Dear IP Letter 52

Dear Insolvency Practitioner,

In this, the Fifty Second of the “Dear IP (NI)” series, I should like to deal with the following issue:

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)

Insolvency Service would like to remind IPs of the requirements of the General Data Protection Regulation (GDPR). The requirements apply to any public or private organisation processing personal data.

The Insolvency Service provides IPs with a wide range of personal data in a number of circumstances, and to ensure that we are compliant with GDPR and to minimise the possibility of data breaches, we would ask IPs to take note of the following:

1. Information provided to IPs prior to appointment

When the OR determines a case has sufficient assets to warrant an IP appointment, the IP who is next on the rota is provided with sufficient detail, which will include personal data relating to the bankrupt or director, so that they may determine whether they will accept the appointment.

In circumstances where the case is not accepted all personal information which the IP obtained from the Insolvency Service must be confidentially destroyed immediately.

2. Information provided after appointment

Once an appointment has been made, IPs are expected to conform to their own, and to their authorising bodies’ policies and procedures in order to comply with GDPR. This applies to all personal information and documents shared by the Insolvency Service.

Data Protection Act

Insolvency Service would like to remind IPs of their responsibility to comply with the data protection principles in all their processing of Insolvency personal data shared:

i.e. IPs should:

• treat the Insolvency Service personal data as confidential and safeguard it accordingly
• only disclose Insolvency Service personal data to staff who are directly involved in its administration and who need to know the information, and ensure that such staff are aware of and comply with their obligations as to confidentiality
• have in place appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing, and against accidental loss, destruction, damage, alteration or disclosure
• take reasonable steps to ensure the reliability of staff and agents who may have access to the personal data
• ensure that all staff and agents required to access the personal data are informed of the confidential nature of the personal data
• ensure that none of the staff and agents publish, disclose or divulge any of the personal data to any unauthorised third parties
• ensure that only people who have a genuine business need to see the data will have access to it.