Data Protection Act and The Insolvency Service

August 2012

Part 1 – Data Protection Act and The Insolvency Service

81A.02  Background and purpose

The DPA grants an individual the right, subject to various qualifications and exemptions, to be told by a data controller whether personal data of which he is the data subject is being processed and, if so, to be given a description of the data in question and to have communicated to him the information contained in the data. The definitions of these terms are all contained in section 1(1) DPA. [note 1]

81A.03  Personal Data

The DPA is only concerned with ‘personal data’, that is, information relating to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. Data concerning corporate bodies is excluded from the Act, as is data concerning deceased individuals. Personal data is defined in section 1(1) of the DPA.

Further information on what constitutes personal data can be found in the ICO guidance leaflet.

81A.04  Sensitive personal data

The DPA created a category of data called ‘sensitive personal data’. A data controller who processes sensitive personal data must meet additional conditions within the DPA, Schedule 3, and in secondary legislation. ‘Sensitive personal data’ is defined in section 2 of the DPA as consisting of information as to: [note 2]

  • the racial or ethnic origin of the data subject,
  • his political opinions,
  • his religious beliefs or other beliefs of a similar nature,
  • whether he is a member of a trade union (within the meaning of the [1992 c. 52.] Trade Union and Labour Relations (Consolidation) Act 1992),
  • his physical or mental health or condition,
  • his sexual life,
  • the commission or alleged commission by him of any offence, or
  • any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

81A.05  Data subject

A data subject is an individual defined under the Data Protection Act 1998, who is the subject of personal data.

Data subjects must be living individuals. Deceased persons or limited companies cannot be data subjects.

81A.06  Data

For data protection purposes, ‘data’ covers all recorded personal information held by The Service. An amendment under section 68 of the FOIA extended the meaning of ‘data’ within section 1(1) of the DPA. One effect of the extension to the definition of data is to provide a right of subject access to records that are not automated e.g. manual files, even though they do not form part of a relevant filing system or accessible record, but consist of unstructured personal information held in manual form. [note 3]

81A.07  Data controller

A ‘data controller’ means a person who either alone or jointly or in common with other persons determines the purposes for which and the manner in which personal data are being, or are to be, processed. On this definition official receivers are data controllers in respect of the personal data they control held on The Service’s computer system and in manual records. The official receiver is a data controller in respect of the data belonging to bankrupts where he/she is acting as receiver and manager or trustee, and in partnerships and companies where he/she is liquidator. The Department for BIS is the data controller in respect of all other personal data processed by The Service, whether in manual files or on computer systems.

81A.08  Processing

This is defined as obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data. This includes word processing as well as displaying or printing an individual’s computerised accounting records. It also includes disclosure of information and destruction of data and therefore covers virtually every activity in relation to data.

 

81A.09  Data processor

A ‘data processor’ is any person (other than an employee of the data controller) who processes data on behalf of the data controller. The Service uses a number of third parties in carrying out its functions. As long as the third party merely acts on the instructions, or on behalf, of the data controller, and does not determine the purposes for the processing of the data, then it is classified as a data processor. A data processor has no statutory obligations under DPA (in respect of the processing) and is not required to notify the IC of its activities. Data processors are required to comply with the same requirements with respect to the security and processing of personal data as the data controller and should act only on the instructions of the data controller, and these obligations must be set out by contract between the data controller and the third party.

 

81A.10  Notification of data controllers

Data controllers are required to notify the IC of their name and address, a description of the personal data and the categories of data subjects to which they relate, purposes for which the data are processed and intended persons to whom disclosures of personal data may be made in respect of all personal data which they process by computer (the ‘registerable particulars’).

Notification must also be made regarding intended transfers of personal data outside the European Economic Area. The data controller must also provide a description of the security measures taken to protect the personal data. This information will not appear on the register of data controllers. There is also a duty on data controllers to notify the IC of any changes to the register information. If a data controller processes data without the required notification, he/she is guilty of an offence and, under the new enforcement regime, may be subject to a fine.

The register of data controllers is open to public inspection at the Commissioner’s office or from the website free of charge. Certified copies of register entries are issued for a small fee.

The FOI/DPA Compliance Manager in the FOI/DPA Team maintains The Service’s registrations of official receivers as data controllers. Where an assistant official receiver is temporarily fulfilling the role of an official receiver (for an extended period of absence by the official receiver) the FOI/DPA Team in Technical Section should be notified to enable registration of the temporary post holder with the ICO.

