The Data Protection Act is widely drafted and complex legislation aimed at protecting the privacy of people in the UK. It is legislation that affects insolvency practitioners and this email just gives information about the Data Protection Act in relation to insolvency practitioners.
The Data Protection Act requires every data controller (ie organisation, sole trader) who is processing personal information to register with the Information Commissioners Office (ICO). This is a straightforward process that can be done online at https://ico.org.uk/for-organisations/register/.
There are exemptions from the requirement to register with the ICA but insolvency practitioners are extremely unlikely to be able to rely on these exemptions. Dear IP 49 advised in 2000 that IPs ‘may’ be data controllers but the understanding of the Data Protection Act has since developed. It is understood that regulators expect insolvency practitioners to be registered as data controllers with the ICO.
‘Personal information’ is any information about an individual that could be used to identify that individual. Insolvency practitioners will have such personal information about many people including directors, sole traders who are also debtors or creditors, employees and people with financial problems who have sought advice about bankruptcy or individual voluntary arrangements. The personal information concerned is that held, or intended to be held on computers or in a filing system.
Those dealing with personal information in this way must follow the eight ‘data protection principles’ of ensuring that the information is:-
- Used fairly and lawfully
- Used for limited, specifically stated purposes
- Used in a way that is adequate, relevant and not excessive
- Kept for no longer than necessary
- Handled according to Data Protection legislation
- Kept safe and secure
- Not transferred outside of the UK without adequate protection
There is sometimes confusion about the need to obtain the consent of an individual to the holding of personal information. Consent is indeed part of the ‘fairly and lawfully’ principle but consent is not necessary if processing the personal information is necessary for compliance with a legal obligation of the data controller or the exercise of any function conferred on any person by any enactment.
All insolvency practitioners can check their systems to ensure that personal information is properly managed and that their staff are aware of the requirements of the Data Protection Act and how it could affect their work. Particular reference should be given to whether people are told why their personal information will be held and whether systems are in place to make sure that information is not kept for longer than necessary. It is difficult to come up with a convincing reason why employees’ home addresses should be kept after a case has been closed, for example.
The Data Protection Act also gives an individual the right of access to personal information about him or herself that is held by a data controller. The only exception to this is if the information involves a third party, in which case the consent of the third party is needed to disclose the information although the Criminal Justice and Data Protection Regulations 2014 now give data controllers the right to refuse to provide personal information if the refusal is necessary to avoid obstructing a legal enquiry or procedure.
It is suggested that particular care is taken to comply with the principles of using personal information in a way that is adequate, relevant and not excessive and ensuring that it is accurate. The opinion of your manager about a delinquent director may be amusing but if it is on email or on file then the director is likely to have the right of access to it. It may be possible to claim that personal information about a director that was used for a CDDA report should not be disclosed as to do so would obstruct a legal enquiry. Insolvency practitioners would however be best advised to avoid the need to rely on this uncertain defence.
The Data Protection Act is particularly complex legislation and this email just gives an outline of the sections that are of particular relevance to insolvency practitioners.
Caroline Clarks insolvency career started over 30 years ago and since 1994 RMCS has been handling insolvency compliance, specialising in regulation and compliance.
Contact: Caroline Clark
M: 07854 967976