Exemptions to disclosure

August 2012

Part 6 Exemptions to disclosure

81A.60 Exemptions from right of subject access

Some personal data are exempt from the right of access by the data subject and the right to receive the information (the ‘fair processing of information‘) specified in paragraph 2 of Part II of Schedule I (the ‘subject information provisions’). Such exemptions are specified for personal data processed for the following purposes: [note 1]

Section 28 - National security

Section 29 - Crime and taxation

Section 30 - Health education and social work

Section 31 - Regulatory activity

Section 32 - Journalism, literature and art

Section 33 - Research, history and statistics

Section 34 - Information available to the public by or under enactment

Section 35 - Disclosures required by law or made in connection with legal proceedings

Section 36 - Domestic purposes

Section 37 - Miscellaneous exemptions

Section 38 - Powers to make further exemptions by order

Section 39 - Transitional relief (Schedule 8)

In all cases where personal data is not being disclosed because an appropriate exemption/s is engaged the official receiver or section head (or other nominated person) must review all the personal data held and decide what is to be withheld. When issuing a response (with copies of the data being provided), details of The Service’s complaints procedure and right of referral to the IC must be included in the covering letter since a failure to provide this information may lead to an Enforcement Notice being issued against the data controller in the event of a complaint to the ICO.

It is important to note that the existence of the personal data need not be disclosed if its disclosure would prejudice an ongoing enquiry (including cases where another agency is known to be carrying out an investigation) or it contains information about another individual (unless consent has been given or it is reasonable to disclose without consent). In all cases of doubt the FOI/DPA Team should be consulted.

Proforma forms and letters are available from the FOI/DPA Team.

Annex A of this chapter provides an overview of FOI and DPA requests and a flow chart to assist decision making.

Annex E of this chapter provides details guidance for official receivers staff when responding to subject access requests under DPA. The general process described is also applicable to other parts of The Service.

The exemptions available under the DPA that are relevant to The Service are covered in detail in the following paragraphs and in some cases more than one may apply to a request.

81A.61 Section 29 – Crime and taxation

Section 29 relates to personal data processed for any law enforcement or tax collecting function. Personal data are exempt from the non-disclosure provisions if withholding the information would be likely to prejudice any of the following purposes: [note 2]

the prevention or detection of crime,
the apprehension or prosecution of offenders, or
the assessment or collection of any tax or duty or of any imposition of a similar nature,

and are exempt from the first data protection principle (except to the extent to which it requires compliance with the conditions in Schedules 2 and 3) and section 7 in any case to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters mentioned above.

Schedules 2 and 3 set out the conditions that must be met by the data controller for processing of personal information (Schedule 2) and sensitive personal information (Schedule 3).

The relevant conditions within Schedule 2 as they relate to this exemption and The Service are:

sub-section 5 – The processing is necessary for the administration of justice; the exercise of functions under enactment; the exercise of functions of the Crown, Minister of the Crown or government department; the exercise of any function of a public nature exercised in the public interest

The relevant conditions within Schedule 3:

sub-section 6 – The processing is necessary for the purpose of, or in connection with, legal proceeding (including prospective); is necessary for obtaining legal advice; is necessary for establishing, exercising or defending legal rights.
Sub-section 7 (1) – the administration of justice; the exercise of functions under enactment; the exercise of functions under enactment; the exercise of functions of the Crown, Minister of the Crown or government department.

Since The Service does not fulfill any of the purposes under section 29 it is unlikely that any circumstance would exist that would allow the official receiver to use the exemption to obtain personal data from another data controller. This exemption would most likely be quoted by other agencies having law enforcement functions, and where information was being requested from the official receiver (or any other part of The Service).

Legal advice has been received that the official receiver should only disclose information about individuals where expressly required to do so by insolvency legislation (e.g. in the report to creditors) or by the valid engagement of an exemption provided under DPA. For example, if the official receiver is approached by HMRC for information about a bankrupt’s tax affairs, disclosure might be justified under section 29 on the basis that HMRC need the information for the assessment of a tax, provided the conditions set out in Schedules 2 and 3 (conditions relevant for purposes of First Principle – processing of personal and sensitive personal data) of the Act are met.

