Wednesday, October 24, 2018

Personal data in the Statement of Affairs

IPs are cautious about unwittingly breaching the new Data Protection Act 2018 (DPA) that came into force in May this year and implemented the Global Data Protection Regulations (GDPR). That caution is especially apparent when it comes to the Statement of Affairs and what should, or should not, be included in it when sending it to creditors and Companies House. We regularly hear of creditors asking why their details have been issued “in contravention of GDPR”, often using templates that they have obtained from the internet to help them raise a GDPR breach. While IPs should take care, and we can understand a creditor’s concerns, this Blog post will explain why some disclosure is not a GDPR breach at all.

Section 8 of the Data Protection Act 2018 expands on the GDPR to say what, in English Law, the “lawful processing” of data is that would not require consent. It says:

“In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority includes processing of personal data that is necessary for— 

  (a) the administration of justice, 
  (b) the exercise of a function of either House of Parliament, 
  (c) the exercise of a function conferred on a person by an enactment or rule of law,
  (d) the exercise of a function of the Crown, a Minister of the Crown or a government       department, or
  (e) an activity that supports or promotes democratic engagement.”

Under (c), if you are carrying out a required statutory function, therefore, the DPA restrictions regarding the use of personal data do not apply.

When it comes to sending the statement of affairs to creditors on behalf of the director to seek a decision on the appointment of a liquidator in a CVL, that is required to be done by rule 6.14, and section 99(2) says that “the statement of affairs must include the names and addresses of the company’s creditors”. Rule 6.4(3) requires you to split out the employees and consumer deposit creditors into separate schedules, but Rule 6.3(6) only excludes those schedules from the copy filed at Companies House. Therefore, the requirement to send a statement of affairs to creditors pre-appointment is the full statement of affairs, including full details of the names, addresses and amounts owed to employees and consumer deposit creditors, not the redacted version. As a result, since you are carrying out a required statutory function you do not need the permission of any individuals to include their personal data, i.e. names, addresses and levels of debt, in the statement of affairs and are not in breach of the GDPR.

In contrast, because the legislation only requires you to send the redacted version to Companies House, it is only the redacted version that is made available to the wider public, not the full version that you originally issued to creditors, including all the names, addresses and amounts owed to employees and consumer deposit creditors. 

Watch out also for rule 1.57 (2)(a), which says that you only have to provide a list of creditors when requested by a creditor until a copy has been filed at Companies House, so once you are in office and have filed the statement of affairs, creditors would only have access to the redacted version. It is then at this point that you would be breaching the GDPR if you sent creditors a copy of the full unredacted version of the statement of affairs, or made it available on a website, post appointment. There is, however, one exception to this, since rule 6.15(1) requires the liquidator to send a statement of affairs, or summary of it, to any creditors on appointment to whom the notice regarding the decision to appoint a liquidator under rule 6.14 was not sent. Again, there would be protection from sending out a copy of the full statement of affairs including the personal data of employees and consumer deposit creditors since it is being done as a result of a statutory requirement to do so.

Feedback from clients is that directors have been questioning the need to include personal data of employees and consumer deposit creditors in the unredacted statement of affairs sent to creditors, but if they fail to provide the full statement of affairs, it is an offence, punishable by a fine under section 99(3) and as stated above it is a statutory requirement that must be complied with.

There are a couple of other instances where you are required, by statute, to provide the creditors’ names and addresses. In the proposals for CVAs (rule 2.25(3)(d)) and IVAs (rule 8.22(6)), you have to include the statement of affairs, or a summary of it that includes the names and addresses of creditors. In both of those situations, therefore, you are not breaching GDPR by issuing the required information.

While that should reassure you that you are protected legally, we’ve been doing some thinking about how you might deal with this practically. After all, unless someone has quite detailed knowledge of Data Protection and Insolvency law or reads the odd excellent Blog article on the subject, they are likely to be alarmed to see their details circulated. It might help, therefore, to include a brief explanatory note when sending lists of creditors out in VAs or issuing statements of affairs in CVLs. On one hand, such a notice may simply bring the issue to the attention of creditors who had never considered it, but on the other hand it may help to explain the situation to those who have concerns so that they feel less inclined to write a strongly worded letter of protest.

You will also need to be careful how you deal with those who complain. They may not be too impressed with a legal answer, when they are already annoyed, however unjustified. It might help, instead, to email the explanation, but tell them at the start that it is a rather legalistic explanation and that you are happy to explain more on the phone. It may be that talking on the phone could allow you to explain how little impact the SA disclosure is likely to have at this stage. Realistically, the only harassment most creditors are likely to suffer is from ambulance chasers and other IPs trying to pinch the job off you! This could be a chance for you to gather more information about the case and ensure that the creditor understands your duty to do your best for all creditors, protecting you from the poachers.