 

81A.11  Rights of data subjects

Upon making a request in writing (which includes transmission by electronic means) and providing such information as might be requested by the data controller so that he can satisfy himself as to the identity of the individual making the subject access request, an individual is entitled: [note 4]

  • to be told by the data controller whether they, or someone else on their behalf, is processing that individual’s personal data; if so
  • to be given a description of the personal data, the purposes for which they are being processed and to whom they are or may be disclosed,
  • to be told in an intelligible manner of all the information which forms any such personal data and any information available to the data controller as to the source of the data.

In addition, the data subject must be supplied with copies of the information in a permanent form, except where the supply of such a copy is not possible, would involve disproportionate effort or the data subject agrees otherwise.

There is no definition of what disproportionate effort is but guidance suggests that the costs of providing the information and the time it will take must be weighed against the effect that not supplying it will have on the data subject.

In cases of doubt, the official receiver should refer to the FOI/DPA Team for guidance. Unlike the FOIA, DPA does not give the data subject a choice as to how the information requested is to be provided.

 

81A.12  Personal data in manual files

Originally, the right of subject access to personal data provided by DPA was limited to information processed or intended to be processed automatically (i.e. by computer) and to information recorded in a manual file that fell within the definition of a ‘relevant filing system’.

From 1 January 2005 FOIA introduced new provisions into the DPA, extending the definition of data to include ‘recorded information held by a public authority’. This includes all data held and processed manually even if it does not form part of a relevant filing system. [note 5]

FOIA further amended the DPA introducing specific provisions for the exercise of the right of subject access to this new category of manually held personal data. The intention of the section is to limit the obligation on public authorities to one of providing access to manually held personal data which can be found with reasonable endeavours. Section 9A introduces a sub-division into the category of manually held personal data, dividing it into structured and unstructured information. [note 6]

 

81A.13  Unstructured manual data

Unstructured personal data means any information that is not recorded as part of any set of information structured by reference to individuals or criteria relating to individuals. Subject access to such unstructured information is restricted in two ways:

  • subject access will not be given to unstructured information unless the applicant expressly describes the information requested;
  • even if the unstructured personal information has been described, there is no obligation to provide it if The Service estimates that the cost of complying with the request in relation to that data would exceed the appropriate limit. (Charges for unstructured personal information under DPA can be made in accordance with section 12(5) of the FOIA; see chapter 81 Part 4.) [note 7]

 

81A.14  Structured manual data

For personal data to fall into this definition, there must be a set of information with something coherent or defining about the nature of the data which means it may be regarded as a set. The information must relate to living individuals and the set must have an internal structure dictated by reference to individuals or criteria relating to them. However, there is no requirement that the specific information must be readily accessible. Thus, a file arranged in date order would be covered as long as the name of the individual was on the cover or it was referenced by some criteria relating to that individual. An official receiver’s manual files are deemed to be structured information for the purposes of the DPA.

In summary, where the personal data falls into the definition of structured manual data, the public authority dealing with the subject access request must provide all of it. Where the personal information is within the unstructured category, the obligation to provide the information will be subject to the cost limits and reasonable endeavours referred to above.

 

81A.15  Limitations on disclosure of manual data

Much of this new category of manually held personal data is exempt from some of the provisions of the DPA, although the right of subject access to this category of personal data still applies. [note 8]

Disclosure from manual files is limited to the following data protection principles:

  • Principle 4 - personal data shall be accurate and, where necessary, kept up to date,
  • Principle 6 - personal data shall be processed in accordance with the rights of the data subjects under the Act.

Manual data that is not part of a ‘structured filing system’ is exempt from the remaining data protection principles (which are covered in detail in the following paragraphs). Essentially, such manually held information is exempt from most of the data protection principles except those relating to subject access and accuracy of the information.

 

81A.16  The Data Protection Principles

The DPA lays down eight principles, which must be complied with by data controllers in respect of personal data held by them.

1) Personal data shall be processed fairly and lawfully. (Section 33A limitation applies – see paragraph 81A.15)

2) Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. (Section 33A limitation applies – see paragraph 81A.15)

3) Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. (Section 33A limitation applies – see paragraph 81A.15)

4) Personal data shall be accurate and, where necessary, kept up to date.

5) Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. (Section 33A limitation applies – see paragraph 81A.15)

6) Personal data shall be processed in accordance with the rights of data subjects under the Act.

7) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. (Section 33A limitation applies – see paragraph 81A.15)

8) Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. (Section 33A limitation applies – see paragraph 81A.15)

 

81A.17  Fair and lawful processing (First Principle)

This Principle does not apply to unstructured manual data.

