Confidential information - client, customer and patient databases

June 2013

Part 7 Confidential information - client, customer and patient databases

31.10A.125 Confidential information

Confidential information can be intellectual property but it is covered by informal protection, under the general legal right to confidentiality and by confidentiality protection provisions in contracts as well. Three tests are required to satisfy whether information is subject to confidentiality protection:

  • Must by nature be confidential;
  • Must have been told or conveyed to the recipient in circumstances in which an obligation of confidence arose (e.g. it must be obvious what was being imparted was confidential)
  • Its unauthorised use would be detrimental to the owner.

31.10A.126 Client, customer or patient databases

Some businesses, particularly those providing a service requiring periodic repetition such as private clinics, dentists, opticians or vets, will be in possession of a list of clients or patients, often held in the form of a computerised database.   Whilst the client information held on the database may well be confidential, this database is also a potential asset, which may be sold for the benefit of the insolvent estate.

31.10A.127 Data Protection Act does not prevent sale of a database

Normally personal information in a database should not be sold if the individuals have not been told originally that their information could be passed on to other organisations. However, where a business is insolvent, bankrupt, closed down or sold, the Data Protection Act 1998 (DPA) will not prevent the sale of a database containing the details of individual customers, providing certain requirements are met [note 1]. These requirements are detailed in paragraphs 31.10A.128 to 31.10A.131.

The Information Commissioner has published a “Data Protection Good Practice Note” on the buying and selling of databases which can be accessed at: ico - practical guide to buying and selling customer databases.

The Information Commissioner’s office website is available here:

31.10A.128 Information must only be used for its original purpose

When personal information covered by the DPA is collected from individuals initially it should be clear to them what it will be used for. When a database is sold, the seller must make sure that the buyer understands that they can only use the information for the purposes for which it was originally collected. Any use of this personal information should be within the reasonable expectations of the individuals concerned. So, when a database is sold, its use should stay the same or similar e.g. if a database contains information obtained for the provision of dental treatment, the database should only be sold to another dentist providing similar dental treatments.  Selling it to a business for a different use is likely to be incompatible with the original purpose and likely to go beyond the expectations of the individuals.

31.10A.129 Database purchaser must be made aware of its original purpose

The buyer of any database should be made aware that they can only use the personal information on it in line with the purposes for which it was originally collected. The official receiver will need to inform any buyer what these purposes were when they buy the database. If the buyer wants to use the personal information for a new purpose, they will have to get consent for this from the individuals concerned. As the original collector of the information, the seller, in this instance the official receiver, has a responsibility to ensure that the personal information is used properly. The official receiver can achieve this by making it clear to the buyer what the information can or cannot be used for.

31.10A.130 Individuals on database to be informed of change of ownership

If the database is sold it is the responsibility of the buyer to make sure that all the affected individuals are told who now has their information. This should be done as soon as practicable, giving contact details for the new owners and confirming that the personal information obtained will only be used for the same purposes as before. If the buyer wants to use the information in a new way then this will also provide an opportunity to ask individuals for their consent. Before selling the database the official receiver will need to ensure that buyer undertakes to inform all individuals that they now hold the information.

31.10A.131 Restrictions on the sending of marketing material

The buyer of a database often wants to use it to send marketing material. Whether they will be able to do so will depend on the basis on which the personal information concerned was collected originally. The general rule is that unsolicited marketing can be sent to individuals where they have agreed to this or where this is nevertheless likely to be within their reasonable expectations. For example, if an individual takes on dental insurance with a particular insurance company then it is reasonable for that company to send details of insurance for the following year and details of other insurance products on offer, unless the individual has made clear that they do not wish to receive such marketing. Therefore, the buyer should check the basis on which the information was collected and whether any of the individuals have objected. The buyer should also establish whether the individuals would only expect to receive marketing via a particular medium, for example via the postal system. Particular care should be taken when using the telephone or e-mail to ensure that the special rules governing electronic marketing are complied with. Unsolicited marketing e-mails should only be sent to individuals who have consented and buyers should not assume consent if an individual does not respond. When they have established that they can use the personal information for marketing the buyer should only market products and services, which are similar to those that the information has been used to market previously. Further guidance on electronic mail marketing can be found at:

ICO - privacy and electronic communications

ICO - Guidance on Electronic Mail Marketing

Before selling the database to any potential buyer the official receiver should point out to the buyer the restrictions imposed by the DPA on the use of marketing material.

31.10A.132 Length of time information on database may be held

The DPA requires that any personal information held should be adequate, relevant and not excessive, and that it should not be kept for longer than is necessary [note 2]. The official receiver should inform the new owner of a database that they will be required to decide how much of the information supplied on the database they need to keep. Any unnecessary personal information should be deleted. Personal information should not be held simply on the basis that it might become useful one day.

31.10A.133 Action required where database cannot be sold on

If no potential buyers can be found for a database or if the official receiver decides not to proceed with its sale the information held should be deleted or destroyed as soon as it is no longer required.


[Back to Part 6 Goodwill]