Privacy series part three: Privacy in tax litigation
Krishna Mahajan
Our series focused on privacy and transparency considers issues encountered by practitioners across a range of different dispute resolution specialities. This article provides a reminder for Insolvency Practitioners about their obligations when processing personal data.
Insolvency Practitioners (“IPs”) are obliged to retain records which are distinct from the records of an insolvent company or an individual bankrupt. These records will include personal data and typically include data in respect of employees, lists of customers, debtors and creditors of the insolvent entities/persons over which they’re appointed, in addition to dividend distribution information that could also contain personal data.
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) apply to any Data Controller, including IPs, who process “personal data” (any information relating to a living individual), and provides rights to those whose data is processed (called Data Subjects).
“Processing” is defined in the UK GDPR as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means” which can include collection, recording, storage, use, destruction”.
It is therefore essential IPs and their staff understand the extent of the personal data they hold and how to deal with the same, as they are only permitted to process personal data if they do so in accordance with the law. For example, when the processing is in compliance with a legal obligation, when it is necessary for the performance of a task carried out in the public interest, or it is in the vital interests of the Data Subject. Consequently, on appointment, it would be wise for an IP to:
- undertake a data audit (both electronic and hard copy) to establish any personal data they now control, in addition to the source of the data and current location (including where stored by a third party);
- ensure that all data is securely held by implementing safeguards, for example, by storing hard copy documents in locked cabinets and electronic documentation being accessible via password;
- where consent has been obtained for the processing of personal data, retain records as to how the consent was obtained, whether it was freely given and whether the individual was fully informed;
- ensure clear policies are in place to deal with (1) any data subject access requests (DSARs) that are received, and (2) any data breach which may occur involving the personal data being processed (including considering whether or not such a breach needs to be reported to the Information Commissioner’s Office (ICO) – for which there is a requirement to report within 72 hours – and/or to the individual Data Subjects impacted.
- in the event of a sale of a business which includes personal data, such as customer or employee lists, IPs ought to ensure the sale agreement imposes an obligation on a purchaser to comply with the UK GDPR in respect of the data;
- where an IP is engaged in litigation requiring the disclosure of personal data, such as customer lists, consideration ought to be given to how that data is dealt with. For example, where it is necessary to disclose the list of creditors and their personal data in an exhibit, or whether creditor details could be limited to abbreviated names, plus the value of the claim, with a second unredacted version being filed on a “confidential” basis at Court.
By understanding their obligations and implementing robust data protection measures, IPs can ensure compliance while safeguarding the personal data they handle. This not only protects the rights of individuals but also the IPs who could otherwise face the risk of regulatory action by the ICO in the event of a breach or other non-compliance.
Further information
If you have any questions or concerns about the topics raised in this blog, please contact Roz Gergees.
About the author
Roz is a Senior Associate in the Dispute Resolution team and specialises in restructuring and insolvency matters.
We welcome views and opinions about the issues raised in this blog. Should you require specific advice in relation to personal circumstances, please use the form on the contact page.
You may also be interested in:
Privacy series part four: Protecting confidential information - An overview of injunctions
Privacy series part five: Ways to protect your witness
Chantelle Tang
Share insightLinkedIn X Facebook Email to a friend Print