In order to comply with the first principle, that the data shall be processed fairly, the data controller must ensure that, so far as is practicable, the data subject is advised of or has made readily available to him:

  • the identity of the data controller;
  • if he has nominated a representative for the purposes of the Act, the identity of that representative;
  • the purpose or purposes for which the data are intended to be processed;
  • any further information which is necessary, having regard to the specific circumstances in which the data are, or are to be processed, to enable processing in respect of the data subject to be fair.

 

81A.18  Schedule 2

In addition, the data controller must have a legitimate basis for processing the data. This involves satisfying one of the conditions set out in Schedule 2 DPA.

Either the individual must have consented to the processing or it must be necessary for any of the following purposes: [note 9]

  • for the performance of a contract to which the data subject is a party;
  • for the compliance with any legal obligation to which the data controller is subject (other than a contractual obligation);
  • to protect the vital interests of the data subject;
  • for the administration of justice;
  • for the exercise of a statutory function, function of the Crown, a Minister of the Crown or a government department;
  • for the exercise of any other functions of a public nature exercised in the public interest by any person, or
  • for the purposes of legitimate interests pursued by the data controller or by the person to whom data is disclosed except where it is unwarranted by reason of prejudice to the rights/freedoms/legitimate interests of the data subject.

There are separate conditions which apply for the processing of sensitive personal data, which should only be processed by the official receiver or action officer insofar as it is necessary for the exercise of a statutory function or for the exercise of any function of the Crown, a Minister of the Crown or a government department or where it is necessary for the purpose or in connection with any legal proceedings or for obtaining legal advice or establishing or exercising or defending legal rights.

 

81A.19  Providing fair processing information to data subjects

The Guide to Bankruptcy and the Guide for Directors will contain details of the identity of the data controller and the purposes for which data is processed. In order to comply with the first data protection principle, it is important to ensure that these guides are provided to all bankrupts and those company directors who are interviewed, or at the time that personal information is obtained from them, if this is earlier. In addition The Service’s website carries a Privacy Statement informing data subjects how The Service collects and uses personal information.

 

81A.20  Further processing (Second Principle)

This Principle does not apply to unstructured manual data.

The First and Second Principles concern the obtaining and further processing of personal data. The Second Principle carries an obligation on the data controller to make known to the data subject the purposes for which the data is required. Essentially the purposes are specified:

  • in a notice given by the data controller to the data subject; or
  • in the data controller’s notification given to the IC.

Official receivers are registered data controllers and therefore the purposes for their processing are part of the notification provided to the IC.

 

81A.21  Adequacy (Third Principle)

This Principle does not apply to unstructured manual data.

The Third Principle imposes an obligation on the data controller to obtain only that information that is necessary for the stated purposes for which processing will take place e.g. information obtained must be relevant and not excessive for the purposes.

 

81A.22  Accuracy of data (Fourth Principle)

This Principle applies to unstructured manual data.

The data must be accurate and, where necessary, kept up to date. This does not impose a duty on the data controller to actively seek new information to update his/her records but if the official receiver becomes aware of some new personal information, for example that a bankrupt has moved, he/she should ensure that the records are amended accordingly. This does not impose a requirement, for example, to amend the bankruptcy description at court but does mean that the Individual Insolvency Register (EIIR) will be updated when the official receiver is notified of a new address. (It is also a requirement under the Insolvency Rules that the last known address appears on the EIIR; rule 6A.4(3)(b).)

The DPA contains no definition for ‘accurate’, but section 70(2) gives meaning to ‘inaccurate’ as being incorrect or misleading as to any matter of fact.

 

81A.23  Retention of data (Fifth Principle)

This Principle does not apply to unstructured manual data.

The Service as a government body must create records that document its official activities and these must be managed in accordance with The Service’s Corporate Policy Statement. The vast majority of The Service’s records will be kept for as long as they meet a business or administrative need and this is formally recognised in a disposal schedule signed by Senior Management and the KIM Team in CWS.

The KIM Team are responsible for ensuring that The Service’s records management policy is used throughout the organisation and by all staff, irrespective of whether they have specialist record responsibilities or not. More information on The Service's policy on records management can be found on the Records Management Homepage of the intranet.

The official receivers’ case records have specific instructions concerning their retention and destruction policy across The Service and this meets legislative requirements of the DPA. These instructions can be found in the Filing Code of Practice available on the intranet.

 

81A.24  Official receivers’ files

Each office creates and maintains its own case files for insolvency cases that are recorded on The Service’s database (ISCIS).

When the case has been closed the (manual) file is sent to an offsite storage facility until its destruction in accordance with the current file retention and destruction policy.

