This document sets out the policy of Insolvency Support Services Ltd (“the Company”) on the way we oversee the data processing activities of our suppliers.
Why is oversight required?
The Company takes data privacy seriously. When we share personal data with a supplier, we require assurance that they operate to the same high standards that we apply internally.
Suppliers of Professional Services – (Joint) Data Controllers
In some instances, when we share the personal data we control, the party we share it with will be the provider of a professional service to us, for example in our role as an employer, or in connection with a formal insolvency appointment. In such instances, that supplier will generally be a data controller in their own right, as a result of the nature of the service they are supplying to us and the level of control they have over the data they hold.
While we still expect such parties to fully comply with both confidentiality requirements and data protection privacy legislation, they will themselves be legally responsible for the data we have shared with them, as a Data Controller of that data. The Company retains its own responsibility as a Data Controller.
Examples of professional services providers that we consider will be acting as Data Controller include:
- Counsel, barristers, solicitors, recruitment consultants, HR consultants or other legal advisers engaged and instructed by the Company in its capacity as an employer;
- Accountancy service providers to the Company;
- Professional services providers instructed by an insolvency Office Holder to assist them in their capacity as such:
  - Legal advisers;
  - Debt Collection Agents;
  - Professional Valuers;
  - Forensic Accountants;
  - Customer Due Diligence Service Providers;
- Regulatory authorities with statutory or regulatory rights to employee and/or client information.
Such suppliers are expected to notify us in the event of a Data Breach, in accordance with the provisions of the legislation.
Suppliers of Other Services – Data Processors
From time to time we will use the services of other businesses, in relation to the administration of our own Company and/or in the course of acting as an insolvency Office Holder. Where these parties are instructed by us in relation to their processing of the personal data we control, they will be “Data Processors”.
The types of business we anticipate instructing as Data Processor include:
- In any case:
  - Outsourced printing services;
  - Courier and mail delivery services;
  - Record storage services;
  - Cloud service providers;
- In relation to the conduct of our business:
  - Marketing consultants;
  - IT service providers;
  - Payroll services;
  - Generic HR services;
  - Website developers;
- In relation to our acting as an insolvency Office Holder:
  - Data reconstruction specialists;
  - Non-professional agents;
  - Compliance service providers.
Oversight of Data Processors
Where we use a data processor, the Company ensures it has a written contract in place which sets out:
- The subject matter and duration of the processing;
- The nature and purpose of the processing;
- The types of personal data and categories of data subjects; and
- Our obligations and rights as the Data Controller.
Our contracts require the Data Processors we use to:
- Only act on the written instructions of the Company;
- Ensure that people processing the data are subject to a duty of confidence;
- Take appropriate measures to ensure the security of processing;
- Only engage sub-processors with the prior consent of the Company and under a written contract;
- Assist the Company in providing subject access and allowing data subjects to exercise their rights under the GDPR;
- Assist the Company in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- Delete or return all personal data to the Company as requested at the end of the contract;
- Submit to audits and inspection;
- Provide the Company with whatever information it needs to ensure that both parties are meeting their respective Article 28 obligations;
- Tell the Company immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
We expect processors to provide sufficient guarantees that the requirements of the GDPR will be met and the rights of data subjects protected. Data processors are reminded that they must:
- not use a sub-processor without the prior written authorisation of the Company;
- co-operate with supervisory authorities (such as the ICO);
- ensure the security of their processing;
- keep records of their processing activities;
- notify any personal data breaches to the Company.
If a processor fails to meet any of these obligations, or acts outside or against the instructions of the controller, then it may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures.
The Data Processors used by the Company are registered in our Register of Data Processors.
Processing Sensitive Personal Information
The Company will seek to ensure that the processing activities of its suppliers (whether as Data Controllers or Data Processors) in relation to sensitive personal information are lawful, fair, transparent and in accordance with our Special Category Data Policy.
Access to sensitive personal information is restricted to those suppliers of services that have a specific and identifiable need to access it. Most commonly, sensitive personal information may be made available to legal representatives in connection with legal proceedings or where it is otherwise relevant to the performance of the statutory functions of an insolvency Office Holder.