A warning for insolvency practitioners – take care when handling personal data

Published 30 March 2020

The Financial Conduct Authority, the Information Commissioner’s Office and the Financial Services Compensation Scheme have issued a joint statement warning insolvency practitioners to be careful when handling personal data.

The Joint Statement says that the FCA, ICO and FSCS are aware that some IPs and FCA - authorised firms have attempted to sell clients’ personal data to claims management companies, where it is likely claims for compensation will be made to the FSCS.

Claims can be made to the FSCS in certain circumstances when an individual is owed money by a firm that is unable to meet its financial obligations. CMCs are representative firms that handle (at a price) certain types of compensation claims, and are themselves now authorised by the FCA.

In circumstances where IPs sell clients’ personal data to CMCs, the Joint Statement warns:

“The terms, conditions and clauses within a standard contract are highly unlikely to constitute sufficient legal consent for personal data to be shared with CMCs to market their services, and may not be lawful.”

Passing on personal data with the intention of it being used for marketing without the required consent will be a breach of companies’ obligations under the General Data Protection Regulation, and the resulting electronic marketing communications, a breach of Privacy and Electronic Commerce Regulations. The FCA and ICO warn they “will take action” where they identify breaches. Both regulators have the right to impose significant fines and, in the case of the FCA, to require redress to be provided to affected data subjects.

IPs should have been alive to their GDPR obligations since the regulation and the Data Protection Act came into force in May 2018. Where consent is the lawful basis for processing personal data, IPs must check how a data subject’s consent has been sought and recorded, as well as the scope of that consent.

As flagged by the Joint Statement, IPs need to consider carefully whether clients of a now insolvent company consented to receiving marketing material asking whether they would like help with a claim against a company or to the FSCS, or, as is more likely, their consent is limited to simply receiving marketing materials solely about that company and its products.

The publication of the Joint Statement suggests that it has come to the regulators’ attention that some IPs have been failing in their GDPR obligations, at the very least in respect of selling personal data to claims management companies.

Where a FCA-authorised firm enters administration and eligible claimants are entitled to bring claims before the FSCS, the Joint Statement says that the FSCS will work jointly with the IP to identify potential claimants. In those circumstances, it says that consumers should contact the FSCS directly and the IP should contact the consumer to explain what the administration of the firm means for them.

The Joint Statement is a warning that IPs must take care when handling personal data. Regulators are alive to the issue and will take action. If in doubt about your obligations, seek expert advice.

The Joint Statement is available here.