ICO - FS50897723

From GDPRhub
Revision as of 21:38, 21 April 2021 by AD (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ICO - FS50897723
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(a) GDPR
Article 10 GDPR
216 (4) of the Insolvency Act 1986
3(2) of the DPA
Type: Complaint
Outcome: Rejected
Started:
Decided: 14.04.2020
Published:
Fine: None
Parties: The Insolvency Service
The individual/ Complainant
National Case Number/Name: FS50897723
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: n/a

On April 14, 2020, the ICO supported the decision of the Insolvency Service to withold the information it held about insolvent companies. Furthermore, it stated that the confirmation or denial by the Insolvency Serivce that it held more information about the companies within the scope of the request invovled the disclosure of personal data itself.

English Summary

Facts

The Insolvency Services received a request to provide all information regarding two companies it holds on record. The complainant believed that the Director of an insolvent company had set up a second company with a prohibited name and had requested information about both companies.

Article 216 Insolvency Act prohibits the Director of an insolvent company to use the name of that company in the 12 months leading up to the liquidation.

The Insolvency Service noted that the information it held was already public and that it could not disclose the remainder as it falls under the personal data of an individual (the Director). However, in its communication with the complainant, the Insolvency Services indirectly confirmed that it held more information, by mentioning that the legislation only prevented the directors of the insolvent company from being involved with another company using the same or similar name.

The complainant challenged the way his request was handled by the Insolvency Service before the Information Commission Office.

Dispute

The Commissioner had to determine whether the Insolvency Service dealt appropriately with the request to the extent that it covered information not already in the public domain.

But first, the Commissioner considered whether the Insolvency Service should have confirmed or denied holding further information within the scope of the request as providing the confirmation or denial involves the disclosure of personal data itself.

Moreover, Commissioner considered as well whether the Insolvency Service would be disclosing information relating to the criminal convictions and offences of a third party by confirming or denying that it holds further information within the scope of the request.

Holding

The Commissioner stated that the information, specifically the confirmation or denial about having more information, in the scope of the request, would fall within the definition of ‘personal data’ defined in section 3(2) DPA: “Any information relating to an identified or identifiable living individual”. The Commissioner explains that an identifiable living individual is one who can be identified, directly or indirectly, by reference to an identifier such as a name, location data, etc. The confirmation or denial that information was held by the Insolvency Service, not arleady in the public, either way, would involve the disclosure of something about the Director – who is indirectly identifiable from the request.

Providing a confirmation or a denial whether it holds information falling within the scope of the request, the Insolvency Service disclosed the personal data, and therefore, by doing so, it breached data protection principles. Here, the Commissioner referred to Article 5(1)(a) GDPR.

Moreover, the Commissioner also stated that confirmation or denial, would involve the processing of the criminal offence data in the scope of the request. Referring to Article 10 GDPR, as well as domestic legislation, the Commissioner underlined that by indirectly confirming or denying the information, it confirmed that it had taken steps to establish whether a breach of Section 216 had occurred, by doing so, the Insolvency Service processed and disclosed criminal offence data.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.