The impact of Covid-19 and stricter infection control measures makes it seem increasingly likely that the workload of insolvency practitioners (IPs) will increase. In addition to rising numbers of insolvencies, IPs also face greater challenges around personal data. This is due to an increasing ‘digital first’ culture and the use of a wider range of digital data processing devices and services across many businesses. It’s now more important than ever that IPs and their suppliers have robust processes in place that allow them to retain and destroy personal data appropriately, and minimise the risk of any data breaches.
The GDPR outlines that personal data shouldn’t be stored for any longer than is necessary for its processing purpose (Article 5(e)).
It states that the data controller is responsible for compliance with this principle (known as the accountability rule).
The GDPR also gives data subjects the ‘right to be forgotten’, which allows individuals to ask for their personal data to be erased. This is not intended to be an absolute right, and data subjects will only be able to request it in certain circumstances, such as when the retention of the personal data is no longer necessary for its original purpose; a controller is relying on consent as its lawful basis for processing and the data subject withdraws that consent, or the personal data has been processed unlawfully. Importantly, any obligations IPs are required to adhere to as part of the insolvency process will override the subject’s right to deletion. This could include reasons such as retaining necessary documentation to be able to support any claims the estate has against any parties or to defend any potential legal action.
It’s sensible for IPs to put a record management and retention/destruction policy in place at the start of the insolvency proceedings, and to carry out a records management audit as they go along. These policies will allow them to clearly set out any legal or regulatory requirements to retain records for certain periods of time.
Not all records will have to legally be retained. An IP’s policy should also set out reasonable data retention periods for business and operational purposes. These periods are likely to differ depending on the type or class of record, so it’s important to adjust the policy for each one. It’s also very important to carry out an ongoing audit because it’s likely there will be a number of long-stop dates, depending on the type of data being held.
If an IP enlists the help of other service providers, such as solicitors or debt collectors, these individuals could become a data processor for the IP or a data controller in their own right. Despite this, it’s the IP’s obligation as data controller to ensure that any additional data controllers and data processors follow the regulations. As a result, it’s vital IPs only use data processors who can guarantee their technical and organisational policies allow them to process, protect and ultimately delete or destroy personal data in a GDPR-compliant way.
To make sure they’re protected, IPs may also wish to include provisions within their contracts with any third-party service providers to indemnify themselves against any third-party breaches of data protection requirements. At the very least, the contract should include a statement explaining that nothing within the contract relieves the third-party data processor of its own direct responsibilities and liabilities under the GDPR.
When it comes to personal data processed by a company before insolvency proceedings begin, any subsequently appointed IP becomes the company's agent. They will not become the principal. In most circumstances, an IP will be a data processor rather than a data controller in relation to any data that has already been processed.
On the other hand, the IP’s position is different if they are processing personal data in their own right, e.g. data that is generated from the receipt and adjudication on proofs of debt. In these cases, an IP will be acting as a data controller.
Although it’s important to understand the distinction between data controller and data processor status, its significance has reduced since GDPR came into force in 2018. Now, data subjects are able to take action directly against data processors if they believe GDPR has been breached.
The key takeaway here is that, even in the midst of a complex case where saving jobs and striking a deal is the priority, an IP should always have compliance with data protection legislation in mind when processing personal data, regardless of whether they’re acting as processor or controller.
There are a number of occasions when an IP could securely destroy personal data. These include:
As we’ve explained, the timing of data deletion will depend on the legal/regulatory and business/operational requirements for each data set. We’ve set out a number of documents that IPs are likely to deal with and have offered our suggestions for potential retention periods below.
|Document||Appropriate deletion/ retention period|
|Books and records||In the case of administrations moving to dissolution or voluntary liquidations, these documents can be destroyed 12 months after the company's dissolution.
In bankruptcies and compulsory liquidations, on the authorisation of the Official Receiver, at any time (usually after a year).
|Employees, creditors, and/or directors/officers||Ideally for at least 6 years (5 in Scotland) to cover for the time limit for responding to any civil legal action.|
|Health & Safety / medical records||Generally for at least 40 years from the date of last entry, because often there is a long period between exposure and the onset of ill health.|
It’s important to put a level of security in place that’s appropriate to the nature of the information you hold and the harm it could cause if used improperly. Destruction is defined as putting data ‘beyond any possible reconstruction’. It’s easier to securely destroy hard copy documents using reliable shredding systems than it is to delete digital data. The latter can often be recovered, especially if the device on which the digital data was stored isn’t also destroyed.
If it’s not possible for digital data to be deleted, you can take a pragmatic approach to protecting data subjects – for example, replacing data by anonymising it, or restricting processing of the data by making it inaccessible.
The consequences of not complying with data protection legislation can be significant. They range from hefty administrative fines issued by the ICO and the internal costs of rectifying any breach, through to civil claims for damages from individuals and the costs of negative impact on reputation. Consequently, it’s important that IPs take their role as data controllers/processors seriously and remember their obligations regarding personal data (and its retention/destruction) at every stage of their appointment.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions.
The disputes landscape in Scotland post-Covid webinarRead more
Data protection, fraud and cybersecurity update webinarRead more
Happy Diwali 2020Read more
New ICO guidance on handling DSARsRead more
TLT expands restructuring and insolvency team in ScotlandRead more
Brexit: transition & beyondRead more
TLT grows Legal 500 rankingsRead more
Uber case highlights risks of automated decisions about employeesRead more
Termination for insolvency: how can suppliers protect their position?Read more
The way people shop is constantly evolving, from the growth of online and the changing use of stores...Read more
The pandemic has had a deep and long-lasting effect on the leisure, food & drink sector, forcing operators to embrace new ways of attracting and servicing customers.Read more
The pandemic has forced the majority of the workforce into a world of remote working. As a result, our cities are evolving.Read more
Our countdown to Brexit and beyond podcast series looks at the impact for businesses on both sides of the pond of any free trade agreement between the UK and Europe and the UK and the US. ThisRead more
There's a growing demand for retailers to do more to attract the Purple Pound – the collective spending power of disabled shoppers, estimated to be worth around £274bn. We look at the opportunities, the legal issues and...Read more
Helping you navigate your business through the risks and opportunities that Brexit will bring.Read more
Green finance is gaining speed, driven by global climate change pressures and the recognition of the vital role which sustainability plays in a resilient financial services sector.Read more
Keep on top of the employment law issues that matter most to you and your business with our new podcast.Read more
As businesses adjust to new ways of working and plan for an uncertain future, we keep track of the emerging legal and regulatory issues.Read more
Data protection law is changing rapidly and mistakes can lead to significant financial penalties and reputational damage. We can help you secure your data and use it to its maximum potential.Read more
Acting on all sizes of instructions, from large restructurings to individual creditors.Read more