Insolvency Oracle

Developments in UK insolvency by Michelle Butler


Leave a comment

GDPR: Ready or Not!

Compared to the Insolvency Rules, getting to grips with the GDPR has felt a lot more painful.  Personally, I have struggled with the GDPR for two reasons: (i) the position of an IP working within a practice and having control over insolvent entities is so clearly a square peg in the GDPR’s round hole; and (ii) for anyone who has been treating personal data with respect already, it seems to be just lots more hassle, simply more documentation of no interest to anyone except the regulators and those who look for causes to complain.

But, if I have not persuaded you already to go off and do something far more interesting instead, here is a summary of an IP’s GDPR to-do list (or, hopefully, a “done” list).  My special thanks go to Jo Harris, who has endured the pain to get the Compliance Alliance’s packs GDPR-ready and whose webinar has informed most of the content of this blog.

(UPDATE 22/05/2018: far more authoritative than my blog is a fantastic FAQs written by the ICAEW and R3 and released just yesterday: https://bit.ly/2x7HPm2.  I think that this article is pretty-much aligned with the FAQs, but the ICAEW does provide more information on their expectations, particularly when taking on an appointment and in notifying creditors of the necessaries.)

 

Privacy Notices

Privacy Notices are probably the most obvious sign that you have prepared for the GDPR world.

Data controllers must provide privacy information to individuals when they collect personal data from them or, if the data is from another source, no later than one month of receipt.  Although the GDPR prescribes a long list of information that must be given, it also states that privacy notices must be concise and easy to understand – if only the GDPR were written so!

To draft a GDPR-compliant privacy notice, you need to have a clear picture of what personal data you hold and what you do with it… in your role as a data controller.

 

Who is a data controller?

The GDPR defines a data controller as:

“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”

Where an IP processes data as an office holder, they are clearly in control.  An IP deals with personal data on creditors, employees, directors, shareholders, debtors (i.e. insolvent ones and those who owe the insolvent), probably also debtors’ family members…  And we’re not just talking about individual creditors etc.: you will also process personal data on staff working within corporate entities, e.g. emails containing names, email addresses and telephone numbers, sufficient to identify the individual.

What about the personal data contained in the insolvent’s books and records?  Does the IP become the data controller for those on appointment?  I have not attended a GDPR-for-IPs event without the case of Re Southern Pacific Personal Loans Limited ([2013] EWHC 2485 (Ch)) being mentioned.  Although of course this was a decision about the application of the Data Protection Act 1998, it has given many people comfort that at least a liquidator is not considered to be the data controller in relation to data processed by the company prior to liquidation.

So, for practical purposes (unless/until it is overturned), it is probably safe to draw a distinction between data processed by the IP and the insolvent’s data that just sits in a storage facility in case it is needed one day.  This fairly clean line probably doesn’t exist however for a trustee in bankruptcy, as the agency relationship is absent.  Also, at what stage does an IP begin “processing” data in their own right: what if you only review some company records in your possession?  What if you hold electronic data on your system, but never use it?

These fuzzy lines aside, how does understanding when we are a data controller help us draft our privacy notices?

 

The legal basis for processing

For the most part, privacy notices are pretty standard text.  But you do need to hang your flag on a mast when it comes to describing your legal basis/bases for processing the data.

Here are the options:

  • the data subject’s consent – not something that we associate with being in office
  • necessary to perform a contract – again, not something for an office holder, but it may be relevant for work we do (i.e. personal data we process) outside a formal appointment
  • necessary for compliance with a legal obligation – yep, this one is clearly relevant to office holders
  • necessary to protect individuals’ vital interests – nope
  • necessary to perform a task in the public interest – I have heard some say this is relevant for office holders, but it seems to have fallen out of favour more recently
  • necessary for legitimate interests – creditors and others have a legitimate interest in keeping informed and engaging in an insolvency process, so this is relevant

So there are at least two legal bases that are relevant to IPs’ work.

 

The purposes of the processing

Your privacy notice also needs to describe the purposes for which you will be processing data.  It is worth remembering that an insolvency practice will process data for a wide range of purposes: not only formal appointments, but also to deliver other services to clients, and you will also hold data for marketing purposes, for running your business…

Therefore, you might want to consider: should you have one privacy notice covering every purpose or do you want several privacy notices?  A third way, which I’ve seen work well for a particularly large accountancy/insolvency practice, is a single privacy notice with links leading to the descriptions of their processing activities relating to different groups of data subjects.

Taking a look at other firms’ privacy notices might also bring to mind other, less obvious, purposes for processing data, such as carrying out AML due diligence, detecting or preventing crime or fraud.

