Data Protection and Freedom of Information
The coming into force of the Freedom of Information Act 2000 ("the FOIA") on 1st January 2005 has caused a number of businesses and insolvency practitioners to turn their minds to the way in which information is processed by, or may be accessed from, companies and public bodies. The processing of information by companies is principally governed by the Data Protection Act 1998, which has been in force since March 2000. Both pieces of legislation are key to businesses, whether insolvent or otherwise, and are therefore of relevance when an office holder is appointed, whether as an administrative receiver, administrator or liquidator.
The aim of this article is to revisit the obligations a company owes under the Data Protection Act and to highlight the ways in which a business or an office holder may take advantage of the FOIA.
Dealing first with the Data Protection Act ("the Act"), an office holder can in certain circumstances incur personal liability for breaching the Act. It is also in the office holder's interest to ensure that the Act is observed from the debtor company's perspective, as breaches of the Act can lead to financial penalties and compensatory awards being made against the debtor company. This would obviously reduce the pool of funds available to the office holder in the event of a distribution to the debtor company's creditors.
The Act's main purpose is to safeguard the way in which information is held by a "Data Controller", which is defined as the person who determines the manner in which and purposes for which the Personal Data will be processed. This can be an individual or a company (acting by its board). The key test is who determines the purposes for and the way in which the data is processed. Significantly, in the case of an insolvency appointment where the business is traded, the office holder can come within the definition of a Data Controller personally if he can be shown to determine the purposes for and the manner in which any Personal Data can be processed.
Other significant definitions used within the Act include "Personal Data." This refers to data relating to a living individual who can be identified from that data (alone or together with other information held by the Data Controller). Finally, the "Data Subject" is the individual who is the subject of the Personal Data, such as an employee, creditor or debtor of the company.
The Act has eight governing principles that Data Controllers are obliged to honour. This article will not deal with all of these but will briefly discuss the most relevant from a business and office holder's perspective. Firstly, Personal Data must be processed both "fairly and lawfully." Essentially this means that the Data Controller is required to justify the processing of Data under one of six conditions. For example, the Data Controller must be able to justify and show that the Data Subject has given his consent or show that the processing of the Data is necessary for the purposes of the legitimate interests pursued by the Data Controller. The legitimate interests have been shown to be justified on the basis that the processing of the Data is in the Data Controller's "commercial or business interests." However, as there is a lack of guidance generally on what constitutes "commercial or business interests," it is advisable to obtain the Data Subject's consent in the first instance rather than seeking to rely on the "commercial or business interests" test.
A further principle is that Personal Data should be kept "accurate and up-to-date." This is very much in the Data Controller's own business interests. For example marketing information that is not kept up-to-date can be sent to the old address of a customer or client and can be a waste of time and money as well as causing embarrassment on the Data Controller's part.
Finally, appropriate technical and organisational measures must be implemented. It would follow that the office holder needs to ensure that sufficient safety and security measures are continued (or indeed implemented) upon his appointment.
Office holders frequently have regard to the Act in the context of an asset sale, as the customer list of a business forms an integral part of the goodwill. Well-drafted asset sale agreements will seek to impose obligations on the purchaser in relation to further use of any data which is to be transferred and a requirement to notify the Data Subjects that a new Data Controller is now in control of the Personal Data.
The Act affords Data Subjects a host of rights in relation to the processing of Personal Data. Firstly, the Act gives the Data Subject a right to access Data via a Subject Access Request which (assuming the correct procedure is followed by the Data Subject) entitles the Data Subject to a description of the Personal Data held by the Data Controller. These rights survive an insolvency. General public awareness of these rights is on the increase. Therefore an office holder needs to know when a request must be met and when it can be refused. As office holders wish to protect asset values, they are usually reluctant to release sensitive information into the public domain. As stated below, there are a number of exemptions afforded to a Data Controller which allow him to refuse a Subject Access Request.
