The High Court has confirmed that all rights relating to the control of data belonging to, or being controlled by, a company at the time it entered into liquidation remain vested in the company at and following its liquidation. Liquidators are therefore not personally liable for compliance with the Data Protection Act 1998 in respect of this data as they will be viewed as agents acting for the company rather than as 'data controllers'.
The case concerned the liquidation of Southern Pacific Personal Loans Limited, which entered creditors' voluntary liquidation in September 2012. The Company, a member of the Lehman Brothers group of companies, had provided loans to individuals resident in Great Britain, secured by way of second charge on their homes. By the time of the liquidation, the Company's business had ceased and the benefit of all outstanding loans had been transferred to a third party.
The case was heard following an application to the High Court by the liquidators of the Company under section 112(1) of the Insolvency Act 1986. The primary matter put to the Court was whether the commencement of liquidation and the appointment of liquidators rendered the liquidators, in place of or in addition to the Company, a 'data controller' in respect of data processed by the Company. A 'data controller' is personally responsible for determining the purposes for which, and the manner for which, any personal data is processed. In processing such data, the 'data controller' must comply with all obligations under the Data Protection Act 1998, including the data protection principles set out in Schedule 1 of that Act. Failure to comply with the Act can result in criminal as well as civil liability, as well as inevitable accompanying negative press.
The Court determined, in relation to the data that belonged to, or was under the control of, the Company when it went into liquidation, that all rights to control the data remained vested in the Company at and following its liquidation. The Court confirmed that the liquidators were not personally liable for compliance with the Data Protection Act 1998 in respect of that data. Therefore, in exercising any rights in respect of the data, the liquidators would be acting as the agents of the Company rather than as 'data controllers'. The liquidators also sought clarification from the Court in respect of the disposal of data, pursuant to the fifth data protection principal under Schedule 1 of the Data Protection Act 1998. The principal states that "personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes".
In order for the Company to comply with the fifth data protection principle the liquidators were given permission to dispose of the data as soon as possible, as retention was no longer necessary to administer the loans. This was subject to two qualifications. First, that the Company should retain sufficient data to enable it to respond to any data subject access requests which had been made before the disposal of the data and, second, that the liquidators should retain sufficient data to enable them to deal with any claims that may be made in the liquidation.
The Court stated that when data subject access requests are served on a company it remains under a statutory obligation to deal with them, provided that they are properly made. The Court further stated that enforcement action might be taken and orders might be made against a company, notwithstanding that it was in liquidation.
The Court indicated that the position would have been the same if the Company had been in compulsory liquidation rather than creditors' voluntary liquidation, although it did not turn its attention to administrations.