 

What do you do with the privacy notice?

As mentioned at the start, the GDPR puts data controllers under a requirement to provide the privacy information to all data subjects.  This can seem onerous for an IP: do we really need to send a copy of the privacy notice to all individuals whose data we hold and how can we comply with those timescales, especially on existing cases?

There are a couple of ways you can make life much easier for yourself:

  • Put your privacy notice on your website, preferably on a page with a very simple www address, because…
  • Then you can add the link/address to your email footers and letterhead, so that the next time you email or write to an individual, you have brought the privacy notice to their attention.

 

What about existing cases?

Does the GDPR mean that we must have notified every person whose data we hold of our privacy notice by 25 June?  I would like to think that the regulators – the RPBs and the ICO – might be prepared to give us some slack on this requirement.  Would a more manageable approach be to ensure that such notifications are made, say, at the time of the next progress report?

If this is acceptable, then how about the interaction with R1.50?  Where we have already issued to creditors (and members) a notice stating that every other document will be uploaded to our website without further written notice, would this suffice such that we only need to ensure that the website contains the privacy notice or a link to it?  Or, because R1.50 only provides website-only delivery for documents “required to be delivered in the insolvency proceedings”, does this mean that the privacy notice required to be delivered under the GDPR cannot be delivered by website?

Of course, the requirement stretches further than creditors and members.  For some people, you might like to make an extra-special effort to contact them asap to prove compliance with the GDPR, perhaps those who are most likely to complain – bankrupts and other individual debtors, perhaps.

 

What about closed cases?

Under the GDPR, “storage” is a form of processing.  Therefore, IPs will be continuing to “process” personal data long after a case has closed.  Do we need to contact individuals on closed cases?  Isn’t this taking things too far?!

The new Data Protection Act (currently still a Bill) may help us (thanks, JN, for highlighting this).  S93(4)(b) states that we need not notify data subjects where it “would be impossible or involve disproportionate effort”.  This must apply to closed cases, surely!

 

Privacy notices: is there more?

Oh yes, indeed!

Another meaty requirement of the GDPR is that data processors’ work must be governed by a contract with the data controller.  What data processors does an IP instruct?  And if someone is instructing an IP, does this need to be governed by a contract?

 

Who is a data processor?

The GDPR’s definition of a data processor is someone who “processes personal data on behalf of the controller”.  But a data processor’s activities may mean that they become a controller in their own right.  As I set out above, according to the GDPR’s definition, a data controller determines the purposes and means of processing data.  So logically, if someone has no control over either the purposes and/or the means of processing the data, they must be a processor, right?  For example, you instruct a debt collector to use debtors’ personal data solely to pursue debts – this sounds like a data processor, doesn’t it?

So who might an IP instruct that is not a data processor?  Surely every instruction defines at least the purposes of processing data, doesn’t it?

The ICO has provided guidance on the distinction between processors and controllers (https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf), which, although it was seemingly published in 2014, we understand is still considered relevant by the ICO for the post-GDPR world.

Paragraph 45 is interesting: “Where specialist service providers are processing data in accordance with their own professional obligations they will always be acting as the data controller”.  This is written in the context of an accountant, who will have obligations on detecting malpractice.  The guidance similarly singles out solicitors who “determine the manner in which the personal data obtained from the [client] will be processed” (paragraph 44).

 

And IPs?

Of course, I wouldn’t expect the ICO to mention IPs in their guidance (they don’t).  But I think the ICO’s guidance leads to the logical conclusion that usually IPs/insolvency practices will become data controllers in their own right when processing data on behalf of a client, e.g. when they’re instructed to help put a company into CVL.

 

Controller-processor contracts

But for anyone whom we instruct who is a data processor, we need to ensure that a GDPR-compliant contract is in place with them.  And even though you may personally be acting as agent of a company that continues to trade post-appointment, you will want to ensure that the company trades in a compliant fashion with appropriate contracts in place with their suppliers/service-providers… although remember that it’s only where the supplier/service-provider is processing personal data.

The GDPR sets out what must be included in such a contract and model clauses are widely available (although of course you may like to engage a solicitor to help).

 

Data sharing agreements

Although not mandatory, you may want to consider entering into data sharing agreements with parties who you instruct who are data controllers in their own right – the ICO guidance recommends this where you are sharing large-scale or particularly risky data.