A small number of case files are retained for a longer period or even for permanent preservation if they fall under the ‘public interest’ category.

Company and bankruptcy files that do not fall under the ‘public interest’ category, and where no other reason exists to retain the file e.g. a complaint has been raised or where investigation action has been re-opened, are normally destroyed 5 years from the date of the order, or within 2 years of the completion of the official receiver's administration, whichever is the later. The file is generally deemed to have been completed on the date of the official receiver’s release or the appointment of an insolvency practitioner as trustee or liquidator.

There are exceptions to this rule and staff should refer to the current policies which are covered in Chapter 10 of the Technical Manual in respect of official receivers’ files, and Chapter 118 of the Enforcement Investigation Guide in relation to enforcement and investigation work and investigation in IP cases.

 

81A.25  Data subjects’ rights (Sixth Principle)

This Principle applies to unstructured manual data.

The Sixth Principle states that personal data must be processed in accordance with the rights of the data subject and in particular by reference to the interpretation provisions in Part II of Schedule 1 of the DPA.

In particular the important provisions applying to The Service are that this principle is breached if: [note 10]

  • there is a contravention of the rights of access provisions as set out in section 7 (right of access to personal data). [note 11]
  • there is a failure to comply with a justified request to cease processing under section 10. [note 12]

A data subject, by way of a written notice (‘data subject notice’), is entitled to require the data controller at the end of such a period as is reasonable in the circumstances to stop, or not to begin processing their personal data, if, for specified reasons, the processing is causing or is likely to cause substantial damage or distress to him or another and that the damage or distress is unwarranted. A data subject cannot seek to prevent processing in circumstances where:

  • the data subject has given his consent to the processing,
  • the processing is necessary for the performance of a contract to which the data subject is party,
  • the processing is necessary for compliance with any legal obligation to which the data controller is subject (other than a contractual obligation), or
  • the processing is necessary in order to protect the vital interests of the data subject.

 

81A.26  Compliance with notice

The data controller has 21 days to respond (in writing) to the data subject’s notice. The response should state that he has complied or intends to comply with the notice, or the reasons for not complying and the extent (if any) to which he has or intends to comply. If the individual is still not satisfied, he can apply for a court order. If the court agrees that the notice was justified it can order the data controller to comply with the notice or to comply to such an extent as it sees fit. All data subject notices should be referred to the FOIA/DPA Team immediately on receipt.

 

81A.27  Security measures (Seventh Principle)

This Principle does not apply to unstructured manual data.

The Service’s contractor for computer services is responsible for ensuring that the computer systems are secure and password protection is applied for access to all computer systems, laptops and other electronic portable storage media. Ideally, manual files which contain personal data should be kept in locked cabinets when not in use but, in the absence of sufficient lockable cabinets, official receivers may use alternative storage, provided they are confident that the premises are secure.

All members of staff are responsible for ensuring that the personal data they access, hold or process is not disclosed unlawfully or without authorisation. In particular staff are referred to the Security Notices issued by CWS on handling personal data.

The official receiver’s statutory duty to issue a report to creditors is not affected, even though it will contain personal data. If there is any doubt about whether a particular piece of personal information may be disclosed, refer the matter to the FOIA / DPA Team for advice.

 

81A.28  Transferring data outside the EEA (Eighth Principle)

This Principle does not apply to unstructured manual data.

This Principle states that personal data should not be transferred to a country outside the European Economic Area unless that country has adequate provision for the rights and freedoms of data subjects in relation to the processing of personal data. The purpose of the restriction is to ensure that the protection of data subjects' rights is not lost where their personal information is transferred to countries that are not bound by the Data Protection Directive. [note 13]

There are a number of exemptions to this Principle contained in Schedule 4 of the DPA. In particular the provisions that may apply to The Service are: [note 14]

  • the data subject has given consent to the transfer (sub-section 1),
  • the transfer is necessary for reasons of substantial public interest (sub-section 4(1)),
  • the transfer:
      (a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
      (b) is necessary for the purpose of obtaining legal advice, or
      (c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

  • the transfer is of personal data on a public register and any conditions subject to which the register is open to inspection are complied with by any person to whom the data are or may be disclosed after the transfer (sub-section 7).

In the event that a request is made for information about an individual to be passed to a country or territory outside the European Economic Area (which at the present time consists of 30 member states including Iceland, Liechtenstein and Norway), such requests should be referred to the FOI/DPA Team for specific guidance. Sending out a report to creditors will not be considered a ‘transfer of data’. A transfer would be, for example, if an overseas enforcement agency requested information about an individual.

 

 
