This document sets out in detail the policy of Insolvency Support Services Ltd (“the Company”) on the protection of information relating to directors, shareholders and owners of insolvent businesses (“Corporate Clients”). Protecting the confidentiality and integrity of personal data is a critical responsibility that the Company takes seriously at all times. The Company will ensure that data is always processed fairly, in accordance with the provisions of relevant data protection legislation, including the General Data Protection Regulation (GDPR) and Data Protection Act 2018.
Data processing is any activity that involves the use of personal data. It includes obtaining, recording or holding information, or carrying out any operation or set of operations, including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal data to third parties.
Personal data is any information by which a living person to whom the data relates can be identified. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour, such as a disciplinary record. There are also “special categories” of more sensitive personal data which require a higher level of protection.
The Company necessarily collects personal data about its Corporate Clients and this Privacy Notice explains how we treat that personal data and your rights in relation to it.
This document is the Company’s Directors, Shareholders and Owners of Insolvent Businesses Privacy Notice; it explains your rights in detail. This notice, together with the information contained in the Data Processing Register, sets out the information the Company holds about Corporate Clients, the purpose for which this data is held and the lawful basis on which it is held. The Company may process personal information without the client’s knowledge or consent, in compliance with this policy, where this is required or permitted by law.
The Directors, Shareholders and Owners of Insolvent Businesses Privacy Notice and the Data Processing Register will be made available by way of a link contained within our first communication with the Corporate Client. If the purpose for processing any piece of data about the Corporate Client should change, the Company will update the Directors, Shareholders and Owners of Insolvent Businesses Privacy Notice and Data Processing Register with the new purpose(s) and the lawful basis for processing the data and will notify the Client by email.
FAIR PROCESSING PRINCIPLES
In processing Corporate Clients’ personal data, the following principles will be adhered to. Personal data will be:
- Used lawfully, fairly and in a transparent way;
- Collected only for valid purposes that are clearly explained and not used in any way that is incompatible with those purposes;
- Relevant to specific purposes and limited only to those purposes;
- Accurate and kept up to date;
- Kept only as long as necessary for the specified purposes; and
- Kept securely.
COLLECTION AND RETENTION OF DATA
How is your personal information collected?
The Company will collect personal information about Corporate Clients through the advice process, directly from Corporate Clients themselves, and also through accessing publicly available information, such as that held at Companies House. We will be the Data Controller of the information that we collect in this way and are responsible for its security and privacy.
Where we are asked to provide restructuring advice to a business, we will necessarily take steps to identify the owners and controllers of that business, in accordance with the Anti Money Laundering legislation. This process may take place without the knowledge or consent of those persons, where the instructions are received from those with management responsibility for the business’s operations (typically the directors of the business that approach us for the initial advice).
When appointed as an insolvency Office Holder in respect of an insolvent business, the Office Holder will also have access to the information contained in the business’s books and records, though in respect of this information, the Office Holder will not generally be a Data Controller of it, but will be acting as agent on behalf of the business. We may however be subject to a duty of confidentiality in respect of this information (see our Confidentiality and Data Security Policy).
Additionally, in a formal insolvency process, information may be provided to us by the Accountant in Bankruptcy (in Scotland), the Official Receiver (in England, Wales and Northern Ireland) and in all cases from the creditors, debtors and employees of the insolvent business, and/or other stakeholders in the insolvency process that make such information available to us in the course of administering the affairs of the insolvent business.
From time to time, the Company may collect additional personal information in the course of its investigations into a Corporate Client’s business affairs. These investigations may involve contacting third parties that are known or suspected to have had business or financial dealings with the Corporate Client, where we consider that the information they may provide could assist us to properly administer the affairs of the insolvent business.
What information is collected about you?
We may collect, store, and use the following categories of personal information about you:
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses;
- Date of birth;
- Marital status, co-habitees/co-occupants and dependents;
- National Insurance number;
- Occupation and function within the insolvent business;
- Bank account details, payroll records and tax status information;
- Location of employment or workplace;
- Salary/wage details;
- Pension arrangements and benefits;
- Details of any vehicle provided to you by the insolvent business;
- Details of any other valuable property (assets) that you have acquired from the insolvent business;
- Amounts of any bonuses, dividends or other financial benefits received by you from the insolvent business;
- Photo ID produced to confirm your identity;
- Details of any personal guarantees or indemnities you may have given in respect of the insolvent business’s liabilities;
- Any explanation you provide of the reasons for your business’s insolvency;
- Details of any proposed role or function you may undertake in respect of a successor business.
