full or in part. For example, if an applicant who is not a creditor requests a copy of the list of creditors, a copy of the list should not be provided, as rule 12A.54 of the Insolvency Rules 1986 will apply.

 

4. What if the official receiver has instructed agents who are holding requested information?

Where the official receiver is acting as statutory office holder and instructs agents, a request for information held by those agents should be considered for disclosure in the same way as if the official receiver were holding the information, and the DPA and TM Chapter 47 considerations may also apply.

 

5. When is the official receiver not acting as statutory office holder?

There are some occasions where the official receiver is not acting as statutory office holder and where the FOIA still applies. If the official receiver is holding information in the capacity of a civil servant, as a manager of staff for example, the FOIA as well as the DPA will be relevant. Also more likely are those occasions where the official receiver is acting on the specific instructions or carrying out delegated functions of the Secretary of State, when the FOIA will also apply (see TM Chapter 81).

 

6. What if an official receiver needs guidance regarding a request for information held?

If the official receiver is uncertain in what capacity he or she is holding the information requested, the FOI/DPA Team should be consulted. Whenever possible the information should be disclosed but if the official receiver considers that the requested information cannot be provided, the reason for that decision must be given to the applicant. All requests for advice on dealing with FOI and DPA matters can be made by emailing The Service’s generic email FOI@insolvency.gsi.gov.uk

 

7. What has been the effect of the Freedom of Information Act 2000 on the Data Protection Act 1998?

The FOIA amended the DPA by making requests by an individual (SAR) exempt from disclosure under FOIA. A request for personal data by a third party is an FOI request, but must be considered by reference to the DPA provisions (see paragraphs 17 and 18 below). Basically, the DPA regulates the handling of all personal data and grants an individual the right, subject to various qualifications and exemptions, to be told by any ‘data controller’ e.g. the official receiver, whether any personal data in which that individual is the data subject is being processed and, if so, to be told what information is contained in that data.

The DPA also covers third party information if disclosure of that information would contravene the data protection principles (paragraph 2) or section 10 of the DPA. Section 10 of the DPA relates to processing likely to cause substantial distress or damage. The DPA principles prevent any right of access to personal data by a third party where the data subject themselves has no right to obtain the data because of an exemption.

 

8. Who would be described as a ‘data controller’?

A ‘data controller’ means a person who either alone, jointly or in common with other persons determines the purposes for which and the manner in which personal data is being, or is to be, processed. Official receivers are data controllers in respect of the personal data they control, held on The Service’s computer system and in manual records. The official receiver is a data controller in respect of the personal data of bankrupts where he or she is acting as receiver and manager or trustee, and in partnerships and companies where he or she is liquidator. The Department for BIS is data controller in respect of all other personal data processed by The Service, on ISCIS, or on other computer systems and manual records. 

 

9. What happens when a request for information is first received?

When a request for information is received, and the official receiver is not holding the information solely in his or her capacity as statutory office holder, he or she must consider whether the FOIA or DPA provisions should be applied, or whether both should be applied. There may be some information which is not personal data but does relate to an individual making an information request, in which case both Acts will need to be considered.

Generally requests for personal data in bankruptcy or partnership cases (as long as the individual is alive) will fall to be dealt with under the DPA, but if the individual to whom the information relates is deceased, the DPA will not apply. The specific exemption in section 40(1) of the FOIA means that where information requested constitutes personal data of which the applicant is the data subject, the request will be dealt with under the DPA. Similarly, requests by a company director about himself or herself will be a ‘subject access request’ under the DPA.

 

10. What is a ‘subject access request’ - SAR

A request by a living individual for their ‘personal data’ is called a ‘subject access request’ or SAR and must be made in writing and relate to the personal data of the data subject. The data controller is not obliged to supply information unless reasonably satisfied of the identity of the person making the request. The FOI/DPA Team will, when notified of a request, issue an acknowledgment asking the individual for suitable ID to be provided before the request is processed further.

