Custodia-Admin

Originally published at app.custodia-privacy.com

GDPR for Insolvency Practitioners: A Complete Compliance Guide

Why GDPR Applies to Insolvency Practitioners

Insolvency practitioners (IPs) occupy a unique position at the intersection of financial law and personal data. When a company enters administration, liquidation, or a voluntary arrangement, the IP immediately becomes responsible for vast quantities of personal data: debtor financial records, employee payroll files, creditor contact details, and court documents that may contain highly sensitive personal information.

The UK GDPR and the Data Protection Act 2018 apply to IPs in exactly the same way they apply to any other organisation processing personal data. Being appointed as an administrator or liquidator does not grant any automatic exemption from data protection law. In fact, the sensitive nature of the data involved — financial details, employment records, personal addresses — means that the obligations are more demanding, not less.

The Information Commissioner's Office (ICO) has made clear that organisations cannot use insolvency proceedings as a reason to disregard data protection obligations. Whether an IP is processing data as a data controller in their own right or as a data processor on behalf of another party, compliance is mandatory and enforceable.

What Data Insolvency Practitioners Collect

The volume and variety of personal data flowing through an insolvency case is substantial. Understanding what you hold is the first step toward compliance.

Debtor Personal and Financial Details

In individual insolvency cases — bankruptcy, individual voluntary arrangements (IVAs), debt relief orders — IPs collect extensive personal data about the debtor. This includes full name, date of birth, national insurance number, home address, employment history, bank account details, pension information, and a complete picture of assets and liabilities. Much of this information would be classified as sensitive by any reasonable standard, and some categories — such as health information relevant to earning capacity — may qualify as special category data under Article 9 of the UK GDPR.

Creditor Lists and Contact Information

Every insolvency case involves a creditor register. In corporate insolvencies this typically includes trade creditors, HMRC, banks, and bondholders. In personal insolvencies it often includes individual lenders, family members who are owed money, and utility providers. Each creditor record contains personal data: name, address, contact details, and the amount owed. Maintaining this register accurately and securely is a core IP obligation with clear data protection dimensions.

Employee Records from Insolvent Companies

When a company enters administration or liquidation, the IP assumes responsibility for employee records. These include contracts of employment, payroll records, tax codes, bank details for salary payments, holiday entitlement records, disciplinary files, and any occupational health information. Employee data is among the most sensitive categories an IP will handle, and the TUPE regulations add an additional layer of complexity when some or all of the business is sold as a going concern.

Court Documents and Legal Filings

Statutory reports, witness statements, and court filings in insolvency proceedings routinely contain personal data about directors, shareholders, creditors, and debtors. Some of this information is required to be filed publicly at Companies House or the Insolvency Service, while other material remains confidential to the proceedings.

The Tension Between Insolvency Law and GDPR Data Minimisation

One of the most challenging aspects of GDPR compliance for IPs is navigating the inherent tension between insolvency law's disclosure requirements and the GDPR principle of data minimisation. Article 5(1)(c) of the UK GDPR requires that personal data be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."

Yet the Insolvency Act 1986, the Insolvency Rules 2016, and regulatory guidance from the Insolvency Service and recognised professional bodies (RPBs) such as the IPA, ICAEW, and ACCA often require comprehensive disclosure of financial information that would, in other contexts, be minimised or anonymised.

The solution lies in the lawful basis framework. Where disclosure is required by law, the legal obligation basis (Article 6(1)(c)) provides a clear justification. Where data processing serves the legitimate interests of creditors in recovering what they are owed, Article 6(1)(f) applies. IPs should document these justifications in their records of processing activities (RoPA) and communicate them clearly in privacy notices to affected data subjects.

Lawful Basis for Processing

IPs will rely on multiple lawful bases depending on the type of processing and the data subjects involved.

Legal Obligation (Article 6(1)(c))

Much of what an IP does is mandated by statute. Filing statutory reports with the Insolvency Service, notifying creditors of meetings, submitting returns to HMRC, and complying with court orders all constitute processing under a legal obligation. This basis requires no consent from data subjects and cannot be withdrawn by them. It provides a robust foundation for most core IP activities.

Legitimate Interests (Article 6(1)(f))

Where processing is not strictly required by law but serves the legitimate interests of creditors, the IP's practice, or the orderly conduct of the insolvency, legitimate interests may apply. This requires a legitimate interests assessment (LIA) balancing the IP's interests against the data subject's rights and freedoms. The ICO provides guidance on conducting LIAs, and IPs should document these for each processing activity where this basis is relied upon.

Special Category Data

Where IPs process special category data (health, biometric, racial or ethnic origin, trade union membership), they must identify both a standard Article 6 basis and a separate Article 9 condition. For IPs, the most commonly applicable Article 9 conditions are processing necessary for the establishment, exercise, or defence of legal claims (Article 9(2)(f)), and processing necessary for reasons of substantial public interest under domestic law (Article 9(2)(g)).

Creditor Data: Maintaining Creditor Registers

The creditor register is central to any insolvency case. IPs must collect sufficient information from creditors to verify claims, communicate about meetings and decisions, and distribute funds. This creates a substantial processing activity that requires proper documentation and controls.

Lawful basis: Processing creditor data is justified primarily under Article 6(1)(c) (legal obligation) and Article 6(1)(f) (legitimate interests of creditors and the insolvency estate). Where creditors are individuals rather than companies, they are data subjects in their own right and must receive appropriate privacy notices.

