Many companies will be in possession of a list of clients and this client list will normally be in the form of a computerised database. This database is potentially an asset, which can be sold or licensed for the benefit of the insolvent company.
Because such databases contain personal information the seller usually will run into difficulties under the Data Protection Act 1998 (“DPA 1998”) if the individuals included in the database were not told in the first instance that their information could potentially be passed on to other organisations. However the DPA 1998 will not prevent the sale of such a database, provided that certain requirements are met. Some of these requirements are detailed below.
For what purpose was the information originally collected?
When personal information is collected from individuals (“data subjects”), the DPA 1998 requires it to be made clear to the data subjects what the data will be used for. When a database is sold, the Official Receiver should make sure that the buyer understands that it can only use the information for the purposes for which it was originally collected. Selling it to a business for a different use is likely to be incompatible with the original purpose and therefore go beyond the expectations of the data subjects. Although this means that your number of potential buyers for the information is reduced, it also means you have a unique selling angle as the information is by default ‘tailored’ for your prospective clients’ needs.
The buyer of a database will often seek to use it to send marketing material. Whether it will be able to do so will depend on the basis on which the personal information concerned was originally gathered. The general rule is that unsolicited marketing can be sent to data subjects where they have agreed to this or where this is nevertheless likely to be within their reasonable expectations.
The buyer should also establish whether data subjects would only expect to receive marketing via a particular medium, for example via the postal system. Particular care should be taken when there is an indication the data will be used for telephone or email marketing and the special rules governing electronic marketing should be complied with. Unsolicited marketing emails should only be sent to individuals who have consented and buyers should not assume consent if an individual does not respond.
When they have established that they can use the personal information for marketing, the buyer should only market products and services which are similar to those that the information has been used to market previously. Before selling databases to potential buyers the Official Receiver should point out any restrictions imposed by the DPA on the use of marketing material.
The Official Receiver has a responsibility to ensure that the personal information being sold on is used properly. As a result any potential buyer should be notified they can only use the personal information contained within the database for the purposes it was originally collected. In doing so, the Official Receiver will need to inform any buyer what these purposes were. If the buyer then expresses a wish to use the personal information for a new purpose, the Official Receiver should advise the buyer that it must gain consent from all the individuals concerned before it can use it in any other way.
This is not the only circumstance in which the new owner of the information will have to contact the individuals contained within the database. If the database is sold it is then the responsibility of the buyer to ensure all individuals contained within it are informed of the details of the new owners and should receive confirmations that the information will only be used in the same way as before. This is not as daunting a task as it first seems, as it is highly likely all the contact details needed to meet this task will be within the database itself. Before selling the database, the Official Receiver should ensure that the buyer undertakes to inform all individuals that it now holds the information.
Can information be held on databases indefinitely?
Any personal information held should be adequate, relevant and not excessive, and it should not be kept for longer than necessary. The Official Receiver should inform the potential buyer that it is required to decide how much of the information supplied it needs to keep and any unnecessary personal information should be deleted. It is important that personal information is not held in the hope that it one day might be useful.
What happens if the database cannot be sold?
If no potential buyers can be found for a database or if the Official Receiver so orders, the information held should be deleted and/or destroyed immediately.