SARs (once ID has been provided) should be dealt with by the official receiver (data controller) in each official receiver’s office, or by the appropriate section head holding the information. In official receivers’ offices, the data controller is the official receiver and for the remainder of The Service section heads act as data processors for the data controller (BIS). In addition, the FOI/DPA Team in Technical Section is available to provide specialist advice and, if required, to co-ordinate a response across The Service. The procedure is set out in the document linked at the end of this CHM Part (see Data Protection Act - OR process), and is also available in chapter 81A of the Technical Manual and on the Technical Section intranet page.

 

11. Fees

The maximum statutory fee that a data controller may charge for dealing with a request is £10 (except where the personal data is held in an unstructured paper filing system and requires disproportionate effort to recover). This exception will very rarely apply.

The Service does not charge any fee for dealing with subject access requests. The statutory maximum fee of £10 must be refunded where it has been remitted by the requester.

 

12. What data is covered by the DPA?

The definition of ‘data’ under the DPA has been extended by the FOIA to include all recorded information held, even if in manual form. It was formerly limited to information processed or intended to be processed automatically i.e. by computer, and to information held in a manual file that fell within the definition of a ‘relevant filing system’. There is a division of manual data into structured and unstructured information, the aim being to limit the obligation to provide access to manually held personal data that can be found ‘with reasonable endeavours’.

 

13. What is ‘unstructured’ personal information?

This is any information that is not recorded as part of a set of information structured by reference to individuals or criteria relating to individuals. The access to such information is limited in two ways:

  1. the applicant must expressly describe the information requested or access will not be given,  and
  2. even if the unstructured personal information is adequately described, there is no obligation to provide it if the estimated cost of doing so would exceed the appropriate limit (as defined by the FOIA).

Charges for unstructured personal information can be made in accordance with the FOI (Fees and Appropriate Limits) Regulations 2004, but in all cases where a request is made to obtain personal data held within an unstructured (paper) filing system, advice should be requested from the FOI/DPA Team (see paragraph 6).

 

14. What is ‘structured’ personal information?

For the information to be ‘structured’ it must be information with something coherent or defining about it that means it may be regarded as ‘a set’:

  1. the information must relate to a living individual,   and
  2. the set must have an internal structure dictated by reference to individuals or criteria relating to them.

Thus a file arranged in date order, such as the official receiver’s case file, would be covered as long as the name of the individual was on the front cover. There is no requirement that structured personal information must be readily accessible and if the personal information falls within this structured category, it must all be provided unless it is exempt information (see paragraphs 23 and 24).

 

15. ‘Right to know’ under the DPA

Once a request is received in writing (including transmission by electronic means), satisfactory ID has been provided for the individual making the subject access request, and the information requested is not exempt under the DPA, the individual is entitled:

  1. to be told whether their personal data is being processed,  and if so
  2. to be given a description of the personal data, the purpose for which it is being processed and to whom it is or may be disclosed,  and
  3. to be provided with copies of the information that forms such personal data and information that may be available as to the source of the data.

 

      16. In what form should the information be supplied?

      The data subject is entitled to the information in a permanent form, unless the supply of such copies is not possible or would involve a disproportionate effort, or if the data subject agrees otherwise. Unlike the FOIA, under the DPA the data subject is not given a choice as to how the information requested is to be provided.

      Subject to any exemptions that may apply in the DPA, bankrupts, company directors and any other individuals are entitled to know what personal data about them is held on any of The Service’s record systems and to have copies of that data. 

       

      17. Can information relating to another individual be disclosed?

      If to comply with a subject access request under the DPA would involve disclosing the personal data of another individual who could be identified from that information, the official receiver does not have to comply with the request, unless either the other individual concerned has given consent to the disclosure or it is reasonable in the circumstances to comply without consent.

      Where it is straightforward to remove the third party information from the document(s) to be disclosed by covering names or other identifying particulars, this should be done. A copy of the data provided should be taken and placed on the file in case of subsequent query.

       

      18. Can personal information be disclosed to third parties?

      The second data protection principle states ‘personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes’. ‘Processing’ includes disclosure.

      It is also necessary to ensure that the first data protection principle that personal data should be processed fairly and lawfully is not breached.

      Based on the above, the general rule is not to disclose personal data to third parties, unless under a disclosure order from a court, where legislation allows for such disclosure or where a DPA exemption is engaged. All requests from third parties must be copied to the FOI/DPA Team for logging and advice.

