In his latest Coffee Break Briefing webinar, Frettens’ own Insolvency Guru Malcolm Niekirk gave a refresher on GDPR for office holders and outlined the importance of compliance.
This is the summary of that briefing.
If you'd like to watch the webinar back, you can do so below; if not, read on for our summary.
Quick Links
- GDPR – The Basics
- Management issues and training
- What are the different types of data in GDPR?
- GDPR in professional services firms
- Step-in GDPR issues
- How does GDPR affect office holders?
- Subject access requests (SARs)
- Error reporting
- Notable policies
- For the compliance partner/director
GDPR – The Basics
What is GDPR?
GDPR is the General Data Protection Regulation, a European regulation.
This combined with the:
- Data Protection Act 2018 (DPA’18), as well as the
- Data Protection, Privacy and Electronic Communications (Amendments etc) (EU exit) Regulations 2019 (which I’ll refer to as the ‘Brexit regulations’ from here),
forms the basis of data protection law in the UK.
How did Brexit affect GDPR?
‘UK GDPR’, introduced post-Brexit, has not made anything easier to understand (if anything, it has made things more complicated)!
At its core, GDPR is human rights legislation. The idea behind it is that all of us have a right to privacy and a degree of control over information kept on file about us.
What was new in GDPR?
GDPR introduced a lot of extra paperwork and required better compliance records to be kept. It also marginally improved rights for people:
- People are now entitled to better information on their rights
- People are now entitled to better information about files kept on them
- Businesses now have to record their reasons for using information about people
Management issues and training
Under GDPR, you should train your data protection partner and anyone who handles ‘personal data’ in compliance.
The legislation came into force in May 2018, so training would likely have occurred at that time. You may need to schedule a refresher, perhaps in the next few months and then every couple of years after that.
GDPR should also be a part of your induction programme.
What should GDPR training include?
It should include:
- The basic principles, which are as follows:
  - Take only what you need
  - Keep only what you’re allowed to use
  - Record your right to use it
  - Consent is not the only way to authorise use
  - Treat others’ information the same way that you would like information about you treated (‘the golden rule’)
- Your own policies, procedures and documents
- How to identify sensitive (‘special category’) data
What are the different types of data in GDPR?
These categories of data are listed from least to most protected.
- Anything that is not personal data (not protected by GDPR, but professional and contractual duties of confidence may still apply)
- Personal data: information about an identifiable, living human (covered by GDPR)
- Financial and identification data: not a separate category under GDPR or the DPA, but you may want to treat it as more protected than other personal data
- Sensitive (‘special category’) personal data
- Criminal records
What is sensitive personal data?
Sensitive (‘special category’) personal data consists of information about
- Health
- Sexual life
- Religion
- Political opinions
- Racial and ethnic origins
- Trade union membership
- Biometric and genetic data
Criminal records
These don’t just include records of convictions; they also include crimes that have been alleged, prosecuted, convicted or sentenced.
‘Alleged’ is important here, as it means that your file about CDDA investigations, and other liquidation files, may contain information about alleged crimes.
In a personal insolvency context, these could be allegations of bankruptcy offences or fraud.
GDPR in professional services firms
There are three areas where GDPR affects professional services firms:
- Marketing
  - I didn’t cover this in detail, as GDPR applies to professional services firms in a similar way as it does to other businesses. There is plenty of guidance available.
- HR records
  - Your HR records will likely contain sensitive information, possibly even criminal allegations
- Client files
  - You need to distinguish between the files that the firm is keeping and the files that you are keeping in your personal capacity as an office holder
Step-in GDPR issues
There are separate responsibilities for the company (in administration or liquidation) and for you as office holder (and its administrator or liquidator).
Most notably:
- The bust company is the data controller – even after your appointment
- You are agent for the bust company, as liquidator or administrator
- You may have responsibilities as data processor – a question of fact
You should:
- Ensure that you have a good pre-appointment risk assessment, and do a further review on day one of your appointment
- Consider trading issues in trading administrations; you will need to run another risk assessment
- Consider data security and GDPR issues around HR records and customer and marketing databases when selling the business
How does GDPR affect office holders?
In many circumstances, probably most appointments, you will be data controller. You will be using personal data as office holder.
In personal insolvency cases, you’ll have information about the bankrupt, their family and associates.
In corporate insolvency cases, you’ll have information about the directors, their family and associates.
Authority to use personal data
This means you’ll need to identify the legal basis for you to collect, hold and use personal data.
The most relevant bases for insolvency practitioners to use personal data are as follows:
- Consent
  - May be difficult in bankruptcies and some liquidations
- Performance of a contract
  - Useful for IVAs, less so for corporate appointments
- Legitimate interest
  - Requires you to carry out and record a balance of interests
- To perform legal obligations
  - Not a catch-all, but very useful. Check the detail in DPA’18
- If in the public interest or the exercise of official authority
  - Again, not a catch-all but useful. Check the detail in DPA’18
In each case you have to identify which of these bases you are using for the personal data that you are collecting. Record that on file.
