This document sets out in detail the policy of Insolvency Support Services Ltd (“the Company”) on the protection of information relating to creditors, book debtors, employees and other stakeholders (“Stakeholders”) of insolvent entities whose affairs the Company is administering. Protecting the confidentiality and integrity of personal data is a critical responsibility that the Company takes seriously at all times. The Company will ensure that data is always processed fairly, in accordance with the provisions of relevant data protection legislation, including the General Data Protection Regulation (GDPR) and Data Protection Act 2018.
Data processing is any activity that involves the use of personal data. It includes obtaining, recording or holding information, or carrying out any operation or set of operations, including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal data to third parties.
Personal data is any information by which a living person to whom the data relates can be identified. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour, such as a disciplinary record. There are also “special categories” of more sensitive personal data which require a higher level of protection. Information about criminal convictions is also afforded higher levels of protection.
The Company necessarily collects personal data about its Staff Members and Job Applicants and this Privacy Notice explains how we treat that personal data and your rights in relation to it.
This document is the Company’s Stakeholders Privacy Notice, it explains your rights in detail. This notice, together with the information contained in the Data Processing Register set out the information the Company holds about Corporate Clients, the purpose for which this data is held and the lawful basis on which it is held. The Company may process personal information without the client’s knowledge or consent, in compliance with this policy, where this is required or permitted by law.
The Stakeholders Privacy Notice and the Data Processing Register will be made available by way of a link contained within our first communication with Stakeholder. If the purpose for processing any piece of data about the Corporate Client should change, the company will update the Stakeholders Privacy Notice and Data Processing Register with the new purpose(s) and the lawful basis for processing the data and will notify the Stakeholder by email.
FAIR PROCESSING PRINCIPLES
In processing Staff Members’ and Job Applicants’ personal data, the following principles will be adhered to. Personal data will be:
- Used lawfully, fairly and in a transparent way;
- Collected only for valid purposes that are clearly explained and not used in any way that is incompatible with those purposes;
- Relevant to specific purposes and limited only to those purposes;
- Accurate and kept up to date;
- Kept only as long as necessary for the specified purposes; and
- Kept securely.
COLLECTION AND RETENTION OF DATA
How is your personal information collected?
When the Company provides advice to an individual or business about its financial difficulties, they will be asked to provide us with certain information in order that we can get a full picture of their circumstances. When an individual or business is subject to formal insolvency proceedings, the individual or controllers of the business are required to provide certain information.
During the course of administering an insolvency case, we will also be provided with information from a number of other sources, such as the Accountant in Bankruptcy (in Scotland), the Official Receivers (in England, Whales and Northern Ireland) and in all cases from the creditors, debtors and employees of the insolvent business, and/or other stakeholders in the insolvency process that make such information available to us in the course of administering the affairs of the insolvent business. We will typically be the Data Controller in respect of the information contained in our files.
When appointed as an insolvency Office Holder in respect of an insolvent business, the Office Holder will also have access to the information contained in the business’s books and records, though in respect of this information, the Office Holder will not generally be a Data Controller of it, but will be acting as agent on behalf of the business. We may however be subject to a duty of confidentiality in respect of this information (see our Confidentiality and Data Security Policy), and will at all times act lawfully in relation to this data.
What information is collected about you?
Creditors: If you are owed money as an individual (for instance, because you are a sole trader who has not been paid for work you have conducted), we need to know your name, address, contact email (if you have one) and confirmation of the amount you are owed. This is so that we can contact you with notification about the case and provide you with an opportunity to exercise your rights, as a creditor in an insolvency. We will be unlikely to hold any other personal information about you.
Book Debtors: If you are a customer of a business that is insolvent and haven’t paid for the product or service you received, it is likely that we will hold details of your name, address, contact email (if you have one) and confirmation of the amount you owed to the insolvent business. We need this information so that we can collect any amounts that are due to the business. We will be unlikely to hold any other personal information about you.
Employees: If you were employed by a business that has become insolvent, the insolvency Office Holder has a number of responsibilities in relation to money that the business owes you. We are likely to be processing the following information:
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses;
- Date of birth;
- National Insurance number;
- Occupation and function within the insolvent business;
- Bank account details, payroll records and tax status information;
- Location of employment or workplace;
- Salary/wage details;
- Record of your holiday entitlement and other absence information.
We may also have access to your full personnel file, although this will be information we have access to as agent on behalf of your former employer and we do not consider ourselves to be the Data Controller of it, although will use our best endeavours to ensure that it is only processed in accordance with the legislation.
Other Stakeholders: An insolvency Office Holder will interact with various parties in the course of their investigations into and administration of the affairs of an insolvent entity (whether that be an insolvent individual or business).
In the course of that work, we may come into possession of various items of personal data, such as (but not limited to):
- Share ownership information;
- the contents of wills;
- the details of beneficiaries under a trust;
- the beneficiaries under assurance and insurance policies;
- vehicle ownership details;
- the details of joint owners of property or other assets;
- the spouses, co-habitees and dependents of insolvent individuals and their financial contribution to shared expenditure;
- details of parties jointly liable for any debts owed by the insolvent entity;
- any other information that is relevant to the assets, liabilities of causes of failure of the insolvent entity
How is information about you used?
