Ian Christopher Oakley Smith and Another v The Information Commissioner (Interested Party)
| Jurisdiction | England & Wales |
| Judge | Mr Justice David Richards |
| Judgment Date | 08 August 2013 |
| Neutral Citation | [2013] EWHC 2485 (Ch) |
| Docket Number | Case No: 4655 OF 2013 |
| Court | Chancery Division |
| Date | 08 August 2013 |
[2013] EWHC 2485 (Ch)
IN THE HIGH COURT OF JUSTICE
CHANCERY DIVISION
COMPANIES COURT
Royal Courts of Justice
7 Rolls Building
Fetter Lane
London EC4A 1NL
Mr Justice David Richards
Case No: 4655 OF 2013
In the Matter of Southern Pacific Personal Loans Limited
In the Matter of the Insolvency Act 1986
Lexa Hilliard QC (instructed by Reed Smith LLP) for the Applicants
Robin Hopkins (instructed by Richard Bailey, Information Commissioner's Office) for the Information Commissioner
Hearing date: 29 July 2013
This application raises issues concerning the relationship between the Data Protection Act 1998 and the winding-up of insolvent companies and the duties of liquidators.
The application is made by the joint liquidators of Southern Pacific Personal Loans Limited (the company) under section 112(1) of the Insolvency Act 1986 for the determination of certain questions and consequential directions. There is no respondent named to the application, but the Information Commissioner (the Commissioner) was notified of the application and provided with the application notice and supporting evidence. At the invitation of Roth J in a letter dated 9 July 2013 which drew attention to the potentially wide-reaching implications of any declaration the court might make, the Commissioner has appeared by counsel and made representations. I am very grateful to the Commissioner and his counsel for the assistance which they have provided.
Before referring to the detail of the issues raised for determination by this application, it is convenient to set out the circumstances in which they arise.
The company is a member of the Lehman Brothers group of companies. It did not go into any insolvency process at the time of the collapse of the Lehman group in September 2008, when the principal operating companies in the United Kingdom were placed in administration. It entered creditors' voluntary liquidation on 4 September 2012 and the applicants were appointed joint liquidators.
The company was incorporated in October 2000 and its business comprised the provision of personal loans to individuals resident in Great Britain, secured by way of second charge on their homes. It ceased making loans in about September 2007. It appears that all loans were provided through independent brokers who introduced borrowers to the company. Once loans were made, the company generally held the loans and supporting security on trust for various special purpose vehicles for inclusion in securitisation transactions. The special purpose vehicles were entitled to call for a transfer of the legal title to the loans and supporting security and did so in about August 2010. The company complied with those requirements and retained no further connection, legal or beneficial, with the transferred loans. The company continued to hold the legal title to loans and supporting security only in those cases where the loans had been redeemed prior to the date of the transfers (redeemed loans).
From the start of its business, the company collected and retained data relating to its borrowers. The data included names and addresses, the amount of loans, the borrowers' repayment records and details of proceedings brought against them by third parties. The data clearly comprises or includes "personal data" for the purposes of the Data Protection Act 1998 (the DPA). The company was a "data controller" within the meaning of the DPA and was and remains registered as such.
From 2006 the data in question was stored with a loan servicing company called Acenden Limited (Acenden), which is also a member of the Lehman group. Acenden continues to hold the data relating to the redeemed loans for the company. Acenden performed various servicing activities in respect of loans made by the company. They included dealing with customer enquiries, monitoring and collecting loan repayments, initiating legal action for loans in default, handling complaints, producing annual statements and quarterly arrears statements, retaining records of mortgage files and correspondence and processing data subject access requests (DSARs) made under the DPA. It was a "data processor" for the purposes of the DPA and was and remains registered as such.
Following transfer of the live loans to the special purpose vehicles in 2010, the data with respect to those loans has ceased to be retained by or for the company. Acenden continues to hold data in respect of the redeemed loans. This comprises approximately 50,000 files, of which approximately 32,000 are held both electronically and in paper form and the remainder are held in paper form only.
The data held for the redeemed loans is, of course, no longer required for the purpose of administering those loans. However, the company continues to receive DSARs made under section 7 of the DPA and other requests for information or copies of documents. Generally speaking, both the DSARs and the other forms of request are generated by claims handling companies on behalf of customers. They are usually blanket requests for a complete set of statements for the accounts held by the customer in question. All, or the great majority of, such requests appear to share the common purpose of enabling the claims management companies to determine whether or not they consider the customer to have any sort of viable claim, usually in the context of having taken out a personal protection insurance (PPI) policy in connection with the loans from the company. PPI policies were not sold by the company nor were they required by the company. But, in a number of cases, PPI policies were sold by the brokers to borrowers. When a DSAR or other request is received, Acenden forwards the relevant data to Solex Legal Services Limited (Solex) which provides legal processing services to the company.
