Do administrators have to comply with subject access requests?
As a reminder, under GDPR, individuals have a right, subject to certain exceptions, to access their personal data held by a controller.
If the controller fails to comply with that request, unless they fall within one of the exceptions, the individual can go to court to enforce their rights and bring a statutory compensation claim. Also, the Information Commissioner has powers to issue an enforcement notice and impose financial penalties.
Administrators as controllers
Administrators (or liquidators) will be controllers for data they hold while performing duties where they are not acting as agent of a company, but as principal (see Re Southern Pacific Personal Loans  2485 (Ch)).
For example, where the officeholder receives and adjudicates on proofs of debt, the administrator does so as “administrator” and not as agent of the company. In fulfilling this task, the administrator will possess and retain data about the individuals claiming to be creditors, some of which will be personal data. The administrator will be a controller of that data. As controller, the administrator will have GDPR obligations, and must comply with any subject access requests for that data.
Insolvent company is controller
Well, until recently, the courts had not considered this. In the Southern Pacific case, this was the question the liquidators had asked the court. There they faced the competing issues of lack of funds and the high cost of complying with the requests. However, the Court left the question open for another day. The Judge decided the liquidators did not need the records in question for the purposes of the liquidation and destroying the records was the solution to avoiding the costs of compliance with future subject access requests in this case. He did confirm that:
“[office holders] are not personally responsible for compliance with the provisions of the [Data Protection Act] in respect of the data processed by the company, including but not limited to [SARs] made under section 7"
Recent Judicial Guidance
In the recent hearing arising out of the administration of the Cambridge Analytica group, the Court had faced this question. Here, the company had not complied with a subject access request from the claimant and the ICO issued an enforcement notice to the company in administration. The administrators did nothing to comply with the enforcement notice, nor did they seek to set it aside through an appeal. They did this because:
- the enforcement notice was addressed to the company as controller (rather than the administrators);
- the ICO in fact previously seized and had custody of the servers on which the data was held; and
- the company had no staff to comply with the request.
The claimant, a data protection campaigner complained to the court. The court recognised the practical ramifications for office holders of the Southern Pacific decision are not “worked through”.
The court said the question was not: "What as [SIC] do we as administrators have to do [SIC] meet our obligations under the Enforcement Notice?” Southern Pacific answers that question. Instead, the administrators should have asked: "What does [the company] have to do to meet its obligations under the Enforcement Notice? What can we, within our powers of management as administrators, do to enable [the company] to meet those obligations? Is it in the interests of the creditors as a whole that we should bring about those actions?"
In this case, although the Court decided the administrators had asked themselves the wrong question, it did not criticise their decision. All the evidence suggested the costs of compliance were disproportionate to the benefit to creditors as a whole. What the administrators needed to do is exercise commercial judgement, considering the ease and costs of compliance, the scope of their statutory duties to all creditors and the need not to cause unfair harm to a data subject as creditor.
So it’s not black and white, but the Court has given some sensible guidance to work within. Administrators (or liquidators) should not automatically disregard a DSAR just because the company in administration or liquidation is the controller.
From an insolvency law perspective, if compliance, or even partial compliance, can be achieved without too much disruption or cost, it should be in all cases. If the cost of compliance is great (like in Southern Pacific), they must weigh up that against the potential detriment suffered by the individual in not having that information.
Where the individual is a creditor and they will lose out through non-compliance, the administrator has to balance their rights under paragraph 74 schedule B1 and that may tip the balance in favour of the request.
R3’s guidance [only available to R3 members] confirms that officeholders can’t disclaim data as “onerous property” simply because it imposes GDPR obligations. R3’s guidance also confirms that administrators and liquidators should not destroy any personal data needed to support claims to creditors and employees for the life of the case. The usual retention policy for documents or records is in Section 5.6 R3 Technical bulletin 104.
Office holders should be wary of disposing of relevant data after subject access requests have been received because of potential criminal sanctions and it’s best to take specific advice in each case.
First published in the Autumn 2019 edition of RECOVERY magazine and reproduced with the permission of R3 and GTI Media
Gateley Plc is authorised and regulated by the SRA (Solicitors' Regulation Authority). Please visit the SRA website for details of the professional conduct rules which Gateley Legal must comply with.