Data on deals: what are your obligations?
The ICO is tasked with ensuring compliance with the Data Protection Act. There are seven key principles governing the security of personal data.
The Information Commissioner’s Office is tasked with ensuring compliance with the Data Protection Act. There are seven key principles, as well as detail, governing the security of personal data. Personal data is, broadly, data which relates to a living individual who can be identified from the data, or from the data and other information which is in the possession of, or is likely to come into the possession of, the person controlling the information.
Data security breaches have been the subject of plenty of recent publicity. The Information Commissioner has been working to raise public awareness of the need for data security and of its role in policing the provisions of the DPA. The organisations it has targeted are diverse, including local authorities (e.g. Cornwall Council and London Borough of Ealing), Wiltshire Police and the Royal Bank of Scotland. In the latter case, RBS had sent dozens of faxes over a 14-month period to an incorrect fax number belonging to a third-party organisation. The faxes included the account numbers and sort codes of a number of bank customers, and the breach resulted in the bank’s CEO giving a public undertaking to improve the bank’s procedures. In addition, the ICO has recently issued fines, some significant in financial terms as well as being harmful to reputation, to the British Heart Foundation, the RSPCA, The Money Shop and Hampshire County Council. In the last two cases, the fines were £180,000 and £100,000.
General awareness of the consequences of breaching data protection law has been increased by the publicity surrounding these recent ICO actions.
TUPE and personal data
One aspect of corporate transactions arises regularly and needs to be handled carefully: the transfer by the seller(s) to the proposed buyer of information relating to the employees of the target business/company. This information is very likely to comprise personal data for the purposes of the DPA and so should be dealt with in accordance with the data protection principles set out in the Act. This would require any such information to be kept confidential, which would restrict it from being shared with the proposed buyer.
However, as regards business transfers, the Transfer of Undertakings (Protection of Employment) Regulations require that the new employer is provided with certain specific details about their new workforce in advance of any transfer or change in service provision (usually known as Employee Liability Information). The DPA permits these disclosures because they are required by law.
On any transfer, your starting point when dealing with employee data should be the Information Commissioner’s Guidance on disclosure of employee information under TUPE. The Guidance explains that, while the disclosure of employee information is required by law, parties must still comply with data protection principles when handling personal information. The Information Commissioner recaps the information that must be provided under TUPE and highlights the importance of thinking about data early in the transfer process. Ideally, parties should agree what information will be transferred, and how, well before the transfer takes place.
It is also important to make sure excessive or irrelevant information is not transferred and that those responsible for negotiating the transfer of staff are aware of their responsibilities to comply with the data protection principles (for example, to keep personal data up to date and secure). The Guidance also encourages employers to inform staff that their information will be transferred to the new employer (although the practicality of this may depend upon the circumstances) and to ensure that any records retained post-transfer are accurate, relevant and up to date. Any unnecessary information in the former employer’s possession post-transfer should be securely disposed of.
Other types of cases
There will be other cases, such as share deals and asset sales which do not amount to business transfers for the purposes of TUPE, where the buyer of a business requires information about employees which is not covered by TUPE and the TUPE exemption does not apply.
In these cases, the seller should release information that is anonymous or, at the very least, should remove obvious identifiers such as employees’ names (“redaction”) to ensure that employees are not identifiable from the data being transferred. Sellers should where possible consider only disclosing this extra information with the consent of the individuals concerned, or putting in place appropriate safeguards to make sure that the information will only be used in connection with the proposed share/business transfer and will not be kept once it has been used for this purpose. This can be a complex area and each case will need to be carefully considered and appropriate advice taken. The agreements signed between the parties about the information being provided can be very important, both in order to protect your employee information and to ensure compliance with the DPA.
It is interesting to note that recently the ICO has recorded a 12% increase in cases where sensitive information has not been adequately redacted. It could be just a matter of time before the failure to deal properly with employee information on a corporate deal adds to the list of ICO fines.
Robert Turnbull (email@example.com) is a consultant in the corporate team at Weightmans LLP and is based in Manchester. If you have any questions about your obligations on dealing with data, please do not hesitate to get in touch with him or speak to your usual advisor in the Employment, Pensions and Immigration team. Weightmans are able to assist with all aspects of transfers, mergers and acquisitions, and commercial contracts. If you are at all concerned about any such issues, please do speak to us; we are happy and able to help.