Data Protection (Partial) Good News for Insolvency Practitioners

Re Southern Pacific Personal Loans Ltd [2013] EWHC 2485 (Ch), [2013] All ER (D) 63 (Aug)

After a company had entered voluntary liquidation, liquidators were appointed. The company continued to receive subject access requests (SARs) under DPA 1998. The cost of processing these applications was depleting the funds available for distribution. The liquidators applied to the court for declarations as to their responsibilities under DPA 1998 in their role as liquidators for the company. The Companies Court decided the liquidators were not data controllers within the meaning of DPA 1998, s 1(1) in respect of the data processed by the company prior to its liquidation and, subject to certain qualifications, the liquidators could dispose of all personal data in respect of which the company was the data controller, so long as the disposal was effected in a manner which complied with DPA 1998.

Frances Coulson and Graham McPhie of Moon Beever look at this case and ask how it might affect office holders subject to SARs in future.

How does the Data Protection Act affect insolvency practitioners?

The Data Protection Act 1998 imposes many obligations upon those who collect, store and process data from which an individual can be identified. Not only are there obligations on the security, use and time period for the data, but an individual is also entitled to details of the data held relating to him or her. Where does this leave an office holder?

What happened in this case?

Southern Pacific went into voluntary liquidation after Lehman Bros opted to close it in 2007. Liquidators were appointed. The company continued to receive data subject access requests (many surrounding mass PPI claims), the cost of processing which was depleting the funds available for distribution. It can be readily understood why the liquidators would want there to be no depletion in the funds in the estate, but how is this to be balanced against the interests and rights of the individual regarding any data held?

The liquidators applied to the court for declarations as to their responsibilities under the Data Protection Act 1998 in their role as liquidators for the company. The Companies Court held that the liquidators were not data controllers within the meaning of s 1(1) of the DPA in respect of the data processed by the company prior to its liquidation and, subject to certain qualifications, the liquidators could dispose of all personal data in respect of which the company was the data controller, so long as the disposal was in a manner which complied with the DPA; in other words, confidential disposal.

What was interesting about this case?

Great weight was attached to the fact that the liquidators are agents of the company and that no company property vested in them. Furthermore, the 5th Data Protection Principle states that "Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes." What was clear was that there was no need for the data to be kept other than for two possibilities. The first was to retain sufficient data to enable it to deal with any access requests made pending destruction, and the second was to enable it to deal with any claims that were to be filed as proofs of debt in the liquidation. In considering this, David Richards J ordered the liquidators to advertise for claims to be made in the liquidation and for proofs of debt to be filed within a given time period. In the meantime, any access requests would have to be dealt with. This would allow a period for requests before confidential destruction of records. As the 5th principle is non-specific about how long is ‘necessary’ in a given case, practitioners may still consider it advisable to seek court direction as to the practicalities.

What should office holders do going forward?

Office holders on company appointments who find themselves in possession of personal records in all sorts of businesses can dispose of them and not fall foul of the DPA, provided that disposal is dealt with properly and securely. If records do exist, the office holder has to consider the justification for retaining data and whether it is necessary to do so. Data should not be kept for longer than is necessary. For example, where it is too early in investigations to destroy records, or where the insolvent estate is a firm of solicitors trading as an LLP with client files, other duties may dictate retention of the data, and if the records exist, presumably subjects can still seek access, which the company must comply with through its liquidator as agent, at the company's expense. Likewise, if the data has been processed by the liquidator post-liquidation, the liquidator may become a data controller. In some circumstances a practitioner may wish to sell data as an asset in the estate and should in any event look at the ability to do that under the company's DPA licence.

One aspect that needs to be considered is the position of a trustee in bankruptcy. This case gives no guidance in that area, as it did not need to do so, but the weight attached to the fact that there was no vesting of the estate in the liquidator must be considered. In bankruptcy, of course, the data will have vested in the trustee and so it must follow that the trustee is a data controller. Some comfort can be taken from the fact that the court does give guidance and reinforces the 5th Data Principle of not keeping data for longer than necessary, but a trustee would need to consider, at the early stages of an appointment, how the data in his or her possession should be dealt with, how long it should be retained and, depending on the nature of the data and the potential claims in the estate, what would be the appropriate notice period to give for claims before that data is destroyed.

 

 

 