As an IP receiving instructions, you are unlikely to want to volunteer a data sharing agreement.  However, you should amend your engagement letters, not only to refer to your privacy notice, but also to confirm your position as a data controller and remind the client of the need to comply with the GDPR and DPA.  ICAS has suggested some appropriate wording at: https://www.icas.com/regulation/preparing-for-gdpr

 

Fuzzy lines

I confess to remaining confused about the boundary between controllers and processors.  After all, wouldn’t following the GDPR definitions and ICO guidance lead us to a different conclusion from that arising from Re Southern Pacific Personal Loans Limited?  Doesn’t an IP store company records in accordance with their own obligations and doesn’t the IP decide the purposes and means of processing that data?  If so, why are they considered only a data processor?

In addition, different instructions may lead to different levels of control by the third party.  For example, on one case we may ask an agent simply to help us return items to their owners, but on another case the agent may be managing a marketing and sale process, dealing with RoT claims, wiping hardware clean…

Where these fuzzy lines exist, would it be an idea to engage with third parties via a catch-all controller-processor/data-sharing agreement?

 

Managing instructions

If you haven’t already set up a system, perhaps you might start a central register to help you record who has signed up an agreement.  Then, whenever you come to instruct a third party who will be processing personal data provided by you, you can check whether they have already signed up and, if not, you can set the ball rolling.

 

Ok, is that everything?

Nope.  There’s a whole host of additional items on the to-do list, including:

  • If you haven’t already got them, generate policies and procedures to cover areas such as data security, retention, dealing with breaches and subject access requests;
  • Before processing data on a new engagement/appointment, assess the risks associated with the proposed processing, and keep it under review during the engagement (yep, another checklist!); and
  • For each engagement/appointment, document the data held and the reasons why it is held – the ICO has produced 30-column wide spreadsheet for each data controller (and another one for a processor), so admittedly it is stupidly cumbersome for each case, but once completed for one case, there will be little variation needed for the next. But of course, it is worth giving every case a bit of thought, just in case there are some unusual considerations arising from, e.g., a novel business or an entity holding data in different countries.

Certain other aspects of our insolvency work require careful attention:

  • On (or preferably before) appointment, we will need to gather information on what data the insolvent holds and where/how it is stored and accessed;
  • If we are contemplating trading-on, we will need to review carefully the business’ data processing practices and documentation and identify whether any changes need to be made to bring them into line with the GDPR;
  • We should perhaps take more care in deciding what data we need to collect post-appointment and what happens to any data that we choose not to collect (also having regard, of course, to the recent Dear IP on collecting books and records);
  • Although generally databases and customer lists can continue to be sold in an insolvency process, we can expect to be asked more questions by potential purchasers about the insolvent’s data processing (will sale prices decrease and will sales to unconnected parties be less common as a consequence?) and some additional clauses will be required in agreements; and
  • We will want to have a good understanding – and ensure that staff have also – of our obligations on identifying a data breach.

 

Will it all become second nature?

It is a shame that the regulatory current seems to flow to ever more requirements for documentation and disclosure.  The regulatory burden never seems to lighten up, but personally I struggle to see how business or the economy is any better for it.

There remain a number of unanswered questions, some of which I’ve mentioned above, about how the GDPR works practically for IPs.  I’m sure that over time most of these will be resolved, hopefully with pragmatic solutions acceptable to the regulators.  One day, perhaps GDPR-compliance will become second nature.

 

 

 

Advertisements


Leave a comment

Hats Off

0520 Goblins

Having recently spent a week or so in Somerset enjoying the unseasonal blue skies (but yes, you’re right, the photo is not Somerset!), I’ve managed to accumulate quite a pile of BAILII reports. I don’t want to skip them entirely, as one day I do want to create a searchable index of my posts, so I’ve tried to give credit where I can to other write-ups of the judgments. Much is old news, therefore, but if you missed them the first time around…

Olympic Airlines – failure to meet “establishment” test of European Insolvency Regulation rules out secondary insolvency proceedings.
Jetivia v Bilta – argument that the company, by its liquidators, could not pursue claims based on a fraud to which it was party failed.
Tchenguiz v SFO – liquidators’ reports not subject to litigation privilege, as litigation was not the dominant purpose for their production.
Southern Pacific Personal Loans – liquidators were not data controllers for data processed by company pre-liquidation and, subject to certain conditions, they could destroy the data.
JSC BTA Bank v Usarel Investments – useful comments regarding the absence of inevitable bias of court-appointed receivers when faced with prospect of taking action against party that sought their appointment.
Bestrustees v Kaupthing Singer – reversal of administrators’ part-rejection of pension scheme claim, as changes in assets and liabilities after the actuary’s certificate “irrelevant”.
Wood & Hellard v Gorbunova – receivers’ indemnity out of assets restricted, as respondent’s costs increased due to receivers’ “inappropriate conduct of the application”.
JSC BTA Bank v Ablyazov – subject’s drawing down of £40m loans not “assets” for the purposes of a freezing order.

