Article preview
Re Southern Pacific Personal Loans Ltd [2013] EWHC 2485 (Ch) (8 August 2013)
Matthew Abraham, Barrister, South Square, London, UKIntroduction
In the recent case of Re Southern Pacific Personal Loans Ltd [2013] EWHC 2485 the High Court was asked to determine the relationship between the Data Protection Act 1998 (the 'DPA'), the winding-up of insolvent companies and the duties of liquidators. In particular, the court was asked to determine whether liquidators would be treated as data controllers under the DPA and hence would be personally liable for compliance with the DPA in respect of data processed by the company of which they were liquidators.
Factual background
An application was made by the joint liquidators of Southern Pacific Personal Loans Limited (the 'Company') under s.112(1) of the Insolvency Act 1986 ('IA') for the determination of certain questions and consequential directions. The Company was a member of the Lehman Brothers group of companies but avoided an insolvency process at the time of the collapse of the Lehman group in the UK in September 2008. The Company entered creditors’ voluntary liquidation on 4 September 2012.
The Company focused on the provision of personal loans to individuals resident in Great Britain, secured by way of second charge on their homes. Once such loans were made they were held, along with supporting security, by the Company on trust for various special purpose vehicles ('SPVs') for inclusion in securitisation transactions. The SPVs were entitled to call for a transfer of the legal title to the loans and supporting security.
As a result of the nature of the Company’s business, the Company collected and retained data in relation to its borrowers. This data included names and addresses, the amount of loans etc. Such data comprised or included 'personal data' for the purposes of the DPA and as a result the Company was a 'data controller' as set out in s.1 DPA (see below). Data was held for the Company by another member of the Lehman group, a loan servicing company called Acenden Limited.
In 2010 the SPVs called for a transfer of the legal title to the loans and supporting security held by the Company. After the transfer, the only data retained by the Company related to redeemed loans and was not required to administer loans. Despite this, the Company has continued to receive data subject access requests ('DSARs') and other requests for information or copies of documents made under the DPA in relation to the data. Many of the DSARs and other requests were generated by claims handling companies to determine whether individuals have a claim to compensation over the mis-selling of payment protection insurance. The statutory fee for making a DSAR is GBP 10 and the cost of complying is approximately GBP 455, exclusive of VAT. The joint liquidators of the Company stated that the annual cost of responding to such requests would be GBP 589,000 and that a continuation of costs at this level would have a material impact on the distribution of funds to creditors.
The DPA
S.1 DPA defines 'data controller' as a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. S.4(4) DPA provides that it is the duty of a data controller to comply with the data protection principles in relation to all personal data for which he is the data controller. The data protection principles are set out in part 1 of schedule 1 to the DPA. Of importance are paragraphs 5 and 6:
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
Copyright 2006 Chase Cambria Company (Publishing) Limited. All rights reserved.