The impact of Covid-19 and stricter infection control measures makes it seem increasingly likely that the workload of insolvency practitioners (IPs) will increase. In addition to rising numbers of insolvencies, IPs also face greater challenges around personal data. This is due to an increasing ‘digital first’ culture and the use of a wider range of digital data processing devices and services across many businesses. It’s now more important than ever that IPs and their suppliers have robust processes in place that allow them to retain and destroy personal data appropriately, and minimise the risk of any data breaches.
Why is personal data deletion important?
The GDPR outlines that personal data shouldn’t be stored for any longer than is necessary for its processing purpose (Article 5(e)).
It states that the data controller is responsible for compliance with this principle (known as the accountability rule).
The GDPR also gives data subjects the ‘right to be forgotten’, which allows individuals to ask for their personal data to be erased. This is not intended to be an absolute right, and data subjects will only be able to request it in certain circumstances, such as when retention of the personal data is no longer necessary for its original purpose, when a controller relies on consent as its lawful basis for processing and the data subject withdraws that consent, or when the personal data has been processed unlawfully. Importantly, any obligations IPs are required to adhere to as part of the insolvency process will override the subject’s right to deletion. This could include reasons such as retaining the documentation necessary to support any claims the estate has against any parties or to defend any potential legal action.
It’s sensible for IPs to put a record management and retention/destruction policy in place at the start of the insolvency proceedings, and to carry out a records management audit as they go along. These policies will allow them to clearly set out any legal or regulatory requirements to retain records for certain periods of time.
Not all records will legally have to be retained. An IP’s policy should also set out reasonable data retention periods for business and operational purposes. These periods are likely to differ depending on the type or class of record, so it’s important to adjust the policy for each one. It’s also very important to carry out an ongoing audit, because there are likely to be a number of different long-stop dates depending on the type of data being held.
If an IP enlists the help of other service providers, such as solicitors or debt collectors, these individuals could become a data processor for the IP or a data controller in their own right. Despite this, it’s the IP’s obligation as data controller to ensure that any additional data controllers and data processors follow the regulations. As a result, it’s vital IPs only use data processors who can guarantee their technical and organisational policies allow them to process, protect and ultimately delete or destroy personal data in a GDPR-compliant way.
To make sure they’re protected, IPs may also wish to include provisions within their contracts with any third-party service providers to indemnify themselves against any third-party breaches of data protection requirements. At the very least, the contract should include a statement explaining that nothing within the contract relieves the third-party data processor of its own direct responsibilities and liabilities under the GDPR.
When it comes to personal data processed by a company before insolvency proceedings begin, any subsequently appointed IP becomes the company’s agent. They will not become the principal. In most circumstances, an IP will be a data processor rather than a data controller in relation to any data that has already been processed.
On the other hand, the IP’s position is different if they are processing personal data in their own right, e.g. data that is generated from the receipt and adjudication on proofs of debt. In these cases, an IP will be acting as a data controller.
Although it’s important to understand the distinction between data controller and data processor status, its significance has reduced since GDPR came into force in 2018. Now, data subjects are able to take action directly against data processors if they believe GDPR has been breached.
The key takeaway here is that, even in the midst of a complex case where saving jobs and striking a deal is the priority, an IP should always have compliance with data protection legislation in mind when processing personal data, regardless of whether they’re acting as processor or controller.
Practicalities of deleting data
There are a number of occasions when an IP could securely destroy personal data. These include:
- At the start of the insolvency process – As the agent of a company, IPs still need to take an informed view of data risks and ensure the company remains GDPR compliant. For example, the company may have left records in an empty property without making arrangements for secure destruction. In this case, it’s the IP’s responsibility to securely get rid of the data.
- During the insolvency – IPs are obliged to make sure personal information is deleted as soon as it is no longer needed. They must also make sure a deletion process is in place. If there is information that could support employee and creditor claims, IPs should clearly retain this data until the case is resolved. They should also keep data for the usual retention periods; this is where a good record management and destruction policy will prove useful. IPs should be selective in their actions at this stage to make sure each class of data is destroyed at the right time, if at all. IPs should also take great care when considering selling the insolvent business’s databases containing personal data. It’s vital they only do so responsibly – you’ll find more information on this issue in our separate article.
- When the term of the contract has expired/the liquidation has completed – IPs should erase all personal data unless there’s still a legal reason for retaining it. IPs should also ensure that any third-party suppliers comply with any agreement to destroy data (including meeting the cost of doing so).
When should data deletion happen?
As we’ve explained, the timing of data deletion will depend on the legal/regulatory and business/operational requirements for each data set. We’ve set out a number of documents that IPs are likely to deal with and have offered our suggestions for potential retention periods below.
| Document | Appropriate deletion/retention period |
| --- | --- |
| Books and records | In the case of administrations moving to dissolution or voluntary liquidations, these documents can be destroyed 12 months after the company’s dissolution. In bankruptcies and compulsory liquidations, on the authorisation of the Official Receiver, at any time (usually after a year). |
| Employees, creditors, and/or directors/officers | Ideally for at least 6 years (5 in Scotland) to cover the time limit for responding to any civil legal action. |
| Health & Safety / medical records | Generally for at least 40 years from the date of last entry, because there is often a long period between exposure and the onset of ill health. |
The best method of destruction
It’s important to put a level of security in place that’s appropriate to the nature of the information you hold and the harm it could cause if used improperly. Destruction is defined as putting data ‘beyond any possible reconstruction’. It’s easier to securely destroy hard-copy documents using reliable shredding systems than it is to delete digital data. Digital data can often be recovered, especially if the device on which it was stored isn’t also destroyed. If it’s not possible for digital data to be deleted, you can take a pragmatic approach to protecting data subjects – for example, anonymising the data, or restricting processing of the data by making it inaccessible.
The consequences of getting it wrong
The consequences of not complying with data protection legislation can be significant. They range from hefty administrative fines issued by the ICO and the internal costs of rectifying any breach, through to civil claims for damages from individuals and the costs of negative impact on reputation. Consequently, it’s important that IPs take their role as data controllers/processors seriously and remember their obligations regarding personal data (and its retention/destruction) at every stage of their appointment.