A judgment recently handed down from the High Court clarifies the obligations of liquidators under the Data Protection Act 1998, providing them with greater personal protection from fines or other sanctions.
Reed Smith acted for the liquidators in their application for directions.
The Data Protection Act 1998 (the “Act”) imposes various obligations on persons who collect, store and process individuals’ data. These obligations include making an individual’s information available to them upon their request (a data subject access request, or DSAR). Those persons classed as data controllers under the Act face penalties if DSARs are not responded to appropriately.
Until now, it has been largely accepted that upon taking office as a liquidator, the liquidator personally becomes a data controller in respect of any data held by the company and, therefore, assumes the statutory responsibilities as set out in the Act.
Southern Pacific Personal Loans Limited
Southern Pacific Personal Loans Limited (SPPL or the “Company”), a company within the Lehman Group of companies, entered voluntary liquidation in September 2012. SPPL, until it ceased originations in 2007, was in the business of providing personal loans to individuals resident in England, Wales and Scotland, and, therefore, held large amounts of personal information about these individuals.
Both prior to and after SPPL’s entry into liquidation, DSARs were being received each month. The cost of dealing with the DSARs during the liquidation has been depleting the funds otherwise available to distribute to SPPL’s creditors.
The liquidators applied to the court for directions as to their responsibilities under the Act, including a determination on whether they were data controllers in respect of data held by SPPL prior to its liquidation.
In his judgment, handed down last Thursday, David Richards J held that the liquidators were not data controllers in respect of such data. In reaching this decision, weight was given to the liquidators’ position as agents of the Company, rather than individuals acting in their own capacity, and the liquidators’ function replacing that of the directors of the Company, directors not being considered to be data controllers.
David Richards J went on to focus on what should be done with such data held by SPPL. In his considerations, weight was given to the fifth data protection principle; that personal data shall not be kept for longer than is necessary for the purpose or purposes for which it was processed. As SPPL now only holds data relating to fully redeemed loans, prima facie the information should be destroyed as soon as possible. However, two caveats to this general principle were expressed by the court: (i) that sufficient data should be retained to deal with DSARs that have been/are received in the liquidation; and (ii) that sufficient data should be retained to deal with claims that have been/are received in the liquidation, both prior to the disposal of such data.
This judgment has positive implications, and is good news for insolvency practitioners, who are no longer personally responsible for compliance with the provisions of the Act in respect of the data held, prior to liquidation, by the companies to which they are appointed. David Richards J made clear that his judgment was limited to liquidators under a voluntary liquidation, however he did comment that he did not see that there was any material difference in the case of a compulsory liquidation. Although this was not addressed by the judge, the position of an administrator is likely to be no different.
However, prior to disposing of data held by companies to which they are appointed, insolvency practitioners should still exercise caution. The fifth data protection principle does not give any guidance as to how long it is “necessary” to hold data, and insolvency practitioners will need to consider the particular circumstances of the company in question before taking steps to dispose of any personal data.