81A.62 Dealing with requests for information under section 29

Where a request for personal data contained in an Insolvency Service file is received from an agency which is a prosecuting or regulatory authority the official receiver or HoT should request from that agency the following information, in writing, by a senior person, before any personal information or access to a file is provided.

a) Precise details of the personal data being requested and how this supports the stated purpose.

b) The precise purpose or purposes for which the data is required.

c) Details of how the data may be used and who it may be further disclosed to.

d) Precise details of the legislative authority for the request, and/or data protection exemption engaged.

e) Details of the prejudice that may be caused to the purposes stated in b) if the personal data is not provided with the requested data.

f) A statement as to the authority of the person or organisation making the request.

The official receiver or HoT must also be aware that his file may contain details of third parties to whom a duty of confidentiality exists under DPA. Where information is passed to another agency the data controller must consider the disclosure of third party personal information in the same way as if that information were being requested under a subject access request e.g. apply the guidance in paragraph 81A.32

Further information of the application of section 29 may be obtained in the ICO guidance HERE.

81A.63A Disclosures to prosecution authorities - the Landywood case

The position with regard to the disclosure by the official receiver to Prosecution Authorities of statements and other material procured pursuant to the compulsive powers of section 235 of the 1986 Insolvency Act has been clarified by the Court of Appeal in R v Brady (also known as the "Landywood" case).

The Court ruled that once the official receiver is satisfied that section 235 material is required by another prosecuting authority for the purpose of investigating crime he should be free to disclose it without an order of the court or notice to the person concerned and without the need to conduct any balancing exercise to weigh the public interest in disclosure against the public interest in ensuring the co-operation of those involved with the company to effect its speedy winding-up. The Insolvency Act 1986 has now been amended so as to prevent the prosecution from relying on any section 235 material at trial (see what is now section 433 (2) and (3) of the 1986 Act). The satisfactory response to the enquiries set out in paragraph 81A.62 above would provide an appropriate method for the data controller to be satisfied that the processing is for a legitimate purpose and therefore allows disclosure.

The principle decided by case law is also applicable in bankruptcy cases.

A case digest is available HERE.

Requesting personal data by a third party is subject to the exemption provided by section 40(2) of the FOIA where disclosure would breach any of the data protection principles or section 10 DPA. As such if the data controller decides to refuse such a request (in part or in full), then a Refusal Notice under FOI legislation must be issued. The advice of the FOI/DPA Team should be sought for use of the appropriate template.

81A.63 Section 31 – Regulatory activity

Personal data processed for the purposes of discharging relevant functions to which this section applies are exempt from the subject information provisions (see Annex B) in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of those functions. [note 3]

A relevant function is one which is designed for protecting members of the public against:

(i) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate,

(ii) financial loss due to the conduct of discharged or undischarged bankrupts, or

(iii) dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorised to carry on any profession or other activity

A data subject is prevented from seeking access to their personal data if access would be likely to prejudice the proper discharge of functions designed for protecting members of the public against financial loss and misconduct.

This exemption will relate to the official receiver’s / Secretary of State’s functions in relation to unfit directors, bankrupts and insolvency practitioners.

81A.64 Dealing with requests where section 31 may apply

Section 31 is not a blanket exemption from the subject information provisions and is only available to the extent that permitting access to the data or informing the data subject of the purposes for which the data is held would be likely to prejudice the discharge of those functions. For example, if the official receiver is investigating an offence or misconduct or is attempting to trace undisclosed assets, disclosure of the personal data would have to be shown to prejudice those functions. In cases of doubt, guidance should be sought from the FOI/DPA Team (in the case of asset related enquiries) or Enforcement Technical Team (in the case of enquiries relating to ongoing enforcement action).

Further guidance and suitable template is available by contacting the FOI/DPA Team.