       

      19. When is the official receiver ‘expressly required’ to disclose information?

      The official receiver should only disclose information about individuals where expressly required to do so by insolvency legislation e.g. in the report to creditors, or in other circumstances, having considered the exemptions contained within the DPA. For example, if the official receiver is approached by HM Revenue and Customs for information about a bankrupt’s tax affairs, disclosure might be justified under the DPA, section 29, on the basis that the information is required for the assessment of a tax, provided the conditions set out in Schedules 2 and 3 of the DP Act are met. Equally, if the organisation seeking the personal data has a statutory power to require the information, its disclosure in pursuance of that requirement may be permitted under section 35 of the DPA.

      The exemption under the FOIA section 40(2) ensures that access to third party personal data is not widened. Basically, if the information constitutes third party personal data and its disclosure would contravene one of the data protection principles, it will be exempt.

       

      20. How quickly must a DPA request be dealt with?

      The DPA allows 40 (calendar) days for dealing with subject access requests and all requests must be dealt with within this time limit. The official receiver thus has 40 days to comply from the time the request is received (but subject to valid ID being provided).

      Once a request has been received that is to be dealt with under the DPA, the procedure set out in the document linked at the end of this CHM Part (see Data Protection Act - OR process), which is also available in chapter 81A of the Technical Manual and on the Technical Section intranet page, should be followed.

       

      21. Can the official receiver provide information held by other parts of The Service?

      Official receivers should be aware that files may be held for bankrupts and company directors by various parts of the Service. If advice has been sought about a case from Technical Section, a file will have been opened which will contain copies of any exchange of minutes and may contain other associated papers. In addition, the Authorisations Team hold files on various bankrupts and directors and also maintain databases of prosecution and/or disqualification details.

      In all cases where it is likely that personal data is held by another part of The Service the official receiver should include this information when notifying the FOI/DPA Team of the request.

       

      22. Who is the ‘data controller’ for data held by other parts of The Service?

      The data controller for such data is the Department for BIS, therefore none of this information will be under the control of the official receiver and he or she will not have any duty to disclose it. The FOI/DPA Team will co-ordinate (where necessary) a single response from the whole of The Service (except for the personal data held by the official receiver). The Department for BIS is also data controller for information held on ISCIS. One request will cover all information held across The Service and it is therefore important that where it is known that information is held by various teams across The Service the FOI/DPA Team are informed as soon as it is received.

       

      23. Exemptions from the right of subject access

      Some personal data is exempt from the right of access by the data subject and the right to receive the information, the ‘fair processing of information’ specified in paragraph 2 of Part II of Schedule 1 of the DPA will apply. Such exemptions are specified for personal data processed for the following purposes, amongst others:

      a. to prevent or detect crime
      b. to apprehend or prosecute offenders
      c. to assess or collect any tax or duty or any imposition of a similar nature
      d. was obtained for that purpose from a person who had it in his possession for any of the purposes in (a – c) above. (Crime and taxation, DP Act section 29)
      e. to discharge functions which are designed for, amongst others, protecting members of the public against financial loss due to dishonesty, malpractice, or other serious improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate
      f. financial loss due to the conduct of discharged or undischarged bankrupts involving dishonesty or malpractice
      g. dishonesty, malpractice or other seriously improper conduct by or unfitness or incompetence of, persons authorised to carry on any profession or other activity, e.g. insolvency practitioners, to the extent that permitting subject access rights or providing data subjects with the fair processing of information, would be likely to prejudice the proper discharge of those functions (DPA section 31)

      There are also other exemptions relating to national security, ‘special purposes’ such as journalism, and historical or statistical research but these are less likely to be applicable to the cases dealt with by official receivers.

       

      24. Section 31 DPA exemption

      Under section 31 of the DPA, a data subject is prevented from seeking access to their personal data if access would be likely to prejudice the proper discharge of functions designed for protecting members of the public against financial loss as outlined in paragraph 23(e). This exemption is relevant to the official receiver’s or the Secretary of State’s functions in relation to unfit directors, bankrupts and insolvency practitioners.

