April 2009

Part 2 Subject access requests

81A.29  General implication of DPA to The Service

Official receivers

The areas in which DPA has a direct impact on the work of the official receiver are:

• providing data subjects with the fair processing information;
• subject access requests;
• disclosure of personal data to third parties;
• obtaining personal data about bankrupts or company directors from third parties;
• dealing with personal data held by insolvents.

In addition, to ensure compliance with the Data Protection Principles, the official receiver should have regard to the requirements outlined in paragraphs 81A.17 to 81A.28.

Detailed guidance on responding to subject access requests is available HERE.

The Service generally

Official receivers should be aware that files may be held for bankrupts and company directors by various Directorates within Corporate and Business Services or Investigation and Enforcement Services. If advice has been sought about a case from Technical Section, a file will have been opened which will contain copies of the exchange of minutes and may contain other papers. These will be stored at the Registry in Birmingham. In addition, IES may hold files on bankrupts and directors, which may form part of a relevant filing system, and also maintain databases with details of  criminal allegations, disqualifications and bankruptcy restrictions orders.

Where appropriate, the applicant should be advised to make a separate subject access request to The Service via the FOIA / DPA Compliance Manager (Jim Digby) at Technical Section. Requests for disclosure of D reports submitted in insolvency practitioner cases should be referred to the IES Conduct and Complaints Team. Requests for any other information held by IES should be referred to Enforcement Technical Section.

Any member of staff wishing to make a subject access request about their own personal data should contact Human Resources.

The official receiver as a data controller has control of information held in his/her liquidation and bankruptcy files; information held on computer of his/her liquidation and bankruptcy cases, and information held in the records of an insolvent where the official receiver is acting as liquidator or trustee in bankruptcy. All other information held by The Service is under the control of the Secretary of State and the official receiver has no duty to disclose its existence. A bankrupt or director will be required to make a separate subject access request to obtain details of personal data held by The Service generally. Information held on computer systems is also under the control of The Service on behalf of the data controller (BIS).

81A.30  Subject access requests

A request under section 7(1) of the DPA is called a subject access request and must be in writing and relate to the personal information of the data subject. The data controller is not obliged to supply information under this section unless he is supplied with any information he may reasonably require to satisfy himself of the identity of the person making the request. [note 1]

Subject access requests should be dealt with by the official receiver (data controller) in each official receiver’s office or by the appropriate Section holding the information. In official receivers’ offices, the data controller is the official receiver and for the remainder of The Service Section Heads act as data processors for the data controller (BIS). In addition the FOIA / DPA Liaison Officer in Technical Section is available to provide specialist advice and, if required, to co-ordinate a response across The Service.

When a request for personal information is received (by any means) a letter should be sent to the data subject asking them to provide two forms of identification (unless the action officer is satisfied about the identity of the requester from other sources). A form is available for them to use when responding which should be sent with the letter. Templates are available HERE, and in Annex A for the initial letter (#1) and form (#2 or #3).

Detailed guidance on responding to subject access requests is available HERE.  

81A.31  Right of access to personal data

Subject to the various exemptions under DPA bankrupts, company directors, and others are entitled to know what personal data about them is held on any of The Service’s record systems and to have copies of that data. Under the FOIA, the definition of data is extended to include information held in an unstructured filing system - effectively extending the access to personal data contained in any manual files, see paragraph 81A.13 to 81A.15 for a more detailed discussion of this point. A subject access request will not give the data subject access to view the official receiver's files.

Section 7 (1) of the DPA provides that, subject to the remaining provisions of the section and to sections 8 and 9, an individual is entitled:

• to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,
• if that is the case, to be given by the data controller a description of :-

i) the personal data of which that individual is the data subject,

ii) the purposes for which the data are being or are to be processed, and

iii) the recipients or classes of recipients to whom the data are or may be disclosed,

• to have communicated to him in an intelligible form :-

i) the information constituting any personal data of which that individual is the data subject, and

ii) any information available to the data controller as to the source of the data, and

• where the processing of personal data by automatic means, for the purpose of evaluating matters relating to an individual, for example, performance at work, creditworthiness, reliability or conduct, and this processing is likely to constitute the sole basis for any decision significantly affecting the individual, to be informed by the data controller of the logic involved in that decision-taking.

81A.32  Limitations to subject access rights

Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless: [note 2]

(a) the other individual has consented to the disclosure of the information to the person making the request, or

(b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.

The reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; but this is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise. [note 3]

For the purposes of the DPA another individual can be identified from the information being disclosed if he can be identified from that information, or from that and any other information which, in the reasonable belief of the data controller, is likely to be in, or to come into, the possession of the data subject making the request.

Further guidance on dealing with third party information may be accessed HERE.

81A.33  Consent of third party

In determining whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to:

(a) any duty of confidentiality owed to the other individual,

(b) any steps taken by the data controller to seek the consent of the other individual,

(c) whether the other individual is capable of giving consent, and

(d) any express refusal of consent by the other individual.

An individual making a request under this section may, in such cases as may be prescribed, specify that his request is limited to personal data of any prescribed description. [note 4]

81A.34  Subsequent requests for personal information

In addition, where a data controller has previously complied with a subject access request, the data controller is not obliged to comply with a subsequent identical or similar request under that section by that individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request. [note 5]

A number of supplemental provisions are set out under section 8 and in particular limit the obligations under section 7(1)(c)(i) relating to the supply of information in a permanent form where:

• the supply of such a copy is not possible or would involve disproportionate effort, or
• the data subject agrees otherwise

The ICO checklist for handling requests for personal information should be followed where there is any doubt about the requesters rights or any limitation to those rights. The guidance may be accessed HERE.

[Back to Part 1 – Data Protection Act and The Insolvency Service] [On to Part 3 – Other forms of request]