Part 4 Handling personal data
The official receiver will only incur responsibilities under the DPA for the personal data held by an insolvent company or bankrupt where the bankrupt, company or company director is a ‘data controller’ of that data under the DPA. It should be noted that an individual, company or company director may not be registered with the ICO as a data controller, but will still have the responsibilities as the controller of personal information i.e. they would be the de facto data controller without registration with the ICO, and these responsibilities under DPA devolve to the official receiver.
References to data will include records of employment for ex-employees of the insolvent, and in relation to personal data, obtaining or recording the information contained in the data will be considered as processing of the data.
The definition of processing is very broad, and it is therefore likely that the official receiver would be deemed to be the person processing the data by virtue of his appointment. On appointment as liquidator of a company, the official receiver will become the data processor for any personal data held by the company. On the making of a bankruptcy order the official receiver will become the data controller for personal data held by the bankrupt.
For the purposes of complying with the DPA the official receiver should treat sub-contractors and casual employees of insolvents in the same way as employees since the DPA makes no distinction as to the employment status where personal data is held.
Where the official receiver has collected employee records (with or without trading records) he becomes the data controller and is therefore responsible for meeting the requirements of the DPA with regard to the processing, storing and destruction of personal data. Assuming the trading records (and/or employee records) are in off-site storage, The Service is conforming to the requirements of the DPA in both the security and destruction of those records. However, consideration must be given to Schedule 1(5), which states that personal data shall not be kept for longer than is necessary for the original purpose. Destruction of such data will need to be considered as soon as the purpose for which it was obtained is finished.
While the official receiver is holding employee records, Redundancy Payments Service and HMRC may have legitimate requirements to access those records, but once HMRC has been notified of the intention to destroy the records the storage company can be instructed to destroy the records as part of the normal file destruction procedure.
In the case of a company, whilst the corporate personality of a company and the majority of its powers would remain unaffected (including that of being the data controller), the control of the company passes from the directors to the official receiver. An important task of a liquidator is to take custody, or control, of all the property to which the company is, or appears to be, entitled. This includes a duty to immediately take possession of the company books, deeds and documents.
Any personal data held by a company prior to insolvency should not be left in the control or custody of the director/s of the company following the winding-up order. Whilst the company may remain as the data controller, the official receiver will be regarded as the data controller (with the same obligations under DPA) pending any appointment of an insolvency practitioner as liquidator, whether or not he/she chooses to take any positive action with regard to that personal data.
In the case of personal insolvencies the official receiver acts as a receiver and manager of the bankrupt's estate until the trustee in bankruptcy is appointed. The official receiver’s appointment prevents the bankrupt dealing with any assets in the estate, and the official receiver has a duty to protect the estate pending the appointment of the trustee.
Where the official receiver is acting as receiver and manager and becomes aware that an insolvent has held personal data (including employment records), the insolvent will no longer be the data controller and the data will instead be covered by the official receiver’s registration for the duration of his appointment. Accordingly, the official receiver must comply with the Data Protection Principles, by ensuring that all the personal data is collected from the insolvent and dealt with in compliance with the DPA. This must happen irrespective of whether other (trading) records are collected or left in the control of the insolvent.
In all the scenarios above advice should be sought from the FOI/DPA Team where necessary.
Changes brought about under the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE) mean that in some instances a new business may adopt the employment contracts of employees of an insolvent company. Further details of the arrangements under TUPE may be found in Chapter 4 of the Technical manual.
In the event that a transfer of employment contracts takes place under the TUPE Regulations, employee records should be passed to the new trading company or business. Such transfer conforms to the requirements of Schedule 2 of the DPA. [note 1]
Many businesses maintain customer and supplier information in computerised systems in spreadsheets or database format. A database may be an asset in the insolvency even though it will contain personal data. Where a business is insolvent the DPA will not prevent the sale of a database containing the details of individual customers, clients or suppliers providing certain requirements are met. The official receiver must draw the potential buyer's attention to their obligations as a data controller under the DPA when purchasing personal data.
When personal data covered by the DPA is collected from individuals it must be made clear to them what it will be used for. When a database is sold, the seller must make sure that the buyer understands that they can only use the information for purposes similar to those for which it was originally collected, e.g. any use of the personal information should be within the ‘reasonable expectations’ of the individuals concerned. For example, if the database contains information obtained for insurance, the database should only be sold to another insurance-based business providing similar insurance products. Selling it to a business for a different use is likely to be incompatible with the original purpose and likely to go beyond the expectations of the individuals.
The buyer of any database should be made aware that they can only use the personal data in line with the purposes for which it was originally collected. They need to know what these purposes were when they buy the database.
If the buyer wants to use the personal data for a new purpose, they will have to get consent for this from the individuals whose personal data is contained in the database.
The buyer of the database is required to make sure that all the affected individuals are told who now holds their personal data (the new data controller). This should be done as soon as practicable, giving contact details for the new data controller and confirming that the personal data will only be used for similar purposes. If the buyer wants to use the data in a new way then this will also provide an opportunity to ask individuals for their consent.
The buyer of a database often wants to use it to send marketing material. Whether they will be able to do so will depend on the basis on which the personal data was collected. The general rule is that unsolicited marketing can be sent to individuals where they have agreed to this or where this is within their reasonable expectations. For example, if an individual goes on holiday with a particular travel company then it is reasonable for that company to send brochures advertising similar holidays the next year, unless the individual has made clear that they do not wish to receive such marketing. Therefore, the buyer should check the basis on which the information was collected and whether any of the individuals have objected (opted out). The buyer should also establish whether the individuals would only expect to receive marketing via a particular medium, for example by mail.
When the buyer (new data controller) has established that they can use the personal data for marketing, the buyer should only market products and services which are similar to those that have been marketed previously.
The DPA requires that any personal data held should be adequate, relevant and not excessive, and that it should not be kept for longer than is necessary. The new owner of a database must decide how much of the information they need to keep. Any unnecessary personal data should be deleted. Personal data should not be held simply on the basis that it might become useful one day.
Some insolvents hold contracts with Primary Care Trusts (PCT) or other data controllers who are responsible for sensitive personal information as defined by the DPA. Examples include doctors, dentists, private ambulance service providers etc. Where the insolvent’s trading records include medical records or medical information, the data controller for these records is the PCT and official receivers must notify the local PCT immediately that the records exist. Medical records and information belong to, and are the responsibility of, the PCT. Where trading records have been collected from an insolvent, and these contain sensitive personal data, the PCT must be advised and requested to collect the records. In the event that the records are not collected, storage of such records at the official receiver’s off-site storage contractors will meet the security, storage and retention requirements of the DPA.
Where an insolvency practitioner is subsequently appointed trustee of the bankrupt’s estate or liquidator of the company or partnership, the official receiver should make them aware of the existence and nature of any personal data held by the insolvent. The insolvency practitioner will need to have his own notification under the DPA to deal with the data.