The High Court in Southern Pacific Personal Loans(SPPL) Ltd  EWHC 2485 (Ch) (8 August 2013).) last week held that liquidators of a company in creditors’ voluntary liquidation are not data controllers for the purposes of the Data Protection Act 1998 (DPA 1998).
Although SPPL was in liquidation it retained a mass of personal data concerning its previous business history. This data resulted in many subject access requests (DSAR) from claims handling companies re PPI policies.
As a result the liquidators sought clarification from the High Court as to whether or not and in accordance with the Data Protection Act 1988 they were data controllers, if not, of course they were free to refuse the DSARs.
It was held that the liquidators were SPPL’S agents and not data controllers. The 5th principle under the DPA states that ‘Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes’.
In order for the liquidator to comply with the fifth data protection principle of the DPA 1998 they should dispose of the redeemed loans data asap. This was because they no longer needed the data to administer those loans.
London Borough of Southwark v IBM UK Limited  EWHC 549.