This document sets out in detail the policy of Insolvency Support Services Ltd (“the Company”) on the protection of information relating to creditors, book debtors, employees and other stakeholders (“Stakeholders”) of insolvent entities whose affairs the Company is administering. Protecting the confidentiality and integrity of personal data is a critical responsibility that the Company takes seriously at all times. The Company will ensure that data is always processed fairly, in accordance with the provisions of relevant data protection legislation, including the General Data Protection Regulation (GDPR) and Data Protection Act 2018.
Data processing is any activity that involves the use of personal data. It includes obtaining, recording or holding information, or carrying out any operation or set of operations, including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal data to third parties.
Personal data is any information by which a living person to whom the data relates can be identified. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour, such as a disciplinary record. There are also “special categories” of more sensitive personal data which require a higher level of protection.
Company necessarily collects personal data about Stakeholders in insolvency proceedings and this Privacy Notice explains how we treat that personal data and your rights in relation to it.
This document is the Company’s Stakeholders Privacy Notice, it explains your rights in detail. This notice, together with the information contained in the Data Processing Register set out the information the Company holds about Corporate Clients, the purpose for which this data is held and the lawful basis on which it is held. The Company may process personal information without the client’s knowledge or consent, in compliance with this policy, where this is required or permitted by law.
The Stakeholders Privacy Notice and the Data Processing Register will be made available by way of a link contained within our first communication with Stakeholder. If the purpose for processing any piece of data about the Corporate Client should change, the company will update the Stakeholders Privacy Notice and Data Processing Register with the new purpose(s) and the lawful basis for processing the data and will notify the Stakeholder by email.
In processing Stakeholders’ personal data, the following principles will be adhered to. Personal data will be:
When the Company provides advice to an individual or business about its financial difficulties, they will be asked to provide us with certain information in order that we can get a full picture of their circumstances. When an individual or business is subject to formal insolvency proceedings, the individual or controllers of the business are required to provide certain information.
During the course of administering an insolvency case, we will also be provided with information from a number of other sources, such as the Accountant in Bankruptcy (in Scotland), the Official Receivers (in England, Whales and Northern Ireland) and in all cases from the creditors, debtors and employees of the insolvent business, and/or other stakeholders in the insolvency process that make such information available to us in the course of administering the affairs of the insolvent business. We will typically be the Data Controller in respect of the information contained in our files.
When appointed as an insolvency Office Holder in respect of an insolvent business, the Office Holder will also have access to the information contained in the business’s books and records, though in respect of this information, the Office Holder will not generally be a Data Controller of it, but will be acting as agent on behalf of the business. We may however be subject to a duty of confidentiality in respect of this information (see our Confidentiality and Data Security Policy), and will at all times act lawfully in relation to this data.
Creditors: If you are owed money as an individual (for instance, because you are a sole trader who has not been paid for work you have conducted), we need to know your name, address, contact email (if you have one) and confirmation of the amount you are owed. This is so that we can contact you with notification about the case and provide you with an opportunity to exercise your rights, as a creditor in an insolvency. We will be unlikely to hold any other personal information about you.
Book Debtors: If you are a customer of a business that is insolvent and haven’t paid for the product or service you received, it is likely that we will hold details of your name, address, contact email (if you have one) and confirmation of the amount you owed to the insolvent business. We need this information so that we can collect any amounts that are due to the business. We will be unlikely to hold any other personal information about you.
Employees: If you were employed by a business that has become insolvent, the insolvency Office Holder has a number of responsibilities in relation to money that the business owes you. We are likely to be processing the following information:
We may also have access to your full personnel file, although this will be information we have access to as agent on behalf of your former employer and we do not consider ourselves to be the Data Controller of it, although will use our best endeavours to ensure that it is only processed in accordance with the legislation.
Other Stakeholders: An insolvency Office Holder will interact with various parties in the course of their investigations into and administration of the affairs of an insolvent entity (whether that be an insolvent individual or business).
In the course of that work, we may come into possession of various items of personal data, such as (but not limited to):
Personal information will only be processed when there is a lawful basis for doing so. Most commonly, the Company will use personal information collected in connection with insolvency proceedings for the proper performance of the statutory functions of an insolvency Office Holder and/or where it is necessary to do so in respect of legal claims.
A list of each category of personal data we hold and the lawful basis we believe the Company to have for processing it may be found in the Data Processing Register.
The situations in which we envisage using your personal information are as follows:
If you fail to provide certain information when requested, you may be unable to asset your rights in the insolvency proceedings. In some instances, the insolvency Office Holder may take steps to compel you to provide it in Court and/or to acquire the information we need to properly administer the affairs of the insolvent business from third parties.
Information provided by you or collected from third parties will only be used for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Some categories of personal data are considered by law to be particularly sensitive and are therefore classed as “special categories” of personal data. These relate to a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data. This type of data is afforded additional protection.
What constitutes special categories of data and how it is processes and protected is explained in greater detail in our Special Category Data Policy and Vulnerable Clients Policy.
There are a limited number of situations where we might possess special categories of data about Stakeholders:
We consider it unlikely that we will be routinely processing special categories of personal data, other than in relation to the claims of employees as against their former employer. In this regard, we will generally be acting as agent on behalf of the insolvent business, rather than as Data Controller.
The Company envisages that it may hold information about criminal convictions where these are relevant to the causes of failure of the insolvent business or the performance of the functions of an insolvency Office Holder. If it becomes necessary to do so, the Company will only use this information where it has a legal basis for processing the information. This will usually be where such processing is necessary to carry out the role and function of an insolvency Office Holder.