81A.65 Section 32 – Journalism, literature and art

Personal data which are processed only for the special purposes (meaning journalism, literature or art purposes) are exempt from the non-disclosure provisions (see Annex B) if:

(a) the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,

(b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c) the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes

Personal data processed for special purposes only are exempt from the subject information provisions and Principles 1 - 6, 8, section 7 (right of subject access), section 10 (right to prevent processing likely to cause damage or distress), section 12 (rights in relation to automated decision taking) and section 14(1) to (3) (rectification etc of inaccurate data) subject to the processing satisfying specific conditions e.g. the information is relevant to the publication in question or the information has been designated by the Secretary of State by order, for the purposes of this subsection. [note 4]

For the purposes of the DPA ‘publish’ in relation to journalistic, literary or artistic material, means to make available to the public or any section of the public.

The Service may receive requests for information from journalists, researchers and others seeking information under this exemption. All such requests should be referred to the FOI/DPA Team for specific guidance on releasing personal data.

81A.66 Section 33 – Research, history and statistics

The processing of personal data for research (including historical or statistical) purposes are exempt from various provisions of the Act subject to meeting various conditions. [note 5]

Research purposes’ includes statistical or historical purposes; the relevant ‘conditions’, in relation to any processing of personal data, means the conditions:

that the data are not processed to support measures or decisions with respect to particular individuals, and
that the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.

The Service may receive requests for personal data from researchers and others under this exemption. All such requests should be referred to the FOI/DPA Team for specific guidance on releasing personal data.

Requesting the personal data by a third party is subject to the exemption provided by section 40(2) of the FOIA where disclosure would breach any of the data protection principles or section 10 DPA. As such if the data controller decides to refuse such a request (in part or in full), then a Refusal Notice under FOI legislation must be issued. The advice of the FOI/DPA Team should be sought for use of the appropriate template.

81A.67 Section 34 – Information available by or under enactment

Information made available to the public under an enactment are exempt from the subject information and ‘non-disclosure provisions’ (basically the 1st, 2nd, 3rd, 4th & 5th Data Protection Principles and section 10 and section 14 (1) to (3)) to the extent to which they are inconsistent with the disclosure in question (e.g. where disclosure is in the public interest) an example of this is the Individual Insolvency Register. [note 6]

Staff must be aware that where a request is received for information that is publicly available similar consideration to the request must be applied as when considering the FOIA exemption 21 (see Chapter 81, paragraph 81A.45) e.g. the definition of ‘reasonably accessible’.

Further guidance and suitable template is available by contacting the FOI/DPA Team.

81A.68 Section 35 – Disclosures made in connection with legal proceedings

Disclosures required by law or by any order of a court is exempt from the non-disclosure provisions as are disclosures that are necessary for the purpose of legal proceedings or obtaining legal advice. This exemption provides a means by which third parties may request information from The Service, or allows a third party to disclose information to The Service if certain conditions are met. [note 7]

Section 35(1) provides that disclosure required by law (for example a disclosure order made by a court or a specific legislative provision) should be complied with.

Section 35(2) provides that disclosure for the purpose of obtaining legal advice or taking legal proceedings is discretionary. It will be for the data controller to make the decision on disclosure based on whether disclosure is justified based on the balance of interests between the rights of the data subject (right to confidentiality under Schedule 1 DPA), and the legitimate interests of the requesting party (legitimate interest under Schedule 2(6) DPA).

81A.69 Disclosure of personal data to third parties

The second data protection principle states that ‘personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes’. Processing includes disclosure. It is also necessary to ensure that the first data protection principle is not breached (see paragraph 81A.17). It should be noted, however, that this does not apply to unstructured personal data. Any third party requesting information must have a legitimate basis for the processing. This involves satisfying one of the conditions set out in Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data), and these conditions are unlikely to be met by third parties who are individuals. The Service must ensure that that the third party fulfils at least one of the conditions in Schedule 2 before personal data is disclosed. Where any doubt exists the request should be referred to the FOI/DPA Team for advice. [note 8]

Further guidance and suitable template is available by contacting the FOI/DPA Team.

