Southern Pacific Personal Loans Ltd, Re

Factual and Procedural Background

This application concerns the relationship between the Data Protection Act 1998 (DPA) and the winding-up of insolvent companies, specifically focusing on the duties of liquidators. The joint liquidators of Company A, appointed under a creditors' voluntary liquidation commencing on 4 September 2012, sought a court determination under section 112(1) of the Insolvency Act 1986 on several questions related to their status as data controllers under the DPA and their obligations regarding personal data held by the company.

Company A was a personal loans provider incorporated in October 2000, which ceased lending in about September 2007. It held personal data on borrowers, including names, addresses, loan amounts, repayment records, and legal proceedings. After transferring live loans to special purpose vehicles in 2010, Company A retained data only on redeemed loans. The data was stored and serviced by a related loan servicing company, which acted as a data processor.

Since liquidation, Company A has been receiving numerous data subject access requests (DSARs) under the DPA, resulting in significant costs that impact creditor distributions. The liquidators sought clarity on their status as data controllers and their obligations to retain or dispose of personal data.

Legal Issues Presented

1. Whether the joint liquidators are "data controllers" within the meaning of section 1(1) of the Data Protection Act 1998 in respect of data processed by Company A prior to liquidation.
2. If so, whether the liquidators may refuse to comply with data subject requests under section 7(1) of the DPA.
3. Whether the liquidators may dispose of all personal data in their control in their capacity as liquidators of Company A.
4. Whether the liquidators may disclaim the personal data in their control and thereby cease to be data controllers of the same.

Arguments of the Parties

Joint Liquidators' Arguments

• The liquidators contended they should not be required to hold data relating to redeemed loans or incur costs responding to DSARs after liquidation.
• They argued that the company, not the liquidators, remained the data controller for data processed prior to liquidation.
• They submitted that the company should be permitted to dispose of personal data no longer necessary for business or liquidation purposes, subject to retaining data needed to respond to existing DSARs and claims.
• Regarding refusal to comply with DSARs, they suggested that requests made primarily to enable claims for personal protection insurance (PPI) mis-selling might not be requests for purposes intended by the DPA.
• They also relied on the provision allowing refusal to supply data if doing so would involve disproportionate effort, though acknowledging its limited applicability.

Information Commissioner's Arguments

• The Commissioner accepted that the directors of a company are not data controllers by virtue of their position but contended that both the company and liquidators are data controllers following liquidation.
• He emphasized the liquidators' duty to take control of the company's property, including data, and suggested this could imply data controller status.
• The Commissioner recognized the need to retain data sufficient to respond to DSARs and any claims but accepted no special features justified retaining data beyond this.

Table of Precedents Cited

Court's Reasoning and Analysis

The court first distinguished the roles of company directors and liquidators, affirming that directors act as agents of the company and are not data controllers personally. The central issue was whether liquidators, upon appointment, become data controllers in respect of data processed by the company before liquidation.

Relying on statutory provisions and established case law, the court concluded that the company retains ownership and control of its assets, including data, even after liquidation. The liquidator acts as agent of the company rather than as principal or co-principal. Powers conferred on liquidators under the Insolvency Act 1986 are exercised on behalf of the company.

The court rejected the argument that the liquidators become data controllers in their own right for data processed by the company prior to liquidation. It emphasized that the liquidators' duty to take control of company property does not transfer ownership or data controller status to them personally.

Regarding disposal of data, the court held that the company must retain data sufficient to respond to existing DSARs and to handle any claims made in the liquidation. However, data no longer necessary for these purposes should be disposed of in compliance with the DPA, particularly the fifth data protection principle limiting retention to what is necessary.

The court declined to provide a final ruling on whether liquidators may refuse to comply with DSARs based on the purpose of the requests or whether they may disclaim data, as these issues were not essential to the present determination.

Holding and Implications

The court's final ruling was that the joint liquidators of Company A are NOT data controllers within the meaning of section 1(1) of the Data Protection Act 1998 in respect of data processed by the company prior to liquidation.

The court directed that the company, through its liquidators, may dispose of all personal data no longer necessary for responding to DSARs or dealing with claims, provided such disposal complies with the DPA. The liquidators are not personally responsible for compliance with the DPA in respect of this data.

This decision means that the statutory duties and liabilities under the DPA remain with the company notwithstanding liquidation. No new precedent was set on refusal to comply with DSARs or disclaimer of data as these questions were left open for future cases.