Authority to use sensitive data
You may sometimes need sensitive data on the debtor and directors.
Your bases for being authorised to use it might be:
- Use in legal proceedings (for criminal allegations)
- Substantial public interest (for other sensitive data), in which case you will need to follow your own internal policy document
Privacy notices – how and when to use them
The general rule is that you should issue a privacy notice to everybody on whom you are collecting information.
The privacy notice has to follow a statutory checklist. There are, broadly speaking, two checklists depending upon whether you are collecting information directly or from a third-party.
You should issue the notice at the earliest opportunity.
Who must a privacy notice be issued to?
Probably:
- The debtor (IVA or bankruptcy)
- The directors (all corporate procedures)
- The debtor’s associates (family & business)
- The directors’ associates (family & business)
- The shareholders
Are there exemptions for privacy notices?
There are exemptions, but it is not clear how far they extend. It may be better, as a matter of routine practice, to issue privacy notices rather than to rely on exemptions.
You may not need to issue privacy notices:
- For investigating the bankrupt’s conduct
- For investigating the directors’ conduct for CDDA
- For privileged information
- If doing so might prejudice negotiations with that person
Each of the people you keep information about has rights under GDPR, including the right to receive a privacy notice, so keep that in mind.
Investigations
It may be good practice to keep investigations as self-contained sub-files within the main file, particularly if sensitive data is involved.
Consider issuing privacy notices or relying on exemptions.
Following those tips may make your life easier if you receive a subject access request.
Subject access requests (SARs)
Subject access requests are people exercising the right they have to know:
- Whether you have any information about them on file
- Why you have it
- What sort of information it is
- Who it is being shared with
- How long you will keep it
- And more
They also have a right to receive a copy of that information. You cannot charge for it, and they should receive it within a month of the request.
In addition, they have the right to:
- Request that mistakes are corrected
- Have their data deleted (in some circumstances)
- Insist, in some circumstances, that the information should not be used
When can you deny a subject access request?
- If the information is being used to investigate the bankrupt or directors for CDDA purposes
- If the information is protected by legal professional privilege
- If releasing it might damage your negotiations with that person
Consider ordering your files by these categories.
Error reporting
Another occasional issue with GDPR is error reporting. It should be a part of any training.
An error occurs where:
- Data is lost
- Data passes to the wrong hands
- Data is received which should not have been
- Data is kept which you don’t need/shouldn’t have
You have a legal duty, as data controller, to:
- React quickly to any error
- Assess how serious it is
- Potentially report it to the ICO and tell the people affected
Notable policies
Training should be conducted, and policies should be in place regarding:
- Physical and digital data security
- File management
- Legal compliance
- Consent forms
- Privacy notices
- Error reporting
- Subject access requests
- Corporate appointments (as liquidator or administrator, for example)
For the compliance partner/director
- You don’t need a statutory data protection officer
- Compliance should match the law (includes GDPR, DPA’18 etc.)
- If you’re looking for specific, tailored advice on this, I’d be happy to have a conversation with you. You can get in touch with me by using the contact details at the end of this article.
- Ensure that you are registered; the registration fee is paid annually. Both you and your firm will need to be registered.
Additional questions
Following my briefing, I received a couple of questions regarding my presentation which I have answered below.
Can you charge the estate for the cost of dealing with an SAR?
Yes, you can charge the estate for dealing with a SAR. It’s a legal obligation on you, as office holder, to deal with it.
It’s a bit different if it’s a SAR directed to the bust company, rather than to you as office holder. In that case, it’s sometimes legitimate to say that the costs of compliance are disproportionate.
You can then decide that, as administrator, you won’t be ‘making funds available’ to the bust company to cover the costs of complying with the SAR.
The bust company will then default on its duty, but you as its agent are not personally responsible for the consequences. That can be useful for those cases where there are limited funds.
If a creditor or director issues a subject access request which relates to the data held in the company's books and records (pre-appointment company records), do you have to comply if it means retrieving the archived records to comply?
Good question. This shows why it’s so important to draw the line between your responsibilities as a data controller and office holder, and the responsibilities of a bust company as a data controller.
In your example, the bust company is the data controller; the liquidator is not. In this case, you would be entitled to ask (the person making the request) what harm they think they will suffer if you are unable to release the information.
Once you hear back from them, you can decide if it’s reasonable to refuse to release the information on cost (or other) grounds. If cost is the only reason for refusing to release the information, you can ask them to pay the cost of finding it for them.
That’s a legitimate response because the bust company – and not the liquidator – is the data controller. It actually puts the bust company in breach of the law, but that doesn’t put personal liability on the liquidator.
Downloads
A copy of the full presentation can be downloaded here.
Stay up to date
Thank you for reading this summary. You can watch back our previous briefings and read back previous summaries here.
To keep informed on upcoming Coffee Break Briefings, events and insolvency news you can sign up to our email list for free here.
Specialist Insolvency Solicitors
If you have any questions after reading this article, please don’t hesitate to get in touch with our bright and experienced team.
Call us on 01202 499255, or fill out the form at the top of this page, for a free initial chat.