We would like to place strictly necessary cookies and performance cookies on your computer to improve our website service.
To find out more about how we use cookies and how you can change your cookies settings, please read our  cookies statement.                
Otherwise, we'll assume you are OK to continue.   Please close this message

Liquidators’ duties under the Data Protection act 1998

9 January 2014

Ian Oakley Smith, Julian Guy Parr v The Information Commissioner In Re Southern Pacific Personal Loans Limited [2013] EWHC 2485 (Ch)

The High Court rules that the liquidators are not personally liable for compliance with the Data Protection Act 1998.

In this age of social media, the processing of personal data is an important part of the business of many, if not all, companies. The question for insolvency practitioners is whose obligation it is to comply with the Data Protection Act 1998 (DPA) in relation to the personal data that a company has collected and retained prior to going into administration or liquidation.

A person who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed is defined as a "data controller" by the DPA. Data controllers are obliged to comply with the Data Protection Principles, which include requirements not to retain personal data for longer than is necessary for the purpose for which it was processed, and for personal data to be processed in accordance with the rights of the data subject ie the person to whom the data belongs, which cover the right to access his or her personal data held by a data controller by way of a data subject access request (DSARs).

Insolvency practitioners often had to be registered as data controllers under the DPA with the Information Commissioner (ICO) in order to perform the duties of their office, although the registration is not specific to an appointment.

The High Court in the case of Re Southern Pacific Personal Loans Limited [2013] EWHC 2485 (Ch) provided important guidance for insolvency practitioners.

Facts of the case

Southern Pacific Personal Loans Limited (SPPL) was a member of the Lehman Brothers group of companies. It was in the business of providing personal loans to individuals secured by way of a second charge on their homes. During the course of its trade, SPPL collected and retained a vast amount of personal data from its borrowers and was therefore a data controller within the meaning of DPA. In September 2012 it entered Creditors' Voluntary Liquidation. Subsequently, a high number of DSARs were made against SPPL (in liquidation) by claims management companies seeking to determine whether the borrowers had viable claims against SPPL in relation to the loans. 

The liquidators of SPPL faced the following problem: the total estimated liabilities of SPPL was around £10.3m but there was only £3m available for distribution. However, based on the volume of DSARs they received, they estimated that the costs of dealing with the DSARs extrapolated over a year would be approximately £589,000. If these requests and the related costs were to continue at this rate and level, it would accordingly have a material impact on the available distribution of funds to the creditors.

The liquidators therefore sought the Court's directions on two key questions:

  1. whether they are data controllers within the meaning of the DPA, and
  2. if they were, whether they could dispose of all the personal data under their control.

Guidance for Insolvency Practitioners

Liquidators are not data controllers of the data processed by the company

The Court distinguished between the activities performed by the liquidators:

  1. those performed as part of their office as principal ie not undertaken on behalf of the company in liquidation, and
  2. those performed as agents of the company in liquidation.

Liquidators are registered as data controllers in relation to their activities in the first category, for example, receiving a proof of debt which contains personal data. However, activities in relation to the data processed by a company in liquidation fall within the second category. This is because the beneficial ownership of the assets of a company remain vested in the company following its liquidation (albeit not for the benefit of the company but for its creditors), and the liquidators do not hold these assets as principal. Such assets include the intellectual property rights of the data processed by the company. Accordingly, the Court determined that the liquidators were not data controllers within the meaning of the DPA in respect of the data processed by the company.

Liquidators are not personally obliged to respond to DSARs

It follows that the liquidators were not held personally liable for compliance with the DPA for activities in the second category, meaning that they are not obliged to respond to DSARs against the company. This analysis also applies to liquidators in a compulsory winding up.

The statutory obligation to respond to the DSARs, properly made, however still remains with the company, and enforcement action might still be taken despite it being in liquidation.

The liquidators may dispose of the data retained by the company subject to certain conditions

The court held that liquidators may dispose of the data retained by the company in a matter which is consistent with the DPA, subject to two further qualifications:

  1. they must retain sufficient data to enable responses to DSARs, and
  2. they must also retain sufficient data to deal with any claims arising in the liquidation such as, in this instance, PPI mis-selling claims.

The judge directed the liquidators to first advertise and invite claimants to submit proofs within a specific period before disposing of the data. He also directed that they need not retain data so that it would be available to be "mined by former customers or claims handling companies with a view to making claims against third parties."


This case is one of the few cases dealing with the crossover of insolvency and data protection, an emerging area both in terms of growing legislative attention both in the UK and at European level and increased enforcement from the ICO.

As mentioned above, liquidators do not have to comply with the obligation under the DPA to respond to DSARs but the obligation remains with the company. The judge in this case had refused to give binding direction as to whether liquidators could ultimately refuse to respond. He likened such direction to the liquidators to that given to trustees in a Beddoes application, which is an exercise of the court's discretion.

Therefore, although this case appears to offer some guidance and certainty to insolvency practitioners, it still leaves unanswered the question of how to deal with DSARs made against company in liquidation; it also highlights that data protection issues for insolvency practitioners are often very case-specific. Accordingly, when faced with a large number of DSARs, insolvency practitioners are best advised to seek the Court's directions as to how to proceed.

For more information please contact Edith Lai, Associate

+44 (0)20 7427 6692