Secondly, where the processing of Personal Data causes or is likely to cause unwarranted and substantial damage or distress to a Data Subject, the Data Subject is entitled to require the Data Controller to stop processing, unless the Data Controller can rely upon a specific justification listed in the Act, for example that the Data Subject has consented to the processing.
Thirdly, a Data Subject is entitled to give notice in writing to a Data Controller requiring it to stop processing Personal Data for direct marketing purposes.
A Data Subject who has suffered damage or distress as a result of a breach of any provision in the Act may be entitled to compensation. However, it is a defence for the Data Controller to show that in all the circumstances reasonable care has been taken to comply with the relevant provisions.
As referred to above, the Act contains a number of exemptions to the requirement that Personal Data must be processed in accordance with the Act (including the requirement to honour a Subject Access Request). Unfortunately the exemptions regarding the processing of Data cannot easily be categorised into separate classes enjoying the same type of exemption. On close examination, however, there are a number of exemptions that an office holder can utilise. For example, if the company or office holder is processing Data for the purposes of making information available to the public under a statutory requirement, the office holder will not have to follow the principles or observe the rights of Data Subjects contained within the Act in respect of that processing. Therefore, if an administrator discloses the personal details of a company director (such as his assets) for the purposes of a DTI report, he could seek to rely on the exemption that he is acting under a statutory requirement in the event that the director makes a complaint under the Act. This exemption can therefore be utilised in addition to the powers available to the office holder under the existing insolvency legislation. Other heads under which a Subject Access Request can be resisted include cases where compliance would involve the direct or indirect disclosure of the identity of a third party.
The Act requires Data Controllers to notify the Information Commissioner ("the Commissioner") that they are processing Personal Data. This is aimed at providing transparency about the way in which an organisation processes Data and makes it available on a public register.
Of particular relevance to the office holder is that notification to the Commissioner must be renewed annually. It is an offence to continue processing Personal Data once a notification has expired. Proceedings can be brought against a company for failing to notify. So although it is unlikely that an office holder will incur personal liability, it should be noted that a firm of solicitors was recently fined over £6,000 for a failure to notify. An office holder in a similar situation may therefore incur liability that would reduce the funds available on distribution.
The recent Court of Appeal ruling in the case of Durant v Financial Services Authority has had a significant impact on the way Data Controllers process Data. The ruling was seen as a victory for Data Controllers, as the definition of what amounts to Data appears to have been narrowed. The Court ruled that it would be highly unlikely that material held in an unstructured manual format could amount to "Data." Furthermore, the definition of Personal Data was confined to Data which is focused on the Data Subject himself and which is sufficiently personal to affect his privacy.
By way of conclusion, the Act is a potential banana skin for both the company and an office holder and only by closely observing and implementing the Act can exposure to liability be avoided.
The FOIA allows members of the public to access information held by public bodies. However, the legislation can be used by businesses and office holders as a means of accessing information for a variety of reasons such as commercial gain. For example, tender documents submitted by a competitor for local authority work could potentially be accessed by the tender company's competitors. An office holder could take advantage of the FOIA where the insolvent company has supplied goods and services (on a subcontract basis) to a provider of goods and services to a public authority. In the context of any payment dispute the insolvency office holder could seek copies of the documents supplied by the debtor company to the public authority in relation to the disputed contract.
The FOIA could also be used for the purpose of an office holder's investigative work into the insolvent company. For example, the FOIA has recently been utilised by the administrators of Railtrack. They have obtained records of telephone notes from the rail regulator, Tom Winsor, in relation to conversations with Railtrack's directors on the eve of Railtrack being placed into administration. It is understood that the information is being used as part of a misfeasance claim against the government. It follows that the FOIA can be exploited to an office holder's advantage and used in addition to the powers available to an office holder under the insolvency and other legislation currently available.
Therefore, in conclusion, the FOIA has already been utilised by practitioners in its short life and will obviously be exploited further in the future.