The Company may also use information relating to criminal convictions where:
The Company will only collect information about criminal convictions if it is appropriate given the nature of the role of a restructuring advisor or insolvency Office Holders. Relevant convictions would typically be those relating to theft, fraud or dishonesty, money laundering or terrorist financing.
The Company will only retain personal information for as long as necessary to fulfil the purposes it was collected it for, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements. Details of retention periods for different aspects of personal information are set out in the Data Processing Register and Data Retention and Destruction Policy.
In most insolvency matters, there is a statutory retention period of 6 years from the conclusion of the administration.
When determining the appropriate retention period for personal data that is not fixed by statute, the Company will consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which the personal data is processed, whether the Company can achieve those purposes through other means, and the applicable legal requirements.
The Company does not require consent from Stakeholders to process most types of personal data, as where we are administering a formal insolvency, we will be performing the statutory function of an insolvency Office Holder and/or are acting in pursuit or defence of legal claims.
The Company will not usually need consent to use special categories of personal data or information about criminal convictions in order to carry out legal obligations or exercise specific rights in the field of insolvency administration.
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. The Company does not envisage that any decisions will be taken about Stakeholders using automated means, however they will be notified if this position changes.
The Company has put in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Details of these measures are contained in our Confidentiality and Data Security Policy.
In summary, access to personal information is limited to those Staff Members, agents, contractors and other third parties who have a business need to know. They will only process personal information on the Company’s instructions and are subject to a duty of confidentiality. The Company expects Staff Members handling personal data to take steps to safeguard personal data of Corporate Clients in line with this and the Confidentiality and Data Security Policy.
The Company requires third parties to respect the security of personal data and to treat it in accordance with the law. Personal data about Stakeholders will only be shared to the it is lawful and necessary.
Creditors: There are a number of instances where the insolvency legislations requires an insolvency Office Holder to share a list of the names, addresses and amounts owed to the creditors with the other creditors of the company, and in company insolvency, may also be filed at Companies House.
Employees: Some of your personal data may be shared with the Redundancy Payments Service in order that they can make payments to you.
Generally: The Company may share Stakeholder’s data with third-party service providers where it is necessary to administer an insolvent estate, in connection with legal claims or where the Company has another legitimate interest in doing so (subject at all times to Client confidentiality).
The following activities are commonly carried out by third-party service providers:
Occasionally, we may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.
We do not anticipate the transfer of your data outside the EU. The Company holds personal data in its physical files and on its internal servers, which are located at the Company’s registered office. Our servers are subject to off-site backup to a cloud service provider which is based within the EEA (in the Republic of Ireland). You will be notified in the event the Company intends to transfer your data outside of the EU.
Stakeholders should to inform the Company of any changes to their contact information or the amount they believe to be owed to them. Where a Stakeholder has concerns regarding the accuracy of personal data held by the Company, they should contact their Case Administrator to request an amendment to the data.
Under certain circumstances, Stakeholders have the right to:
If a Stakeholder wishes to make a request on any of the above grounds, they should contact their Case Administrator, in writing (email is acceptable for this purpose). You will usually be entitled to know what personal information we hold about you.
Please note that, depending on the nature of the request, the Company may have good grounds for refusing to comply. If that is the case, you will be given an explanation by the Company.
Where we are administering the affairs of an insolvent entity, there are certain periods that the law requires us to maintain information about the case (typically 6 years from the conclusion of the administration). Full details of relevant retention period are listed in our Data Processing Register. In insolvency cases, we are unlikely to be able to agree to a request to erase, restrict or transfer your information, but will explain this to you in further detail should such a request be made.
Where legal claims are involved, we may not be able to provide you with access to all of the information we hold, as some of it will be subject to legal professional privilege.
Stakeholders will not normally have to pay a fee to access personal information (or to exercise any of the other rights). However, the Company may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, the Company may refuse to comply with the request in such circumstances.
The Company may need to request specific information from the Stakeholder to help confirm their
identity and ensure the right to access the information (or to exercise any of the other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Given the size of the Company, it has not been deemed necessary to formally appoint a Data Protection Officer. Oversight of data privacy throughout the Company and its operations rests collectively with our Directors. In insolvency cases, ultimate responsibility rests with the named Licensed Insolvency Practitioner that has been appointed in respect of an insolvent entity’s affairs.
If Stakeholders have any questions about this policy or how the Company handles personal information, they should contact the Case Administrator at first instance. If they are dissatisfied with the response they receive (or no response is received) stakeholders should contact the Licensed Insolvency Practitioner appointed in respect of the case.
Stakeholders have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
The Company has put in place procedures to deal with any data security breach and will notify Stakeholders and any applicable regulator of a suspected breach where legally required to do so. Details of these measures are contained in the Company’s Data Breach Policy.
In certain circumstances, the Company will be required to notify regulators of a data security breach within 72 hours of the breach.
If you have any concerns about the security of the personal data we hold about you, or suspect that a data breach has occurred, you should contact the Case Administrator at first instance. If you are dissatisfied with the response they receive (or no response is received) Stakeholders should contact the Licensed Insolvency Practitioner appointed in respect of the case.
The Company will have regard to the principles of this policy and relevant legislation when designing or implementing new systems or processes (known as “privacy by design”). The importance of data privacy has already been reflected and incorporated into all of our policies, processes and notices, including those in respect of:
The Company reserves the right to update this privacy notice at any time, and we will provide you with access to a new privacy notice when we make any substantial updates.