A balancing act – navigating GDPR in insolvency

In a post-GDPR world, where businesses and individuals have a heightened awareness of data, a question we are frequently asked by our insolvency practitioner ("IP") clients is essentially "Are we covered on data?" This article considers what an IP's role is in respect of data protection, some of the issues which arise when IPs have to balance the interests of creditors with those of data subjects and provides some practical considerations for IPs when managing personal data.

Types of Data and Data Controllers 

Upon appointment, an IP is responsible for reviewing, managing, dealing, securing and sometimes transferring the personal data of the Company. GDPR has broadened the definition of personal data to include online and device identifiers, IP addresses and cookie IDs.Broadly there are two capacities in which IPs are managing data:

1. Company's Data: the IP acts as agent for the data controller, much in the same way that the directors of the Company acted as the Company's agents. The Company therefore remains as the data controller following its insolvency (Re Southern Pacific Personal Loans Limited [2013] EWHC 2485 (Ch)).

2. Administration Data: An IP and employees of their firm will bedealing with creditors' information generated throughout the course of their appointment. Who acts as data controller in respect of this data seems to be approached differently across the market. We have reviewed privacy policies published on websites for 6 major accountancy firms in respect of how data will be processed in a corporate insolvency. Each firm approached the analysis of data controller and data processor for the purposes of Administration Data differently. The most cautious approach would be to consider the IP or the IP's firm as the data controller, but whatever approach is taken, it is critical to be entirely transparent with all creditors in respect of the privacy policy governing the use of their data and ensure that all relevant obligations are complied with.

Selling a Marketing Database 

A customer marketing database can be one of the most valuable assets of the Company; therefore a significant offer for such a database will be given substantial consideration. Balancing the interests of creditors with those of the underlying data subjects when considering such an offer can often be challenging for IPs. From a data protection perspective, consideration should be given to the reasonable expectations of the individuals whose personal data formed the marketing database when the individuals signed up to receive marketing from the Company. For example, an individual who has signed up to receive marketing emails from a now insolvent insurance company is unlikely to expect (or have given consent where required) to receive marketing materials from a firm asking them whether they want assistance with a claim against said company or against the Financial Services Compensation Scheme.

Recent guidance from the Information Commissioner's Office ("ICO") suggests that a marketing list of a Company should only be sold to an organisation to use it for the same purpose for which the data was collected. Practically, from an IP's perspective, the risk of selling to an organisation with a different purpose can be mitigated to a certain extent, by making clear to the purchaser that the marketing database can only be used for the same purpose for which it was collected by the Company. The purchaser will therefore need to obtain their own consent from the data subjects (or otherwise secure their own lawful basis) in order to market to them for a different purpose. But IPs should note, this is not a risk-free approach and the ICO could decide to take action particularly where there is any doubt about whether the purchaser intends to use the data to continue the same business or if the proposed use of the data is otherwise not fair, lawful or transparent.

Data Breaches, Marketing and Subject Access Requests

If a data breach occurs during an IP's appointment, the IP will take on the compliance role of dealing with those breaches. This may include having to carry out an investigation into the breach, taking appropriate mitigating actions and notifying the ICO and the data subjects involved. With regards to historic Company breaches, the IP is only likely to be required to take action (or even be aware of the historic breach) if a complaint is made during the time of the appointment. The ICO has the power to award material fines against the Company, but it does seem difficult to imagine a scenario where the ICO would enforce against an IP personally for failure to properly deal with a historic Company breach during their appointment. The more immediate risk for an IP would, in our view, be reputational.

The Privacy and Electronic Communications Regulations were updated in January 2019 to reflect changes made by GDPR, specifically addressing the rules around electronic marketing. Officers of an infringing company can be held personally liable for breaches of these regulations. Whilst these regulations have not been specifically tested in respect of IPs, the personal liability of "officers" would seem to increase the risk for IPs, even when acting as agents for the Company. Therefore, marketing activity carried out on behalf of the Company which continues to trade post-appointment should be considered very carefully.