81A.70 Requesting personal information from third parties

Other data controllers will be under the same constraints as The Service when dealing with requests from our official receivers and investigation teams to disclose personal data they hold.

In the first instance the official receiver or HoT should ask the data subject to sign an authority (consent to disclosure). This can then be used in conjunction with requests for information from the other data controller. If consent is refused or cannot be obtained, and the official receiver or HoT has reason to believe that a section 35 exemption can be applied, he/she should write to the third party quoting this section in the request for information. This exemption must only be used on cases that are on the official receiver’s investigation registers or under active investigation by an investigation team as the exemption only applies to investigations in connection with prospective legal proceedings, or obtaining legal advice prior to those proceedings.

When requesting information from third parties using the section 35 exemption the information request will need to provide the same type of information as listed in paragraph 81A.61.

A template for requesting personal information under this section is available HERE.

81A.70A Gambling and the (Gibraltar) Data Protection Act 2004

Where a bankrupt has used an online casino based in Gibraltar for gambling the official receiver may need to make enquiries with them. There the 19 registered on-line casinos that operate in Gibraltar, 18 are registered as data controllers with the Information Commissioners Office of Gibraltar.

The (Gibraltar) Data Protection Act 2004 provides a legislative basis that enables an official receiver to obtain personal information about a bankrupt from a casino registered in Gibraltar, when the consent of the bankrupt has been given. The request for information must be signed by the bankrupt concerned, and any failure by the casino to respond by providing the information requested within 28 days would enable a complaint to be referred to the (Gibraltar) Information Commissioner. A request letter has been produced for this purpose and is provided HERE[#33], the letter must be adapted for the particular case and signed by the bankrupt.

Examiners should use the business/trading address and contact name (if available) and the business email details to submit their enquiries to the casino, details are provided in. spreadsheet [#35] The original consent letter should be scanned and attached to an email (together with a scan of the bankruptcy order). The consent letter should be on unheaded paper, as it is in effect a request being made by the bankrupt. The bankrupt’s signature, address, account ID and the bankruptcy order should be sufficient information from which the casino can be satisfied as to the bankrupt’s identity.

The (Gibraltar) Data Protection Act 2004 requires that the data controller (the casino) must provide a written response within 21 days, confirming that they hold personal data, and provide copies of all the information requested within 28 days. If a casino does not respond positively to the response the examiner should refer to the FOI/DPA Team who can assist in referring the matter to Gibraltar’s Information Commissioner under the Dispute Resolution Process.

Where a bankrupt is uncooperative or unavailable to sign the consent letter, official receivers should consider enforcement action under section 366 IA86 to obtain the bankrupt’s consent.

81A.70B Gambling and Channel Island based casinos

Where a bankrupt has used an online casino based in the Channel Islands (CI) for gambling the official receiver may need to make enquiries with them to obtain personal information in support of a potential BRO allegation or evidence of the cause of insolvency.

It should be noted that the CIs consist of two separate administrations (Bailiwicks), each with different administrations and legislative provisions. The two administrative Bailiwicks are:

Bailiwick of Guernsey, consisting of Guernsey, Alderney, Herm, Jethou, Brecqhou, Burhou, Lihou and Sark.

Bailiwick of Jersey, consisting of Jersey and a small group of uninhabited islands.

Both Bailiwicks have their own data protection legislation based on the provisions found in the UK Data Protection Act 1998. The Bailiwick of Guernsey legislation is called The Data Protection (Bailiwick of Guernsey) Law 2001. The Bailiwick of Jersey legislation is called the Data Protection (Jersey) Law 2005.

The data protection legislation is very similar for both Bailiwicks and is based on the UK legislation. Official receivers can use the template texts listed below to request personal information quoting the correct legislative authority. Where possible the bankrupt should be requested to sign the consent and this can be scanned and sent to the data controller at the casino. A scanned copy of the bankruptcy order should be included with the request for information.

Where consent cannot be obtained official receivers can seek to engage the exemption provided under section 35(2) of the DPA.