Personal information will only be processed when there is a lawful basis for doing so. Most commonly, the Company will use personal information collected in connection with insolvency proceedings for the proper performance of the statutory functions of an insolvency Office Holder and/or where it is necessary to do so in respect of legal claims.
A list of each category of personal data we hold and the lawful basis we believe the Company to have for processing it may be found in the Data Processing Register.
The situations in which we envisage using your personal information are as follows:
- • to notify you of your rights as a creditors or former employee;
- to adjudicate on the amounts you claim to be owed by an insolvent entity;
- to recover money that you owe to an insolvent entity;
- in pursuance of the lawful functions of an insolvency Office Holder in investigating the affairs of the insolvent and the causes of their insolvency;
- in the recovery of any assets that you have acquired from the insolvent entity in a manner which may be challengeable under law;
- when selling or otherwise disposing of the assets of the insolvent business;
- • when reporting periodically to the people the insolvent business owes money to;
- • when gathering evidence for possible legal proceedings;
- • when reporting upon directors’ conduct in relation to the insolvent business, as required by the Company Directors Disqualification Act 1986;
- • to prevent fraud, Money Laundering or Terrorist Financing;
- any other purpose as may be required by relevant legislation in connection with the administration of the affairs of the insolvent entity.
If you fail to provide personal information
If you fail to provide certain information when requested, you may be unable to asset your rights in the insolvency proceedings. In some instances, the insolvency Office Holder may take steps to compel you to provide it in Court and/or to acquire the information we need to properly administer the affairs of the insolvent business from third parties.
Change of purpose
Information provided by you or collected from third parties will only be used for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Special categories (sensitive) personal data
Some categories of personal data are considered by law to be particularly sensitive and are therefore classed as “special categories” of personal data. These relate to a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data. This type of data is afforded additional protection.
What constitutes special categories of data and how it is processes and protected is explained in greater detail in our Special Category Data Policy and Vulnerable Clients Policy.
There are a limited number of situations where we might possess special categories of data about Stakeholders:
When we are administering the affairs of an insolvent business entity we made need to assess whether as Stakeholder is subject to a particular circumstance, vulnerability (including a lack of mental capacity) or any other special factor which should be taken into account by us when making decision about how we administer the affairs of the insolvent entity. This information may have been provided by you directly, or may have been brought to our attention by a third party (such as the Accountant in Bankruptcy, Official Receiver, a relative or family member, or someone the business owes money to). Depending upon the nature of the information we receive, we may not need you consent to have or use this information, where it is relevant to the performance of our functions as an insolvency Office Holder;
We may possess special category information where it is needed in relation to legal claims or proceeding relating to the affairs of the insolvent business. Depending upon the nature of the information we receive, we may not need you consent to have this information.
We consider it unlikely that we will be routinely processing special categories of personal data, other than in relation to the claims of employees as against their former employer. In this regard, we will generally be acting as agent on behalf of the insolvent business, rather than as Data Controller.
Information about criminal convictions
The Company envisages that it may hold information about criminal convictions where these are relevant to the causes of failure of the insolvent business or the performance of the functions of an insolvency Office Holder. If it becomes necessary to do so, the Company will only use this information where it has a legal basis for processing the information. This will usually be where such processing is necessary to carry out the role and function of an insolvency Office Holder.
The Company may also use information relating to criminal convictions where:
- it is necessary in relation to legal claims;
- it is necessary to protect a person’s vital interests and they are not capable of giving consent;
- it is relevant to the statutory reporting obligations of an insolvency Office Holder;
- the information is already in the public domain.
The Company will only collect information about criminal convictions if it is appropriate given the nature of the role of a restructuring advisor or insolvency Office Holders. Relevant convictions would typically be those relating to theft, fraud or dishonesty, money laundering or terrorist financing.
How long is information about you kept?
The Company will only retain personal information for as long as necessary to fulfil the purposes it was collected it for, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements. Details of retention periods for different aspects of personal information are set out in the Data Processing Register and Data Retention and Destruction Policy.
In most insolvency matters, there is a statutory retention period of 6 years from the conclusion of the administration.
When determining the appropriate retention period for personal data that is not fixed by statute, the Company will consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which the personal data is processed, whether the Company can achieve those purposes through other means, and the applicable legal requirements.
Consent to data processing
The Company does not require consent from Stakeholders to process most types of personal data, as where we are administering a formal insolvency, we will be performing the statutory function of an insolvency Office Holder and/or are acting in pursuit or defence of legal claims.
The Company will not usually need consent to use special categories of personal data or information about criminal convictions in order to carry out legal obligations or exercise specific rights in the field of insolvency administration.
Automated decision making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. The Company does not envisage that any decisions will be taken about Stakeholders using automated means, however they will be notified if this position changes.
DATA SECURITY AND SHARING
The Company has put in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Details of these measures are contained in our Confidentiality and Data Security Policy.
