Those involved in considering compliance must consider data sharing as part of the due diligence, including establishing the purpose for which the data was originally obtained, the lawful basis for sharing it, and whether these have changed. The latest Data Sharing Code of Practice, (effective October 2021), adds a useful reminder and checklist for where these issues arise. For example; data might be sold as an asset to a different legal personality resulting in a change in controller of the data, or the data might be being shared with an additional controller, perhaps in the case of insolvency.
An Insolvency Practitioner or other adviser may become a Data Controller or a Joint Data Controller and therefore within the ambit of the new Data Sharing Code. The Code of Practice is a statutory code prepared under Section 121 Data Protection Act 2018 and therefore will be considered by any Court or Tribunal or by the ICO in the event of an issue arising out of data sharing. It is therefore advisable to follow the statutory control and the checklist set out prior to sharing any data.
In particular, Data Controllers including new Data Controllers are reminded of their obligations to keep individual data subjects informed about changes relating to the processing of data and when they may have the right to object. The rights of personal data subjects must not be overlooked during any merger, acquisition or other change in organisational structure including insolvency. It is also important to consider the governance and accountability requirements as well as the principles of data protection and at all times check that:
For advice on this and other Data Protection matters contact
Holly Dobson at firstname.lastname@example.org or on 07912 749455
Please note this information is provided by way of example and may not be complete and is certainly not intended to constitute legal advice. You should take bespoke advice for your circumstances.