In limited circumstances, we may also collect, store and use the following “special categories” of more sensitive personal information:
- Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions (where you volunteer this information, though we will not ask you for it);
- Trade union membership (where you volunteer this information, though we will not ask you for it);
- Information about your health, including any medical condition, health and sickness records, particularly as it may impact on the manner in which we administer the affairs of the insolvent business (in accordance with our Vulnerable Customers Policy);
- Information about criminal convictions and offences where these may be relevant to our investigations into the assets or liabilities of the insolvent business or the circumstances leading up to its insolvency.
How is information about you used?
Personal information will only be processed when there is a lawful basis for doing so. Most commonly, the Company will use personal information in the following circumstances:
- to provide you with advice about possible restructuring solutions for your insolvent business;
- to fulfil the legal obligations placed upon an insolvency Office Holder in administering the affairs of the insolvent business;
- in connection with legal proceedings (either the insolvency proceedings themselves, such as Liquidation, Administration or Company Voluntary Arrangement, or proceedings related to a formal insolvency, such as the recovery of an asset from a third party).
The Company may also use personal information in the following situations, which are likely to be less common:
- when it is necessary to protect your interests, if you are identified as being subject to a vulnerability (in accordance with our Vulnerable Clients Policy);
- when it is necessary to protect someone else’s interests (for instance, if you have or have been alleged to have acted in a violent or abusive manner toward our staff); or
- when it is necessary in the public interest or for official purposes as an Insolvency Office Holder (such as in connection with any corporate governance offences that have or are alleged to have been committed).
A list of each category of personal data we hold, and the lawful basis we believe the Company to have for processing it, may be found in the Data Processing Register.
The situations in which we envisage using your personal information are as follows:
- To formulate any recommendations we may provide about the recovery solutions which may be available to your business;
- Making a decision about the amount you may owe to or be owed by the insolvent business;
- Making a decision about what assets you may be required to return to the insolvent business;
- Selling or otherwise disposing of the assets of the insolvent business;
- When reporting periodically to the people the insolvent business owes money to;
- Liaising with any persons that have or may have had dealings with you which are relevant to the administration of the affairs of the insolvent business;
- Gathering evidence for possible legal proceedings;
- Reporting upon your conduct in relation to the insolvent business, as required by the Company Directors Disqualification Act 1986;
- To prevent fraud, money laundering or terrorist financing;
- Any other purpose as may be required by relevant legislation in connection with your insolvency and the administration of your estate.
If you fail to provide personal information
If you fail to provide certain information when requested, we may take steps to compel you to provide it in Court and/or to acquire the information we need to properly administer the affairs of the insolvent business from third parties.
Change of purpose
Information provided by you or collected from third parties will only be used for the reason for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Special categories (sensitive) personal data
Some categories of personal data are considered by law to be particularly sensitive and are therefore classed as “special categories” of personal data. These relate to a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data. This type of data is afforded additional protection.
There are a number of situations where we might possess special categories of data about you:
- When advising you about the suitability of a possible recovery solution, you will be invited to provide us with any special category information that you would like to be taken into account by us in providing you with our advice. In particular, you may wish to provide us with information about any health, social or other personal issue that has had an impact upon your ability to continue to manage a business or to repay money that you owe to an insolvent business, or under a guarantee or indemnity in respect of that business’s debts. Such information is provided voluntarily by you and with your explicit consent. This information is only disclosed to third parties with your express permission and your consent to our holding or using this information can be withdrawn at any time.
- When you want the people that the insolvent business owes money to, to take your personal circumstances into account when deciding upon a restructuring proposal you wish to put to them, you may be asked if you would like to consent to the disclosure of special category information to them. In these circumstances, your express permission to making this disclosure may be sought, which you may wish to refuse.
- When we are administering the affairs of an insolvent business (in Liquidation, Administration, Administrative Receivership, Receivership or Company Voluntary Arrangement), we may need to assess whether you are subject to a particular circumstance, vulnerability (including a lack of mental capacity) or any other special factor which should be taken into account by us when making decisions about how we administer the affairs of the insolvent business. This information may have been provided by you directly, or may have been brought to our attention by a third party (such as the Accountant in Bankruptcy, Official Receiver, a relative or family member, or someone the business owes money to). Depending upon the nature of the information we receive, we may not need your consent to have or use this information, where it is relevant to the performance of our functions as an insolvency Office Holder.