      Section 31 is not an absolute exemption from the subject information provisions and is only available to the extent that, permitting access to the data or informing the data subject of the purposes for which the data is held, would be likely to prejudice the discharge of those functions. For example, if the official receiver is investigating an offence or misconduct or is attempting to trace undisclosed assets, section 31 is likely to apply.

      In cases of doubt, guidance should be sought from the FOI/DPA Team when notifying the request.

       

      25. Subsequent requests

      If the official receiver has previously complied with a subject access request he or she is not obliged to comply with a subsequent identical or similar request by that individual unless a reasonable time has elapsed between the two requests.

       Consideration should be given to the nature of the data, the purpose for which the data is processed and how frequently the data is altered. Where a request is received within a 6 month period for the same or substantially similar information, it is reasonable to refuse the request but, beyond that time period, the information should be provided unless there are other reasons for not doing so.

      NB: There is no DPA equivalent to ‘vexatious requests’ as exist under the FOIA.

       

      26. Answering enquiries where an individual’s details do not appear on the Individual Insolvency Register (IIR)

      Where an inquiry is dealt with over the telephone, care should be taken not to breach the provisions of the DPA. Enquiries by members of the public involving an individual whose details appear on the IIR are not a problem and information held on the public register can be given freely. But if an individual’s details do not appear on the IIR, telephone enquirers should be informed that the matter cannot be looked into any further over the telephone.

      NB: A search of ISCIS should not be undertaken.

      The duration of entries on the IIR is limited by the Insolvency Rules 1986 so that, for example, all information relating to a bankruptcy will be deleted three months after the date of discharge.

       

      27. What should enquirers be told where The Service has internal records and details of cases which are not in the IIR?

      Enquirers should be told that The Service’s internal records may contain details of cases which are not included in the IIR, and that, while such information cannot be requested or provided over the telephone, if they exist, they may be disclosable, depending on the enquirer’s interest. If the enquirer wishes to pursue the matter, it must be by means of a non-verbal inquiry, i.e. by letter, fax or e-mail.

      On receipt of a non-verbal enquiry in respect of an individual whose details do not appear on the IIR, consideration must be given to the enquirer’s interest in the case. Enquiries from known creditors or from a person claiming to be a creditor who provides adequate information for there to be no reason to doubt his or her claim to be a creditor, can be answered. All other types of enquiry must be referred to the examiner to decide if the enquirer has a legitimate interest entitling him or her to the information requested. In cases of doubt, the FOI/DPA Team in Technical Section should be consulted. 

       

      28. Answering telephone enquiries regarding companies

      ISCIS information on companies can be revealed to telephone callers. However, caution should be exercised as regards providing personal details of directors (e.g. their addresses) and if the winding-up order was made more than five years ago, it is advisable to supply no personal information about the directors over the telephone. Requests for such details should be referred to Companies House, which will have information on files available by request. Alternatively, a non-verbal request can be made to the official receiver and if done, consideration should then be given as to whether there are good grounds for releasing the information to the enquirer.

       

      29. Can the official receiver obtain personal data from third parties?

      Other data controllers will be under the same constraints as the official receiver when it comes to disclosing personal data. Whilst section 35(2)(a)&(b)  of the DPA allows disclosure if it is required for the purpose of legal proceedings, or potential proceedings, there are no provisions in insolvency legislation which would entitle the official receiver to require that a third party make disclosure to him or her. The official receiver may quote section 35(2)(a)&(b) if refused information by a third party, but if the official receiver is unable to obtain the information by any other means, the bankrupt should be asked to sign a disclosure authority. If that fails, the official receiver may then consider obtaining an order under section 366 of the Insolvency Act 1986.

      The DPA applies to any organisation that is established in the UK. It is important to consider the data protection legislation in force within the jurisdiction where the third party is based. An example of this is where the official receiver needs information about a bankrupt who has been gambling online using a casino based in Gibraltar. In this example the relevant legislation is the (Gibraltar) Data Protection Act 2004, and the process is outlined in more detail in TM paragraph 81A.70A.

      The official receiver may require personal information from Channel Island based casinos, who operate under their own data protection legislation. Details of how to request information are given in TM paragraph 81A.70B.