Guernsey (and other CIs in this Bailiwick) casinos - data subject consent (to be signed by bankrupt) is available HERE[#36].

Guernsey (and other CIs in this Bailiwick) casinos – information request (engaging section 35) is available HERE[#37].

Jersey based casinos – data subject consent (to be signed by bankrupt) is available HEREl#38].

Jersey based casinos – information request (engaging section 35) is available HERE[#39].

In the event that a casino fails to respond to a request, or refuses to provide the information requested, the matter should be referred to the FOI/DPA Team for advice. In particular where a bankrupt’s consent has been obtained the matter may be referred to the Information Commissioner using a template text available from the Team.

Where a bankrupt is uncooperative or unavailable to sign the consent letter, official receivers should consider enforcement action under section 366 IA86 to obtain the bankrupt’s consent.

81A.71 Enforcement action (UK based data controllers)

There are no provisions in insolvency legislation which entitle the official receiver to require a third party make disclosure to him/her, so that if the third party is still unwilling to provide the information requested the official receiver should consider obtaining an order from the court under section 366(1) of the Insolvency Act 1986 requiring the disclosure of information.

81A.72 Requests to HMRC

In most cases a bankrupt signs a form of consent (TNIDIS) to enable the official receiver to obtain personal details about the bankrupt’s tax affairs where necessary. The original signed consent is usually forwarded to the tax office and enables HMRC to disclose details of a bankrupt’s tax affairs in support of the official receivers enquiries. The disclosure authority is limited at present to disclosures ‘within bankruptcy’ and HMRC will usually refuse requests for information after the bankrupt’s discharge.

In cases where a bankrupt has been discharged or is not willing to sign the consent, the official receiver should consider writing to HMRC quoting section 35(2) DPA provided the case is on the investigations register.

HMRC may still refuse to provide the information where the legislation under which they operate does not permit disclosure.

Where information is still refused the official receiver should first consider enforcement action against the discharged bankrupt under section 366 of the Insolvency Act 1986. Alternatively, the official receiver could consider an application under section 369 of the Insolvency Act 1986 for an order of production against HMRC.

81A.73 Other exemptions

Personal data are exempt from various other provisions of the Act but are unlikely to have any application to The Service. These include:

Disclosure required for the purpose of safeguarding national security. [note 9]

The Secretary of State may, by order, exempt certain personal data required for the purposes of health, education, social work from the subject information provisions or modify those provisions in relation to this personal data. [note 10]

Data processed by an individual only for the purpose of his personal, family or household affairs. This includes the rights of subject access and notification requirements. [note 11]

Other exemptions from provisions of the Act are found in Schedule 7 and include confidential references given by (but not where they are received by) the data controller, judicial appointments and honours, Crown or Ministerial appointments, management forecasting or planning, negotiations, corporate finance, legal professional privilege and self-incrimination. [note 12]

81A.74 Other disclosures

Guidance on disclosure of various types of information is given in Chapter 47, but this should be read subject to the guidance in this chapter whenever the disclosure relates to personal data.

81A.75 Sale or disposal of computer equipment

This information should be read in conjunction with Technical Manual paragraph 66.49 – Destruction of computer equipment and imaged copy media.

Where the official receiver intends to dispose of computer equipment which he/she is aware contains personal data, he/she should, unless the disposal takes place as part of a sale of the data, ensure that the personal data is permanently erased from the equipment prior to the sale. In order to remove all traces of data from the system it is necessary to use a special process - it is not sufficient to simply delete the files. In the first instance the CWS security team should be contacted for advice.

The Service are in the process of arranging contracts with a specialist contractor who will be able to carry out data deletion/destruction/recycling work to the required specification for all digital media collected from insolvent estates.

Digital media that has been sent to off-site storage with other books and records should remain in such storage until the destruction date set for the records. At the time when the official receiver instructs the storage contractor to destroy the records, and he/she is aware that digital media is contained in the records stored, the advice of the CWS must be sought.

[Back to Part 5 – Limits and restrictions]

Further Information

Notes to Part 6