- We may possess special category information where it is needed in relation to legal claims or proceedings relating to the affairs of the insolvent business. Depending upon the nature of the information we receive, we may not need your consent to have this information.
- When such information is needed in the public interest, such as where you lack the mental capacity to deal with the affairs of the insolvent business and/or where a lasting power of attorney has been provided to another person in respect of your affairs, we do not require your consent to have this information.
Information about criminal convictions
The Company envisages that it may hold information about criminal convictions where these are relevant to the causes of failure of the insolvent business or the performance of the functions of an insolvency Office Holder. If it becomes necessary to do so, the Company will only use this information where it has a legal basis for processing the information. This will usually be where such processing is necessary to carry out the role and function of an insolvency Office Holder.
The Company may also use information relating to criminal convictions where:
- it is necessary in relation to legal claims;
- it is necessary to protect your vital interests (or someone else’s vital interests) and you are not capable of giving consent;
- it is relevant to the statutory reporting obligations of an insolvency Office Holder;
- you have already made the information public or the information is otherwise in the public domain.
The Company will only collect information about criminal convictions if it is appropriate given the nature of the role of a restructuring advisor or insolvency Office Holder. Relevant convictions would typically be those relating to theft, fraud or dishonesty, money laundering or terrorist financing.
How long is information about you kept?
The Company will only retain Clients’ personal information for as long as necessary to fulfil the purposes it was collected for, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements. Details of retention periods for different aspects of personal information are set out in the Data Processing Register and Data Retention and Destruction Policy.
In most insolvency matters, there is a minimum statutory retention period of 6 years from the conclusion of the administration.
When determining the appropriate retention period for personal data that is not fixed by statute, the Company will consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which the personal data is processed, whether the Company can achieve those purposes through other means, and the applicable legal requirements.
Consent to data processing
The Company requires your consent to process your data when you approach us for advice about restructuring solutions. In all other circumstances, the Company does not require consent from Corporate Clients to process most types of personal data, as there will either be a contractual requirement upon us (once you have appointed us to advise you) or where we are administering a formal insolvency, we will be performing the statutory function of an insolvency Office Holder.
The Company will not usually need consent to use special categories of personal data or information about criminal convictions in order to carry out legal obligations or exercise specific rights in the field of insolvency administration.
In limited circumstances, for example where you are asking the people the insolvent business owes money to, to take your personal circumstances into account, you may be asked for written consent to process sensitive data. In those circumstances, Corporate Clients will be provided with full details of the information that is sought and the reason it is needed, so that you can carefully consider whether to consent. It is not a condition of us providing you with restructuring advice or insolvency services that you agree to any request for consent.
Where Corporate Clients have provided consent to the collection, processing and transfer of personal information for a specific purpose, they have the right to withdraw future consent for that specific processing at any time (although a consent to a prior disclosure cannot be withdrawn once the disclosure has been made). Once the Company has received notification of withdrawal of consent it will no longer process information for the purpose or purposes originally agreed to, unless it has another legitimate basis for doing so in law.
Automated decision making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. The Company does not envisage that any decisions will be taken about Corporate Clients using automated means; however, they will be notified if this position changes.
DATA SECURITY AND SHARING
The Company has put in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Details of these measures are contained in our Confidentiality and Data Security Policy.
In summary, access to personal information is limited to those Staff Members, agents, contractors and other third parties who have a business need to know. They will only process personal information on the Company’s instructions and are subject to a duty of confidentiality. The Company expects Staff Members handling personal data to take steps to safeguard personal data of Corporate Clients in line with this and the Confidentiality and Data Security Policy.
The Company requires third parties to respect the security of personal data and to treat it in accordance with the law. Personal data about Corporate Clients will only be shared to the extent it is lawful and necessary.
The Company may share Clients’ data with third-party service providers where it is necessary to administer an insolvent estate, in connection with legal claims or where the Company has another legitimate interest in doing so (subject at all times to Client confidentiality).
The following activities are commonly carried out by third-party service providers:
- Legal advice
- Debt collection
- Valuation services
- Asset uplift and sale at public auction
- Securing trading premises
- Specialist industry support (e.g. veterinary services/quantity surveying services)
Occasionally, we may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.
