An interesting discussion arises from the recent judgment of Justice David Richards in the case of Southern Pacific Personal Loans Ltd [2013] EWHC 2485 (CH) where the judge drew a distinction between the obligations of liquidators under the Data Protection Act 1998 (the Act) as principal of the liquidated company and where the liquidator is a Data Controller under the Act as opposed to obligations as agent of the company where the liquidator is deemed a Data Processor. The issue is that as a Data Processor, the liquidator is not directly subject to the obligations of a Data Controller to comply with the 8 Data Protection Principles.
In this case, the liquidators in the voluntary winding up of the company were inundated with data subject access requests (DSARs) under s7 of the Act in relation to whether customers of redeemed loans had previously been mis-sold personal protection insurance. The personal data pertaining to such customers was stored within and processed by an associated company. The costs of complying with such requests were escalating to such a level that the liquidators were concerned that it would have a material impact on the distribution of funds to creditors. Accordingly, they requested an opinion on whether they were ‘data controllers’ for the purposes of the Act and if so, whether they could dispose of all personal data in their control.
Justice Richards stated that it was important to differentiate between the activities of the liquidators performed by virtue of their office as liquidators (i.e. as principal) and activities performed in the capacity as agents of the company. All insolvency practitioners taking office are required to be registered as Data Controllers under the Act due to the fact that personal data will be processed and retained by them during the course of performing their duties. The issue was whether they were data controllers with regard to the data processed by the Company in respect of the redeemed loans. The Judge held that in the context of processing such data, the liquidators were acting as agents of the Company not as principal (as they would be if they were processing a creditor’s claim for example) and they were not data controllers. It followed that the liquidators were not personally responsible for responding to the DSARs.
Looking at whether the liquidators were entitled to dispose of the personal data relating to the redeemed loans, the Judge looked at the Fifth Data Protection Principle which provides that data shall not be kept for longer than is required for the purposes for which it was processed. The liquidators were entitled to dispose of the personal data provided that they retained sufficient data to enable them to respond to DSARs and to deal with any claims in the liquidation. The liquidators were required to advertise for PPI claims against the Company, inviting proofs by a certain date. Provided that sufficient publicity was given to such advertisement, the liquidators could proceed with distributing the assets of the Company without regard to those claims which had not been notified to them by the closing date and were able to dispose of the remaining data.
The key issue arising from this case is the distinction between a liquidator’s activities as Principal of the company in liquidation – in which case the liquidator is a Data Controller under the Act and obliged to comply with the 8 Data Protection Principles – or his/her activities as Agent of the company, in which case the liquidator is merely a Data Processor.