This document sets out the policy of Insolvency Support Services Ltd (“the Company”) on the retention of personal data and the timing and manner of its destruction.

It should be noted that processing or storing personal data for longer than is necessary can constitute a personal data breach to which fines and penalties may be applied.

This policy applies to the retention and destruction of all person data processed by the Company, whether in relation to its Staff Members, clients or prospective clients or others whose data the Company processes in connection with formal insolvency appointments.

Data Privacy

Individual living persons (as opposed to companies) have rights to data privacy in respect of their personal data, contained in the data protection legislation. These include a right that their data only be processed for as long as is necessary to fulfil the lawful purpose for which it was obtained.

The nature of insolvency practice is such that personal data will come into our possession in the ordinary conduct of the Company’s business activities.
A list of the different types of personal data (“data categories”) that we deal with in relation to different individuals (“data subjects”), can be found in our Data Processing Register.

Timely destruction of person data that is no longer required is an important protection afforded to individuals. Destruction also assists in reducing the possibility of inadvertent disclosure.

Data Retention Policy

In accordance with the data protection legislation, the Company only retains personal data for as long as is necessary. That period will vary depending upon:

  • The type of the data subject;
  • The capacity in which the Company is holding the data;
  • Statutory and regulatory requirements placed upon the Company or its insolvency practitioners to retain data for specified periods;
  • Any contractual obligations placed upon the Company when performing outsourced work;
  • The manner of receipt of the personal data (digital or physical copy).

Staff Members

Most of the data we hold about staff members is required to be held for tax purposes for 6 years following termination of employment.

There are some exceptions to this, for example information about your pension entitlements, which may be retained for significantly longer periods (up to 75 years). Bank details and contact details will be retained for 2 years from the termination of employment, unless there are unresolved claims or legal proceedings between the employee and the Company, in which case, they will be held until the later of 2 years from the termination of employment or the resolution of the claim or proceedings.

Advice Clients

The period for which we retain the personal data of clients that approach us for advice about their debt problems, or those of their business, will depend upon whether they decide to proceed with a debt solution which utilises our services. Where a formal debt solution is taken up, see the policy below concerning insolvency appointments.

When we are approached for advice, but a client does not return to us immediately, personal data contained in the fact find and any meeting notes taken will be retained for 6 months. We consider this to be a reasonable period of time as it is not uncommon for clients to return after a period of reflection, or if their circumstances deteriorate. Retaining their information in this way enables us to assist them more efficiently. The Client may object to our retaining their personal data in this way.

FCA regulations in relation to Debt Counselling activity require the Company to maintain a record for the grounds of being satisfied that the recipient of the service is not going to enter into a contract with us. That record and will state only the name of the Client, date of the advice and the grounds for being satisfied (e.g. a referral to an alternative source of advice or assistance). There is no statutory retention period for that record, and our policy is that a record will be kept for the current and two preceding calendar years. This will ensure that appropriate records are available for regulatory compliance purposes.

Additionally, where Money Advice has been provided to an individual by the Company, a record of that advice is required to be retained for a period of 2 years. The record contains the evidence of your income and expenditure that you supplied and a record in relation to the advice given to you. The record of Money Advice is retained in connection with a statutory function that has been undertaken and therefore cannot be erased at the Client’s request.

Insolvency Appointments

  • Office Holder appointments: Where one of our insolvency practitioners is legally appointed as the Office Holder in an insolvency case, there is a statutory requirement upon the insolvency Office Holder to maintain a record sufficient to explain their administration of the insolvent’s affairs for a period of 6 years from the conclusion of the administration. This record forms part of the formal record of the legal proceedings and its retention is a legal requirement.
  • Accountant in Bankruptcy Contract Cases: Where the Company has been appointed to administer an estate on behalf of the Accountant in Bankruptcy, we are contractually obliged to maintain our records for the longest period of: 5 years from date of award or 2 years from the date of the closure of the case.
  • Outsourced work for other Office Holders: Where the Company is conducting case administration services for insolvency practitioners from other firms, personal data will be securely transferred back to the appointed Office Holder, as Data Controller, upon the conclusion of the contract. In such instances, we will retain a record of the cases administered by us for 2 years from the date of conclusion of our function. The Office Holder themselves will be responsible for maintaining the statutory record for the mandatory retention period of 6 years.

The personal information contained in an insolvency case file may be substantial and can include special category and criminal conviction information. Data subjects will not generally be entitled to request the early destruction of this information, as it is being held to fulfil statutory retention requirements.

For further details about the types of information which may be contained in a formal insolvency case file, please refer to the relevant Privacy Notice that described your relationship with us.

Business Contacts and Customers

In addition to its functions as an insolvency practice, the Company supplies training and compliance services to other practices. In the course of this activity, the Company will hold the contact details of course attendees, participants in in-house training sessions or other contacts that have purchased our products or services or expressed an interest in doing so. Such information will be ordinarily retained for a period of 3 years for the purposes of fulfilling our legitimate commercial interests.

Additionally, we hold contact information pertaining to business contacts and potential customers for email marketing purposes. This data is held with the data subject’s consent and will be deleted from mailing lists upon request.

Paperless office / correspondence received by post

The Company operates a paperless office system and the majority of the personal data we process is supplied and stored digitally. Incoming postal correspondence is scanned and allocated to the appropriate folder. Correspondence may contain personal data relating to any of the above data subjects or capacities.

Our process for the hard copies of all correspondence is that the hard copy is stored securely, chronologically by data of receipt and retained for a period of 12 months.

Communications received by email

All communications sent and received by email are securely archived 12 months from sending or receipt. Digital copies may be retained for the purposes and durations described above depending upon the nature of the communication and the nature of any data subject to whom it relates.

Destruction of Data

Personal data held by the company, either digitally or physically, will be routinely and securely destroyed within 6 months of the expiry of the stated data retention period, without further reference to the data subject.

It is the responsibility of Line Managers to ensure that procedures are in place within their teams to ensure that all copies of such information, including but not limited to those which may be contained in our cases management, email and hard copy systems, are destroyed in accordance with this policy.

Requirements on Staff Members

Staff Members are expected to comply with this policy and implement any destruction procedures of which they are advised by their Line Manager, in respect of all copies of personal data in their possession. Deliberate and unauthorised retention of personal data is a matter the Company will take very seriously.

In the event that a Staff Member becomes aware of a failure to destroy data in accordance with this policy, they must report it to their Line Manager immediately on becoming aware, as unnecessary retention may constitute a data breach to which the Data Breach Policy will apply.

Any failure to follow the procedures and guidance laid out in this Policy may lead to disciplinary action which could result in termination of employment.

The Company reserves the right to pursue a claim for recovery of costs incurred where a Staff Member fails to adhere to this policy and the Company suffers loss or damage.