Transfer of data outside the EU
We do not anticipate the transfer of your data outside the EU. The Company holds personal data in its physical files and on its internal servers, which are located at the Company’s registered office. Our servers are subject to off-site backup to a cloud service provider which is based within the EEA (in the Republic of Ireland). You will be notified in the event the Company intends to transfer your data outside of the EU.
CORPORATE CLIENT’S RIGHTS
Accuracy of data
The Company will conduct regular reviews of the information held by it to ensure the relevancy of the information it holds. Corporate Clients should inform the Company of any changes to their current circumstances. Where a Corporate Client has concerns regarding the accuracy of personal data held by the Company, they should contact their Case Administrator to request an amendment to the data.
Under certain circumstances, Corporate Clients have the right to:
- Request access to personal information (commonly known as a “subject access request”).
- Request erasure of personal information.
- Object to processing of personal information where the Company is relying on a legitimate interest (or those of a third party) to lawfully process it.
- Request the restriction of processing of personal information.
- Request the transfer of personal information to another party.
If a Corporate Client wishes to make a request on any of the above grounds, they should contact their Case Administrator, in writing (email is acceptable for this purpose). You will usually be entitled to know what personal information we hold about you.
Please note that, depending on the nature of the request, the Company may have good grounds for refusing to comply. If that is the case, you will be given an explanation by the Company.
- Advice Clients: If we have provided you with advice about restructuring options, you will have a number of rights available to you, which may include access, restriction or transfer and to a lesser degree, erasure.
- Insolvency Clients: Where we are administering the insolvency of a business (in Liquidation, Administration, Administrative Receivership, Receivership or Company Voluntary Arrangement), there are certain periods that the law requires us to maintain information about the case (typically 6 years from the conclusion of the administration). Full details of relevant retention periods are listed in our Data Processing Register. In insolvency cases, we are unlikely to be able to agree to a request to erase, restrict or transfer your information, but will explain this to you in further detail should such a request be made.
- Legal Claims: Where legal claims are involved, we may not be able to provide you with access to all of the information we hold, as some of it will be subject to legal professional privilege.
Accessing the information we hold
Corporate Clients will not normally have to pay a fee to access personal information (or to exercise any of the other rights). However, the Company may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, the Company may refuse to comply with the request in such circumstances.
The Company may need to request specific information from the Corporate Client to help confirm their identity and ensure the right to access the information (or to exercise any of the other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
COMPLIANCE WITH DATA PROTECTION
The Company’s responsibility for compliance
Given the size of the Company, it has not been deemed necessary to formally appoint a Data Protection Officer. Oversight of data privacy throughout the Company and its operations rests collectively with our Directors. In insolvency cases, ultimate responsibility rests with the named Licensed Insolvency Practitioner that has been appointed in respect of an insolvent business’s affairs.
If a Corporate Client has any questions about this policy or how the Company handles personal information, they should contact their Case Administrator at first instance. If they are dissatisfied with the response they receive (or no response is received) Corporate Clients should contact their Advising Director (for Advice Clients) or their Licensed Insolvency Practitioner (for Insolvency Clients).
Clients have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
Data security breaches
The Company has put in place procedures to deal with any data security breach and will notify Corporate Clients and any applicable regulator of a suspected breach where legally required to do so. Details of these measures are contained in the Company’s Data Breach Policy.
In certain circumstances, the Company will be required to notify regulators of a data security breach within 72 hours of the breach.
If you have any concerns about the security of the personal data we hold about you, or suspect that a data breach has occurred, you should contact your Case Administrator at first instance. If they are dissatisfied with the response they receive (or no response is received) Corporate Clients should contact their Advising Director (for Advice Clients) or their Licensed Insolvency Practitioner (for Insolvency Clients).
Privacy by design
The Company will have regard to the principles of this policy and relevant legislation when designing or implementing new systems or processes (known as “privacy by design”). The importance of data privacy has already been reflected and incorporated into all of our policies, processes and notices, including those in respect of:
- Confidentiality and Data Security Policy
- Data Breach Policy
- Data Retention and Destruction Policy
- Data Subject Access Policy
- Data Protection in Formal Appointments Policy
- Privacy Notices
- Special Category Data Policy
- Supplier Oversight Policy
- Vulnerable Customers Policy
CHANGES TO THIS PRIVACY NOTICE
The Company reserves the right to update this privacy notice at any time, and we will provide you with access to a new privacy notice when we make any substantial updates.