Privacy of employee and consumer information under The Insolvency (England & Wales) Rules 2016
This article forms part of a series looking at the significant changes to insolvency procedures being brought in from 6 April 2017. In this article, David Menzies looks at the changes relating to the disclosure of employee and consumer information.
The issues of identity theft, personal data and a right to privacy are found in many walks of life. When a company or business enters insolvency those issues are as relevant as ever.
The right to have personal details limited from disclosure has been set out in insolvency legislation for some time. This, however, is limited to cases where there is information to suggest that there are reasonable grounds to expect that a person is at risk of violence. In those circumstances a court order must be obtained to limit disclosure.
The Insolvency (England and Wales) Rules 2016 (the 2016 Rules) introduce some new requirements in this area. These aim to ensure names and addresses of private individuals do not routinely enter the public domain.
Statement of affairs
Where a statement of affairs is being prepared, it is required to include details of each creditor's name and address together with the amount owed to that creditor, among other information.
The 2016 Rules require that for employees (which will also include former employees) and consumers who have paid for goods and services in advance, their details should be set out on separate schedules and the statement of affairs should instead set out the number of creditors in each category and the total amount due for each category.
Filing on public record
Where the statement of affairs is required to be filed with Companies House, the office holder is required to remove the schedules relating to employees and consumers from the statement of affairs filed.
The possibility to seek a court order limiting disclosure where there are grounds to believe that disclosure of information might reasonably lead to violence against any individual remains.
The changes made in the 2016 Rules are eminently sensible. They do, however, come with some risk for an office holder.
Where the schedules are inadvertently not removed from the statement of affairs filed with Companies House, this is likely to result in a breach of the Data Protection Act 1998.
The first data protection principle set out in the Data Protection Act 1998 is that personal data should be processed ‘fairly and lawfully’. The sending of personal data to Companies House when legislation requires an office holder not to do so is therefore likely to be a breach of that principle.
In addition, there may also be a breach of the seventh data protection principle, information security. This includes the requirement that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data.
The Information Commissioner's Office expects that serious breaches of information security will be reported to it. Depending on the specific factors, such as the number and value of debt relating to those individuals, the sending of the schedules to Companies House may result in a breach having to be reported.
The management of a data protection breach is beyond the scope of this article. However, the implications of reputational damage from having to contact those employees or consumers to advise them of the breach, the regulatory impact with your authorising body and, of course, the possibility of fines of up to £500,000 (which is due to increase to the higher of €20m or 4% of global annual turnover from 25 May 2018 under the EU General Data Protection Regulation) should be understood.
It is therefore essential that staff training is undertaken and procedures are put in place to ensure that this simple change is appropriately managed.