In a test case which gives important guidance on the inter-relationship between the Data Protection Act 1998 (the DPA) and the winding-up of insolvent companies, the High Court has ruled that liquidators are not to be viewed as ‘data controllers’ and are under no personal duty to respond to requests for information.
A loans company had gone into liquidation with liabilities of more than £10 million and assets of about £3 million. Since it became insolvent it had received a deluge of data access requests from claims handling firms seeking to investigate potential payment protection insurance (PPI) mis-selling claims. The cost of dealing with those requests was almost £600,000-a-year and threatened to greatly reduce sums available for distribution to creditors. In those circumstances, the company’s liquidators sought the Court’s guidance as to their duties under the DPA.
In ruling that the liquidators were not ‘data controllers’ within the meaning of the DPA, the Court found that title to the company’s assets remained with the company notwithstanding its liquidation and that, in taking control of those assets, the liquidators were acting not as principals but as the company’s agents, effectively replacing the control formerly exercised by the company’s board. Ownership and control over the relevant data also remained with the company and the liquidators were not personally responsible for compliance with the provisions of the DPA.
The Court noted that the company itself remained subject to a duty to deal with the data in accordance with the DPA. However, the liquidators were entitled to proceed with the distribution of the company’s assets without regard to any possible claims which had not yet been notified to them. Although there was a duty to retain any data required to deal with such claims as may be lodged, the liquidators were not obliged to retain data so that it would remain available to be mined by former customers or claims handling firms with a view to making claims against third parties.
Noting that the company had not itself sold PPI, and that it had divested itself of its active loan book and retained data only in respect of redeemed loans, the Court ruled that the company, acting by its liquidators, was entitled to dispose of all the relevant personal data in a manner which complied with the safeguards contained within the DPA.