This document sets out the policy of Insolvency Support Services Ltd (“the Company”) on the confidentiality and security of the information which it deals with in the ordinary course of its business activities and the expectations it places upon employees, workers, contractors, volunteers and interns (collectively referred to as Staff Members) in respect of that information.
Acting lawfully and protecting the privacy of our Staff Members, prospective clients and those involved in the formal insolvency appointments that we deal with is a responsibility that the Company takes seriously at all times.
This policy applies to the confidentiality and privacy of the information that Staff Members deal with.
Insolvency Practitioners as licensed professionals must observe a Code of Ethics. That Code includes the fundamental principle of confidentiality:
An Insolvency Practitioner should respect the confidentiality of information acquired as a result of professional and business relationships and should not disclose any such information to third parties without proper and specific authority unless there is a legal or professional right or duty to disclose. Confidential information acquired as a result of professional and business relationships should not be used for the personal advantage of the Insolvency Practitioner or third parties.
All Staff Members are required to observe this obligation in all of their dealings for or on behalf of the Company and its insolvency practitioners.
Staff Members who are in any doubt about whether a proposed course of action would constitute a breach of the fundamental principle of confidentiality should discuss the proposed course of action with their Line Manager.
Individuals, companies, partnerships and other artificial legal persons all have rights to confidentiality that Staff Members must respect.
The nature of insolvency practice is such that confidential information (some of which may also be described as personal data) will come into the hands of Staff Members in the ordinary conduct of the Company’s business activities. This will include circumstance such as:
A duty of confidentiality always applies to client information. Additionally, there may be further legal obligations in respect of the various types of personal data that comes into our possession.
Legal requirements around data protection apply to information that relates to an individual, which is identifiable to them. While companies, (such as the Company itself), may have rights to confidentiality in respect of their business information, the data protection framework relates to information about living persons (i.e. their personal data).
Examples of personal data that the Company holds include (but are not limited to) an individual’s name, address, date of birth, who they worked for or how much money they are owed by someone else, depending upon which category of individual we are dealing with (e.g. debtors, creditors, employees of insolvency companies or our own employees).
A list of the different types of personal data (“data categories”) that we deal with in respect of different individuals (“data subjects”), can be found in our Data Processing Register.
The Data Protection framework provides safeguards to protect the privacy of individual’s data.
More stringent requirements exist in respect of personal data that is considered to be particularly sensitive, known as special category data (see our Special Category Data Policy). These additional requirements that protect the privacy of data subjects are reflected by the Company throughout its approach to data access and security.
For each category of person that we deal with, there is a relevant Privacy Notice, which describes what personal data we may hold about them, why we consider it to be lawful for the Company to hold that data, how long we intend to hold it for and for what purpose(s) it will be used. In some instances, individuals are afforded rights to object to our processing of their data and in others they are not. Full details are set out in each of the Privacy Notices for:
With the exception of the Staff Member and Job Applicant Privacy Notice, all privacy notices are located on our website. These documents contain details of the rights of each category of persons and when the policy should be highlighted to the individual concerned (which is typically, at the first available opportunity, or within one month of our starting to deal with their personal data).
Individuals have legal rights that their personal data is processed fairly and in a way that protects their privacy. Staff Members are required to adhere to the terms of this and other relevant policies in order not to breach those rights.
This policy sets out the practical measures and internal processes that the Company has put in place to ensure confidentiality and data privacy.
The Company will be responsible for ensuring that:
Staff Members are responsible for ensuring that all computers and other portable devices such as smartphones, tablets and laptops (collectively referred to as computer equipment) that may contain or provide access to confidential information or personal data are protected from loss, theft and unauthorised access, in accordance with this policy.
Practical steps to ensure the protection of computer equipment and the confidential information and personal data that it may contain or be used to access, include:
Hard copy documents belonging to the Company or its clients are to be maintained at Company controlled premises. Staff Members should only remove hard copy documents from Company controlled premises with appropriate permission, in accordance with the Company’s Off-Site Working Policy and when it is necessary for the Company’s business activities for them to do so.
Where hard copy documents are required to be removed from Company controlled premises (for instance, while homeworking), they should be retained for only so long as is necessary and returned to the Company’s premises as soon as is reasonable practicable.
Practical steps to ensure the protection of hard copy documents and the confidential information and personal data they may contain, include:
Staff Members should not disclose confidential information and/or personal data about the Company, colleagues or third parties unless that disclosure is fair and lawful. Doing so may constitute a breach of the duty of confidentiality and/or the data subject’s privacy.
To protect against a breach of confidentiality or data privacy:
The rights of data subjects to access the personal data that the Company processes about them are described in the relevant Privacy Notices and within the Company’s Data Subject Access Policy. The subject themselves may be authorised recipients, in accordance with that policy.