The Trustees of the Olympic Airlines SA Pension & Life Insurance Scheme v Olympic Airlines SA (6 June 2013) ([2013] EWCA Civ 643)

http://www.bailii.org/ew/cases/EWCA/Civ/2013/643.html

A successful appeal against a secondary winding-up in England provides clarification of the meaning of “establishment” of the European Insolvency Regulation, but makes it difficult to call on the PPF where a scheme is exposed to an insolvency with main proceedings in another EU/EEA state.

A couple of good summaries (although with differing views on how things may change on the revision of the EIR) are provided by Malti Shah of Taylor Wessing (http://goo.gl/0m0aDZ), and Justin Briggs & Charles Crowne of Burges Salmon (http://goo.gl/P0I3G4).

(UPDATE 07/08/14: The enactment of the Pension Protection Fund (Entry Rules) (Amendment) Regulations 2014 have opened the way for this scheme to access the PPF. The Regulations cease to have effect on 21 July 2017 and set down such specific criteria that it seems unlikely that it will help many more schemes access the PPF. For a more detailed analysis, see Mayer Brown’s article at: http://goo.gl/Xzyx5q)

(UPDATE 21/05/15: the Supreme Court considered an appeal and swiftly dismissed it, endorsing the Court of Appeal’s earlier decision that having three employees in the country involved only in winding up the company’s affairs did not amount to “economic activity”.  The judgment, given on 29 April 2015, can be found at: http://www.bailii.org/uk/cases/UKSC/2015/27.html)

Jetivia SA & Anor v Bilta UK Limited (in liquidation) & Ors (31 July 2013) ([2013] EWCA Civ 968)

http://www.bailii.org/ew/cases/EWCA/Civ/2013/968.html

Bilta, by its liquidators, brought claims for conspiracy and dishonest assistance against the appellants, who sought to defeat the claims on the basis that, as Bilta was party to the illegal act, it could not bring the claims (the ex turpi causa principle). The appeals were dismissed.

Tom Henderson of Herbert Smith Freehills LLP has produced a good summary of the case, I think: http://www.lexology.com/library/detail.aspx?g=ead603c4-454c-4d19-ae54-4ed2196ec771

Tchenguiz & Ors v Director of the Serious Fraud Office & Ors (26 July 2013) ([2013] EWHC 2297 (QB))

http://www.bailii.org/ew/cases/EWHC/QB/2013/2297.html

The court found that the joint liquidators’ reports were not subject to litigation privilege, as the judge was not convinced that the dominant purpose for which the reports were originally produced was for obtaining information or advice in connection with pending or contemplated litigation, or for conducting or aiding in the conduct of such litigation.

Timothy Wright and Nicholas Greenwood of Morgan Lewis & Bockius LLP – http://www.lexology.com/library/detail.aspx?g=c1be8860-2d7d-466b-a1b7-3d3be7b93431 – have produced a pretty good summary of the case.

(UPDATE 15/10/13: this decision is subject to an appeal by the liquidators.)
(UPDATE 16/03/14: the liquidators’ appeal, heard on 20/02/14, was dismissed: http://www.bailii.org/ew/cases/EWCA/Civ/2014/136.html. As in the first instance, the judge emphasised “the need to establish which of dual or even multiple purposes was dominant if a plausible claim to privilege was to be made out” (paragraph 22), and felt that the appellants had not demonstrated that the dominant purpose of the communications was for use in actual or anticipated litigation. He agreed with Counsel for the respondents that, even with liquidations of this nature, it cannot be right to assume that everything that a liquidator does is in contemplation of litigation.)

Re. Southern Pacific Personal Loans Limited (8 August 2013) ([2013] EWHC 2485 (Ch))

http://www.bailii.org/ew/cases/EWHC/Ch/2013/2485.html

Liquidators estimated that the costs of responding to data subject access requests (“DSARs”) on a case amounted to £40,000 per month. Thus, they sought directions on whether there was a way of avoiding this ongoing expense.

Mr Justice David Richards concluded that the rights to control the data remained vested in the company and the company remained under a statutory obligation to deal with the DSARs. He stated that, as the liquidators acted as agents of the company, they were not data controllers in respect of the data processed by the company prior to liquidation.

In considering application of the fifth data protection principle – that personal data should not be kept for longer than is necessary for the purposes for which it was processed – David Richards J directed that the liquidators might dispose of all personal data in respect of which the company is the data controller subject to two qualifications: (i) that the company retained sufficient data to enable it to respond to DSARs made before the disposal of data; and (ii) that the liquidators retained sufficient data to enable them to deal with any claims that might be made in the liquidation.

