Data on deals
A buyer will typically require disclosure of personal data about incoming employees. How can the seller comply, whilst observing data protection…
The Information Commissioner’s Office (ICO) is tasked with ensuring compliance with the Data Protection Act 1998 (DPA). There are seven key principles, as well as detail, governing the security of personal data. Personal data is, broadly, data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the person controlling the information.
Data security breaches have been the subject of plenty of recent publicity. The ICO has been working to raise public awareness of the need for data security and of its role in policing the provisions of the DPA. The organisations it has targeted have been diverse, including local authorities (e.g. Cornwall Council and the London Borough of Ealing), Wiltshire Police and the Royal Bank of Scotland. In the last of these cases, RBS had sent dozens of faxes over a 14-month period to an incorrect fax number belonging to a third-party organisation. The faxes included the account numbers and sort codes of a number of bank customers, and the breach resulted in the bank’s CEO giving a public undertaking to improve the bank’s procedures. In addition, the ICO has recently issued fines, some significant in financial terms as well as being harmful to reputation, to the British Heart Foundation, the RSPCA, The Money Shop and Hampshire County Council. In the last two cases, the fines were £180,000 and £100,000.
General awareness of the consequences of breaching data protection law has been increased by the publicity surrounding these recent ICO actions.
How does this affect corporate sales?
One aspect of the M&A process arises regularly and needs to be handled carefully: the transfer by the seller(s) to the proposed buyer of information relating to the employees of the target business/company. This information is very likely to comprise “personal data” for the purposes of the DPA and so should be dealt with in accordance with the data protection principles set out in the Act. That would require the information to be kept confidential, which would restrict it from being shared with the proposed buyer.
However, as regards business transfers, the Transfer of Undertakings (Protection of Employment) Regulations 2006 (as amended) (“TUPE”) require that the new employer is provided with certain specific details about its new workforce in advance of any transfer or change in service provision. The DPA permits these disclosures because they are required by law.
There will be other cases where the TUPE exemption does not apply: share deals, asset sales which do not amount to business transfers for the purposes of TUPE, and cases where the buyer of a business requires information about employees which is not covered by TUPE.
In these cases, the seller should release information that is anonymous or, at the very least, should remove obvious identifiers such as employees’ names (“redaction”) to ensure that employees are not identifiable from the data being transferred. Sellers should consider only disclosing this extra information with the consent of the individuals concerned, or putting in place appropriate safeguards to make sure that the information will only be used in connection with the proposed share/business transfer and will not be kept once it has been used for this purpose. This can be a complex area and each case will need to be carefully considered and appropriate advice taken.
It is interesting to note that the ICO has recently recorded a 12% increase in cases where sensitive information has not been adequately redacted. It could be just a matter of time before a failure to deal properly with employee information on a corporate deal adds to the list of ICO fines.