      For advice on making requests for personal information from other data controllers, email the FOI/DPA Team on FOI@insolvency.gsi.gov.uk

       

      30. Can the official receiver sell computer equipment containing personal data?

      Where the official receiver intends to dispose of computer equipment which he or she is aware contains personal data, he or she should, unless the disposal takes place as part of a sale of the data, ensure that the personal data is ‘cleaned’ from the equipment prior to the sale. It is important to remove all traces of data from the system; it is not sufficient to simply delete the files. Consideration may also be given to destroying the equipment, if the cost of cleaning it up is likely to exceed its realisable value.

      If in doubt, speak with FCU who may be able to assist. The Service have in place contracts with specialist firms who are able to carry out data deletion, destruction and recycling work to the required specification for all digital media collected from insolvent estates.

       

      31. What is the role of the Information Commissioner?

      The Information Commissioner is responsible for monitoring the compliance of public authorities with the FOIA, DPA and the Codes of Practice. The Commissioner’s role extends to public rights under the Environmental Information Regulations and the Privacy and Electronic Communications Regulations.

      Any communication received from the Information Commissioner’s Office (ICO) must be forwarded to the FOI/DPA Team immediately.

       

      32. What if a person is dissatisfied with The Service’s compliance with the DPA?

      Under section 50 of the FOI Act any person who is dissatisfied may apply to the Information Commissioner regarding The Service’s compliance with the requirements of the DPA, the most likely reason being that the complainant does not agree with the exemption relied upon for not providing the information. The Information Commissioner is obliged to consider an application unless he considers that:

      1. the complainant has not exhausted the complaints procedure provided by The Service  
      2. that there has been an undue delay in making the application
      3. that it is frivolous or vexatious
      4. that the application for information has been withdrawn or abandoned

       

          33. What should be done when a ‘notice’ from the Information Commissioner is received?

          Insolvency Service staff must not ignore any notice issued by the Information Commissioner as the courts may treat any failure to comply with an Information or Decision Notice as a contempt of court. Also, the FOI/DPA Team in Technical Section must be notified without delay, and supplied with copies of any notice or other correspondence that is received from the Information Commissioner.

           

          Notes

          a    Where someone makes a subject access request under section 7 of the DP Act, it is a criminal offence to alter, deface, block, destroy or conceal any record, or part of it, to prevent disclosure of all or part of the information in it (provided that the applicant would have been entitled to the information). Section 77 of the FOI Act states the individual employee who carried out such action would be liable to prosecution and this applies to the DP Act as well as the FOI Act.

          b    The Guide to Bankruptcy and the Guide for Directors contain details of the identity of the data controller (the official receiver) and the purposes for which the data is being processed. In order to comply with the first data protection principle, it is important to ensure that these Guides are provided to all bankrupts and directors that are interviewed.

          c    The official receiver may receive subject access requests from individuals who have had dealings with an insolvent and who believe that personal data about them may be held in records kept by the insolvent. If this happens, the official receiver should follow the same procedure as for any other subject access request.

          d    Where the official receiver is dealing with an insolvent that holds personal data, the insolvent will no longer be the data controller and the data will instead be covered by the official receiver’s registration for the duration of his appointment. Where an IP is subsequently appointed trustee of the bankrupt’s estate or liquidator of the company or partnership, the official receiver should make the IP aware of the existence and nature of the personal data as the IP will need to have his own notification under the DP Act to deal with the data.

           

          Where can I find out more?

          Freedom of Information Act 2000 

          Data Protection Act 1986 

          Freedom of Information (Fees and Appropriate Limit) Regulations 2004 

          Technical Manual

          Chapter 81 – Freedom of Information Act and Environmental Information Regulations

          Chapter 81A – Data Protection

          Chapter 47 – Disclosure of information (including inspection and production of records)

          Case Help Manual

          Freedom of Information Act and Environmental Information Regulations

          Technical Section Intranet page

          Freedom of Information and Data Protection Acts

          Technical Notice

          Dealing with subject access requests – T18-12 

          The Information Commissioner’s website

          www.ico.gov.uk   

           

          Procedure

          (Amended May 2012)

          See Data Protection Act - OR process