JSC BTA Bank v Usarel Investments Limited (24 June 2013) ([2013] EWHC 1780 (Ch))

http://www.bailii.org/ew/cases/EWHC/Ch/2013/1780.html

The circumstances of this case – involving a litigation receiver seeking a ruling that his appointment to defend an action gave him power to conduct an appeal (which was not granted) – are unlikely to arise often, if at all, but I thought that Mr Justice Warren’s comments on the integrity of court-appointed receivers were worth repeating.

Warren J felt that the receivers and managers (who were appointed after the litigation receiver) were just as competent to decide on whether an appeal should be pursued as the litigation receiver. He stated: “I do not consider that it can be said that, whenever the Court appoints a receiver and manager nominated by an applicant for such an appointment, there is inevitably a justified perception of bias if the appointed nominee needs to consider whether to pursue litigation against the person who applied for his appointment. His position, as an officer of the Court, is different from that of a receiver or manager appointed for instance by the holder of a charge over the company’s assets. A perhaps justified perception of bias in relation to a receiver or manager appointed out of Court should not be allowed to infect the perception of an officer of the court” (paragraph 37).

Bestrustees Plc v Kaupthing Singer & Friedlander Limited (in Administration) (31 July 2013) ([2013] EWHC 2407 (Ch))

http://www.bailii.org/ew/cases/EWHC/Ch/2013/2407.html

Bestrustees appealed against the Administrators’ decision to reduce its proof of debt by £2 million. The Administrators’ reason for reducing the proof was because the actuary had certified that the deficit of the occupational pension scheme (“the section 75 debt”) was £74,652,000, but they had attributed no value to the £2 million deposited by the scheme with the company in a trust account, which at that time was subject to legal proceedings but the funds were paid to the scheme later.

The Administrators were ordered to reverse the £2 million reduction to the proof, primarily because they had not challenged the amount of the section 75 debt, as certified by the actuary, and they had not challenged the nil value attributed to the deposit subject to pending litigation at that time. The Chancellor of the High Court, Sir Terence Etherton, observed: “the Employer Debt Regulations require the assets and liabilities of a pension scheme to be valued, for the purposes of ascertaining the section 75 debt, in a notional exercise immediately before the trigger event, here KSF entering into administration on 8 October 2008. Changes in the value of assets or the extent of liabilities after that time are irrelevant. In the present case, just as the value of the £2 million deposit increased after 8 October 2008 as litigation progressively clarified the rights of those, including the Trustee, entitled to the money in the trust account, so the evidence also shows that the scheme’s ‘buy out’ liabilities, that is to say the notional cost of going into the market to purchase the annuities which would match the scheme’s liabilities to its pensioners and members, also increased substantially after that date” (paragraph 35).

Wood & Hellard v Gorbunova & Ors (5 July 2013) ([2013] EWHC 1935 (Ch))

http://www.bailii.org/ew/cases/EWHC/Ch/2013/1935.html

Receivers were indemnified out of the assets only to the extent of two thirds of the costs of one respondent (and 85% of another’s) on the basis that the respondent’s costs “increased by reason of the inappropriate conduct of the application by the receivers” (paragraph 66).

Mr Justice Morgan acknowledged the “difficulties the receivers found themselves in and their proper desire to get the receivership moving” (paragraph 68), but he felt that the receivers had been unwise in seeking wide-ranging orders, some elements of which were dropped later by the receivers, and that they had persuaded themselves that the respondent was being recalcitrant when the judge felt that the respondent had behaved properly throughout and simply had been subject to legitimate constraints in delivering up papers.

JSC BTA Bank v Ablyazov (25 July 2013) ([2013] EWCA Civ 928)

http://www.bailii.org/ew/cases/EWCA/Civ/2013/928.html

A freezing order was drafted in a standard form to prohibit Mr Ablyazov from in any way disposing of, dealing with, or diminishing the value of his assets. The bank sought to persuade the court that the loan facility agreements entered into by Mr Ablyazov, which enabled him to instruct the lenders to pay £40 million direct to third parties, were “assets” for the purposes of the freezing order.

The court at first instance agreed that they were choses in action, but its decision that not all choses in action were assets was appealed by the bank. Lord Justice Beatson agreed with the earlier judgment: “a man who is entitled to borrow and does so ‘is not ordinarily to be described as disposing of or dealing with an asset’. As Sir Roy Goode has stated, albeit in the context of section 127 of the Insolvency Act 1986, ‘[i]f there is one thing that is still clear in the increasingly complex financial scene … it is that a liability is not an asset and that an increase in a liability is not by itself a disposition of an asset’” (paragraph 72).