Privacy notices: Individual creditors should receive a privacy notice at the point their data is first collected — typically when they submit a proof of debt. This notice should explain who is processing their data, why, on what lawful basis, how long it will be retained, and what rights they have.

Data accuracy: Creditor registers must be kept accurate and up to date. The UK GDPR's accuracy principle (Article 5(1)(d)) requires that personal data be "accurate and, where necessary, kept up to date."

Employee Data from Insolvent Companies

When a company enters administration, the IP takes on the role of employer for data protection purposes. The employees of the insolvent company are data subjects whose information must be handled with the same care as any other employer would apply.

TUPE Obligations

Where some or all of a business is sold out of administration, the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE) require the transferor (in practice, the administrator) to provide the incoming employer with "employee liability information." This includes age, employment particulars, disciplinary and grievance records within the preceding two years, and details of any collective agreements.

Transferring this data to the buyer is a lawful processing activity under Article 6(1)(c) (legal obligation under TUPE) and must be covered in the privacy notices issued to employees.

Redundancy and Final Pay

Where employees are made redundant, IPs must process financial data to calculate and administer redundancy payments, including claims to the National Insurance Fund via the Redundancy Payments Service. This processing is clearly covered by the legal obligation basis.

Court-Mandated Disclosures and the Insolvency Act

The Insolvency Act 1986 and the Insolvency (England and Wales) Rules 2016 impose extensive reporting and disclosure obligations on IPs. These include progress reports to creditors, statements of affairs, reports to the Secretary of State on director conduct, and applications to court that may contain personal data about multiple parties.

All of these are justified under the legal obligation lawful basis. However, IPs should be aware that the existence of a legal obligation to disclose does not override all data protection considerations. The principle of data minimisation still applies: disclose what the law requires, and no more.

Data Sharing with the Insolvency Service and Regulatory Bodies

IPs are subject to regulation by their recognised professional body (IPA, ICAEW, ACCA, or the Insolvency Service directly for official receivers) and must share information with these bodies and with government agencies including HMRC, the Pensions Regulator, and Companies House.

The Insolvency Service has its own privacy notices and data sharing arrangements. IPs who share case data with the Insolvency Service are typically doing so under legal obligation (Article 6(1)(c)), but they should ensure that any data sharing agreements or protocols are documented.

Data Retention for Insolvency Case Files

Determining how long to retain insolvency case files is one of the most practical compliance challenges IPs face. There is no single universal retention period: the appropriate period depends on the type of case, the regulatory requirements of the IP's RPB, and any outstanding litigation or regulatory investigations.

IPA and RPB Requirements

The Insolvency Practitioners Association (IPA) and other RPBs set minimum retention periods for case files as part of their regulatory requirements. Typically, case files must be retained for at least six years after the closure of the case. Some RPBs require longer periods in complex cases or where there is a possibility of future litigation or regulatory investigation.

Practical Retention Policy

IPs should maintain a written data retention policy that specifies retention periods for each category of case file and explains the justification for those periods. The policy should cover both physical and electronic records and should specify the secure destruction method to be used when files are deleted.

Handling Data Subject Access Requests During Proceedings

DSARs present a particular challenge in insolvency. A debtor, a former employee, or a creditor may submit a DSAR to the IP at any point during live proceedings. The IP must respond within one calendar month regardless of the complexity of the insolvency case.

Who is the data controller? This is often the first question to resolve. In most insolvency cases, the IP acts as the data controller in their own right for case management data.

Exemptions: The Data Protection Act 2018 contains exemptions that may be relevant to DSAR responses during insolvency proceedings. Schedule 2, Part 1 provides exemptions where disclosure would prejudice the prevention, detection, or investigation of crime.

Third-party data: DSAR responses must not disclose personal data about third parties without their consent, unless it is reasonable to do so. In an insolvency context, a debtor's DSAR may encompass files that contain information about creditors or employees. IPs must redact third-party personal data before providing the response.

Practical Compliance Checklist for Insolvency Practitioners

  • Register with the ICO: All IPs who process personal data as a data controller must register with the ICO and pay the data protection fee.
  • Maintain a Record of Processing Activities (RoPA): Document every category of personal data processed in insolvency cases, including the purpose, lawful basis, data sources, recipients, retention periods, and security measures.
  • Issue privacy notices: Ensure that debtors, creditors, employees, and other data subjects receive clear privacy notices explaining how their data will be used.
  • Conduct Legitimate Interests Assessments: For any processing not covered by legal obligation, document a LIA.
  • Implement a data retention schedule: Align retention periods with RPB requirements (typically six years post-case closure).
  • Establish a DSAR procedure: Designate a DSAR lead, implement a DSAR log, and ensure all staff know how to recognise and escalate a DSAR.
  • Secure case file storage: Implement appropriate technical and organisational measures to protect case files, both physical and electronic.
  • Manage data sharing agreements: For each entity with which case data is shared, confirm the lawful basis for sharing and document it.
  • Train your team: All staff involved in insolvency case management should receive data protection training.
  • Report data breaches: Implement a breach detection and reporting procedure. Breaches must be reported to the ICO within 72 hours.

GDPR compliance is not an afterthought for insolvency practitioners — it is a core professional obligation that runs alongside the statutory duties imposed by insolvency law. IPs who build robust compliance frameworks into their case management processes will be well placed to meet regulatory scrutiny and protect the data subjects whose information they are entrusted to handle.

Custodia helps insolvency practices build compliant privacy frameworks. Start with a free privacy scan at app.custodia-privacy.com.
