So, David Hall is challenging the provisions of the Personal Insolvency Act regarding the publication of details on public registers. I’m quoted in this Irish Times article about it. My comments, which I expand on here as an update to my earlier post, were to the effect that:
- The publication of detailed personal data on a publicly accessible register would invite the risk of identity theft in the absence of any appropriate controls over the access to that data.
Examples of public registers where controls are in place are the Electoral Register (search one name and address at a time), and the Companies Registration Office (find out the home addresses of Directors if you pay a small admin fee), or the list of Revenue Tax defaulters (publication only over a threshold, summary personal data published).
Public does not mean Open. Public means that it should be able to be accessed, subject to appropriate controls. The requirement to name people who are in an insolvency arrangement needs to be balanced against their right to personal data privacy and the risk of identity theft or fraud through the use of published personal data.
The mockup Register entries presented on the ISI website may do the organisation a disservice with the level of data they suggest would be included and I await the publication of further revisions and the implementation of a control mechanism to introduce balance between the requirement to publish a Register and the need to protect personal data privacy. But of course, Section 133 of the Personal Insolvency Act is silent as to what the actual content of the published Registers should be (at least as far as I can see). So there is scope for some haggling over the content of what the final Registers will be.
A key question to be considered here is what is the purpose of the Registers and what is the minimum data that would be adequate and relevant to be provided on a Register to meet that purpose.
Section 133(4) allows for the public to “inspect a Register at all reasonable times” and to take extracts or copies of entries, and even allows for a small fee to be charged (the “reasonable cost of making a copy”). So there is scope for some form of access control to be put in place either with a search mechanism like the electoral register and/or the operation of a paywall for the making of copies (e.g. generating a pdf report on headed paper, at €1 a go).
- Section 186 of the Personal Insolvency Act needs to be interpreted and applied with care.
Section 186 of the Personal Insolvency Act purports to suspend the operation of Section 4 of the Data Protection Acts in certain circumstances. This is the section which allows a Data Subject to request a copy of their personal data. This is a basic right under the Acts.
However the Data Protection Acts already contain provisions which allow for the suspension of Section 4 in Section 5 of the Data Protection Acts. Specifically Section 5(1)(d) allows for an exclusion for data which is being processed in the performance of a statutory function intended
…to protect members of the public against financial loss occasioned by
i) dishonesty, incompetence, or malpractice on the part of persons concerned in the provision of banking, insurance, investment or other financial services or in the management of companies or similar organisations
ii) the conduct of persons who have at any time been adjudicated bankrupt
in any case where the application of that section would be likely to prejudice the proper performance of any of those functions.
The operation of the Insolvency Service of Ireland would appear to fall under this section. But rather than a blanket exclusion, Section 5 has a more nuanced approach – you can’t have your data if it will prejudice the proper performance of the ISI’s role. Of course, 5(1)(d) only kicks in if there has been dishonesty, incompetence, or malpractice on the part of a bank that has resulted in a financial loss or risk of financial loss to the Data Subject.
Section 5 gives a number of other grounds for exclusion from the operation of Section 4. Among them are:
- If disclosing the data is contrary to the interests of protecting the international relations of the State (which would raise an eyebrow I’m sure if cited in an insolvency situation).
- If legal privilege attaches to the records in the case of communications between clients and legal advisers.
If the restriction is on disclosure of personal data during the course of an investigation then this would likely be covered under Section 5(1)(a) and there is legislative precedent in the Property Services (Regulation) Act 2011 to extend that to an investigation undertaken by the PRA under that Act.
An explanation and clarification?
The ISI has similar powers of investigation and prosecution of offences (section 180 and Chapter 5 of the Personal Insolvency Act 2012). Therefore the exemption from disclosure under Section 5(1)(a) would apply. A “belt and braces” inclusion of an exemption from section 4 of the DPA for the investigation of offences would be consistent with the Acts.
However this would only be the case for the investigation of an offence. The processing of a general complaint would not fall within the scope of an offence under the Insolvency Act or other legislation.
Therefore a blanket opt out would not exist. If an offence is suspected Section 186 reinforces the existing provisions of the Data Protection Acts. But general complaints to the Complaints committee would (based on my reading) not, unless the complaint wound up in an offence being detected. Of course a Data Subject would only be entitled to their own data.
A recent case involving the DPC and Dublin Bus made it clear that the potential for civil proceedings or a complaint were not grounds to refuse a Subject Access Request.
- Excessive Retention of Data on Public Registers is a concern.
This, of course, is another biggie from a Data Protection point of view. How long does this data need to be held for? In the UK similar schemes have the personal data removed from the public register 3 months after the debtor exits the scheme. Here…
Section 170 of the Personal Insolvency Act indicates that Personal Insolvency Practitioners will need to retain data for 6 years after the “completion of the activity to which the record relates”. This is consistent with the statute of limitations on a debt and makes sense – it would allow people who avail of an Arrangement to get access to information about their arrangement if required. However it is not the same as the Public Registers.
Section 133 sets out the provisions relating to the Registers of Insolvency Arrangements. It says nothing about the length of time a person’s data will be listed on a Register. Given the purpose is to maintain a searchable register of people who are in Insolvency Arrangements, the principle of not retaining data for longer than it is required for a stated purpose kicks in.
And, as is all too often the case in Irish legislation, we seem to be left looking to the UK for a benchmark period for retention: Duration of Arrangement plus 3 months… but that may be 3 months longer than required.
- Personal Insolvency Practitioners acting as Data Processors, and the implications for security and awareness of obligations under the Data Protection Acts
This is a squeaky wheel issue in many respects. All too often organisations will outsource functions or engage people to perform functions on their behalf on contract, which would set out the purposes of the processing and the role of the Processor and sanctions for breaching their obligations. The Personal Insolvency Act sets out how Personal Insolvency Practitioners will be appointed, empowers the ISI to set standards re: their level of education and skill, and imposes sanctions for breaches of the standards of conduct of the role.
The function of a PIP is one which could have been undertaken internally within the ISI but it has been decided to outsource it to these PIPs.
Therefore a PIP is likely to be viewed as a Data Processor acting on behalf of the Data Controller (ISI) [for more on this read here]. Therefore they need to be taking (at a minimum) appropriate security measures to prevent unauthorised access to data. The concern I expressed in the article was that it is an unknown quantity what level of understanding of their obligations under the Data Protection Acts a PIP will have and what training (if any) will be provided.
Section 161(c) of the Personal Insolvency Act 2012 provides a mechanism for this to be addressed through the prescribing of the completion of appropriate training from a qualified trainer with a proficiency in Data Protection as one of the training requirements for authorisation as a PIP.
[Disclosure: my company provides an extensive range of Data Protection compliance review and training services]