In summary, access to personal information is limited to those Staff Members, agents, contractors and other third parties who have a business need to know. They will only process personal information on the Company’s instructions and are subject to a duty of confidentiality. The Company expects Staff Members handling personal data to take steps to safeguard personal data of Corporate Clients in line with this and the Confidentiality and Data Security Policy.
The Company requires third parties to respect the security of personal data and to treat it in accordance with the law. Personal data about Stakeholders will only be shared to the it is lawful and necessary.
There are a number of instances where the insolvency legislations requires an insolvency Office Holder to share a list of the names, addresses and amounts owed to the creditors with the other creditors of the company, and in company insolvency, may also be filed at Companies House.
Some of your personal data may be shared with the Redundancy Payments Service in order that they can make payments to you.
The Company may share Stakeholder’s data with third-party service providers where it is necessary to administer an insolvent estate, in connection with legal claims or where the Company has another legitimate interest in doing so (subject at all times to Client confidentiality).
The following activities are commonly carried out by third-party service providers:
- Legal services
- Debt collection
- Valuation services
- Asset uplift and sale at public auction
- Securing trading premises
- Specialist industry support (eg veterinary services/quantity surveying services)
Occasionally, we may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.
Transfer of data outside the EU
We do not anticipate the transfer of your data outside the EU. The Company holds personal data in its physical files and on its internal servers, which are located at the Company’s registered office. Our servers are subject to off-site backup to a cloud service provider which is based within the EEA (in the Republic of Ireland). You will be notified in the event the Company intends to transfer your data outside of the EU.
STAKEHOLDERS’ CLIENT’S RIGHTS
Accuracy of data
Stakeholders should to inform the Company of any changes to their contact information or the amount they believe to be owed to them. Where a Stakeholder has concerns regarding the accuracy of personal data held by the Company, they should contact their Case Administrator to request an amendment to the data.
Under certain circumstances, Stakeholders have the right to:
• Request access to personal information (commonly known as a “subject access request”).
• Request erasure of personal information.
• Object to processing of personal information where the Company is relying on a legitimate interest (or those of a third party) to lawfully process it.
• Request the restriction of processing of personal information.
• Request the transfer of personal information to another party.
If a Stakeholder wishes to make a request on any of the above grounds, they should contact their Case Administrator, in writing (email is acceptable for this purpose). You will usually be entitled to know what personal information we hold about you.
Please note that, depending on the nature of the request, the Company may have good grounds for refusing to comply. If that is the case, you will be given an explanation by the Company.
Where we are administering the affairs of an insolvent entity, there are certain periods that the law requires us to maintain information about the case (typically 6 years from the conclusion of the administration). Full details of relevant retention period are listed in our Data Processing Register. In insolvency cases, we are unlikely to be able to agree to a request to erase, restrict or transfer your information, but will explain this to you in further detail should such a request be made.
Where legal claims are involved, we may not be able to provide you with access to all of the information we hold, as some of it will be subject to legal professional privilege.
Accessing the information we hold
Stakeholders will not normally have to pay a fee to access personal information (or to exercise any of the other rights). However, the Company may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, the Company may refuse to comply with the request in such circumstances.
The Company may need to request specific information from the Stakeholder to help confirm their
identity and ensure the right to access the information (or to exercise any of the other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
COMPLIANCE WITH DATA PROTECTION
The Company’s responsibility for compliance
Given the size of the Company, it has not been deemed necessary to formally appoint a Data Protection Officer. Oversight of data privacy throughout the Company and its operations rests collectively with our Directors. In insolvency cases, ultimate responsibility rests with the named Licensed Insolvency Practitioner that has been appointed in respect of an insolvent entity’s affairs.
If Stakeholders have any questions about this policy or how the Company handles personal information, they should contact the Case Administrator at first instance. If they are dissatisfied with the response they receive (or no response is received) stakeholders should contact the Licensed Insolvency Practitioner appointed in respect of the case.
Stakeholders have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
Data security breaches
The Company has put in place procedures to deal with any data security breach and will notify Stakeholders and any applicable regulator of a suspected breach where legally required to do so. Details of these measures are contained in the Company’s Data Breach Policy.
In certain circumstances, the Company will be required to notify regulators of a data security breach within 72 hours of the breach.
If you have any concerns about the security of the personal data we hold about you, or suspect that a data breach has occurred, you should contact the Case Administrator at first instance. If you are dissatisfied with the response they receive (or no response is received) Stakeholders should contact the Licensed Insolvency Practitioner appointed in respect of the case.
Privacy by design
The Company will have regard to the principles of this policy and relevant legislation when designing or implementing new systems or processes (known as “privacy by design”). The importance of data privacy has already been reflected and incorporated into all of our policies, processes and notices, including those in respect of:
- Confidentiality and Data Security Policy
- Data Breach Policy
- Data Retention and Destruction Policy
- Data Subject Access Policy
- Privacy Notices
- Special Category Data Policy
- Supplier Oversight Policy
- Vulnerable Clients Policy
CHANGES TO THIS PRIVACY NOTICE
The Company reserves the right to update this privacy notice at any time, and we will provide you with access to a new privacy notice when we make any substantial updates.