With the heightened awareness around data protection, it is foreseeable that an IP could receive an increased number of subject access requests ("SAR") or other rights requests for Company data or Administration data, in particular from disgruntled employees, directors or creditors. Destroying or changing data when a SAR is received is a criminal offence. There is a strict (albeit extendable in limited circumstances) deadline to reply to a SAR, being one month from the day after the request has been made (instead of 40 days under the old legislation). Whilst there is clearly a cost implication for the administration in addressing a significant number of SARs, this must be balanced with the risk of an ICO fine for non-compliance, which may rank as an expense in the administration, although the treatment will very much depend on the facts of each case. Whilst Re Southern Pacific touched on this point, it did not specifically address whether an IP would be personally liable for non-compliance.

Practical Tips 

Active Management and Governance of Data – during the pre-appointment stage you should carry out as much due diligence as time permits on the Company's data protection position. Establish what personal data the Company holds, where it came from, the basis for processing the data it has and whether there have been any data breaches. This will give you an overview as to the Company's current GDPR health status. As soon as possible after appointment, you should restrict access to the Company data to those that need access to it (think about who can still log on to the Company's IT system) and ensure that all data is kept secure when on Company premises and when you travel. In respect of Appointment Data, be alive to the need to demonstrate compliance, communicate clearly with data subjects, keep adequate records of what personal data is collected, the lawful basis for processing it, how long it is retained and considerations if it is transferred outside of the EEA. Ensure your staff are trained and that you have appropriate policies and processes in place.

Subject Access Requests  – As soon as possible following appointment, establish whether any SARs or other rights requests have been received prior to or since the appointment. Make sure that you are able to recognise a SAR, they can come in any form (such as email, letter, over the phone, via social media). There is no longer any right to charge a fee for dealing with a SAR. Note that marking something as confidential or private does not make something exempt from disclosure under a SAR, for example commentary about an individual employee among the IP team in the context of redundancy or cooperation with the IP. This includes all statements made about people involved in the insolvency. There are a number of exemptions to disclosure under a SAR but you may be required to set out why certain documents have not been disclosed if the data subject requests it, therefore ensure you consider the disclosure process properly.

Selling a Database – Be aware of the balancebetween the best interests of the creditors and the rights of the data subjects. Make it clear to the purchaser that they are responsible for obtaining their own consent to send marketing communications where applicable. Ensure that your sale agreement places the onus on the purchaser to notify the data subjects that they are the new data controller of their personal data as soon as possible and indemnifies the IPs and the Company in respect of breaches of data protection legislation. Our experience is that whilst robust provisions are usually included in the sale agreement this is the area where a purchaser's lawyer often seeks to reduce the obligations and care is needed.

Disclosure and Data Breaches – Carefully consider disclosure of creditor information, including the content of your proposals and progress reports at Companies House. Only set out what information you are required to provide under the Insolvency Act 1986 and the Insolvency Rules (England and Wales) 2016. Whether in respect of Company data or Appointment data, if there has been a data breach during your appointment take immediate steps to mitigate this and consider your obligations as to whether to notify the ICO. We have seen breaches of this nature often where the responsibility for filing at Companies House is passed down the team to someone dealing with process and that individual does not fully understand the nature of what is filed. IPs should think carefully about whether there is a training need within their teams.

Retention – Under GDPR, personal data should only be retained for as long as you have a legal basis for doing so. IPs regularly take copies of Company databases from the outset of the insolvency and they retain this data as they might require it to complete their investigations on the Company and its directors. When retaining data for these reasons, we would advise that this is not kept beyond the limitation period for a claim to be brought (six years). When retaining personal data in this way, you have an obligation to ensure that the data is kept appropriately secure for the duration of this retention period. You also need to consider the rights of data subjects, such as the right to be forgotten and SARs, which are balanced against your SIP 2 duties to investigate the conduct of directors and the failure of the Company. Once the data is removed from the Company's system, this second set of data is likely to be classed as Administration Data. Given the lack of clarity around responsibility for controlling this data, whilst the onus for managing it will practically most likely fall on the IP firm, care needs to be taken about where and how that data is then held and managed.

Thinking about data as a whole in the insolvency should ensure that IPs can successfully continue to achieve the purposes of insolvency and at the same time balance the rights of the individuals whose data is held. 

If you would like more information about insolvency and data protection please contact Joanne Rumley or Alexandra Leonidou.