The statutory fee payable on the making of a DSAR is £The cost of complying with each such request is approximately £455, exclusive of VAT and exclusive of any fee payable to Acenden which has yet to be negotiated and agreed. Since the date of its liquidation, the company has been receiving approximately 88 DSARs per month, resulting in an average monthly cost of over £40,000. Extrapolated over a year, and including a figure for Acenden's fee, this would involve a cost to the company of some £589,000. A continuation of costs at this level would have a material impact on the distribution of available funds to creditors of the company. The total estimated amount of liabilities, not all of which have yet been admitted to proof, is some £10,297,000 and the company currently has approximately £3,000,000 available for distribution.
The relevant provisions of the DPA may be summarised as follows. Section 1 contains definitions. "Data" extends to data held both in hardcopy and electronic form. "Data controller" is defined to mean
"a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed."
A "data processor", in relation to personal data, means "any person (other than an employee of the data controller) who processes the data on behalf of the data controller". "Processing" includes "obtaining, recording or holding the information or data". A "data subject" is an individual who is the subject of personal data.
Section 4(4) of the DPA provides that it is the duty of a data controller to comply with "the data protection principles" in relation to all personal data for which he is the data controller. The data protection principles are set out in part 1 of schedule 1 to the DPA. They include that personal data must be processed fairly and lawfully, that it shall be obtained only for one or more specified and lawful purposes and not further processed in any manner incompatible with such purpose or purposes, that it shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed, and that it shall be accurate and, where necessary, kept up to date. Principles 5 and 6 are as follows:
"5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act."
Section 7 sets out the rights of access that individuals enjoy as regards personal data held in respect of them. Section 7(1) provides, so far as relevant, as follows:
Subject to the following provisions of this section and to sections 8, 9 and 9A, an individual is entitled-
(a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that controller,
(b) if that is the case, to be given by the data controller a description of –
(i) the personal data of which that individual is the data subject,
(ii) the purposes for which they are being or are to be processed, and
(iii) the recipients or classes of recipients to whom they are or may be disclosed,
(c) to have communicated to him in an intelligible form –
(i) the information constituting any personal data of which that individual is the data subject, and
(ii) any information available to the data controller as to the source of those data
Section 7(8) requires a data controller to comply with a request promptly and in any event within 40 days or such other period as may be prescribed after receipt of the request. This requirement is enforceable by two means. First, the court may order compliance on an application made under section 7(9). Secondly, on the basis that a failure to comply with a...
To continue reading
Request your trial
-
In the Matter for Mount Carmel Medical Group (South Dublin) Ltd
...England and Wales that was helpfully drawn to the Court's attention by the DPC. In Re Southern Pacific Personal Loans Limited [2013] EWHC 2485 (Ch), Richards J. was asked to consider whether the liquidators of a company should be viewed as data controllers of certain data either jointly or ......
-
Dawson — Damer and Others v Taylor Wessing LLP The Information Commissioner (Intervener)
...a request would be invalid if made for the collateral purpose of assisting in litigation: see Southern Pacific Personal Loans Limited [2013] EWHC 2485 (Ch) at paragraph 113 Likewise, it would not in my judgment be correct to refuse to exercise the discretion because this disclosure could n......
-
Andrey Grigoryevich Guriev and Another v Community Safety Development (UK) Ltd
...in litigation or complaints against third parties. I share the view expressed by David Richards J in In Re Southern Pacific Loans Ltd [2013] EWHC 2485 (Ch), [2014] Ch 426 [46] (before Dawson-Damer, but not cited to HHJ Behrens), that Auld LJ's dictum is not "authority one way or the other......
-
Alireza Ittihadieh v 511 Cheyne Gardens Rtm Company Ltd and Others
...controllers if those decisions are made as agents of a company of which they are directors: Re Southern Pacific Personal Loans Ltd [2013] EWHC 2485 (Ch); [2014] Ch 426 at 71 On the other hand, if they are processing personal data on their own behalves they will be data controllers as rega......
-
Selling and utilising personal data in an insolvency situation
...be held responsible for decisions relating to the sale, purchase or use of personal data. In Southern Pacific Personal Loans Ltd [2013] EWHC 2485 (Ch), the High Court held that liquidators of a company in creditors’ voluntary liquidation were not data controllers for the purposes of the the......