The Financial Conduct Authority (FCA), Information Commissioner’s Office (ICO) and Financial Services Compensation Scheme (FSCS) issued a joint statement on 7 February 2020 regarding the sale of personal data in relation to an insolvency appointment.
The statement is reproduced in full below, but for our readers I have summarised the content and added my own comments on how this might affect the insolvency profession.
The FCA, FSCS and ICO are concerned that insolvency practitioners (IPs) are selling customer data to companies that process claims for financial compensation (Claims Management Companies or CMCs).
IPs are being warned that, because standard contracts are unlikely to allow customers’ personal data to be used in this way, any such sale may be unlawful. The regulators have not gone so far as to say that it is definitely a breach of GDPR, but it’s pretty close.
The statement goes on to set out the obligations of CMCs under FCA guidelines and GDPR. It looks as though they would consider both parties at fault: not just the IP who sold the data, but also the CMC that is using it, given that they believe the transaction is likely to be unlawful.
The statement goes on to say that even if the claims are sold, the FSCS should expect claims to be made directly to them and the use of any CMC would merely delay matters.
How does this affect the insolvency profession?
Well, I believe there have been queries for some time over selling customer ledgers to the purchaser of a business. Whilst this is not covered in this statement (it focuses only on the selling of data to CMCs to enable customers to claim financial compensation), it raises further questions about how far-reaching the regulators consider GDPR to be within the insolvency sector and what assets are now precluded from being sold.
As always when it comes to matters such as this, legal advice should be obtained before any sale of data is undertaken.
The Joint Statement in full
“We are aware that some insolvency practitioners (IPs) and FCA-authorised firms have attempted to sell clients’ personal data to claims management companies (CMCs) unlawfully.
This can happen either before or after a firm has gone into administration and where it is likely claims for compensation will be made to FSCS.
The terms, conditions and clauses within a standard contract are highly unlikely to constitute sufficient legal consent for personal data to be shared with CMCs to market their services, and may not be lawful.
By passing on personal data, companies may be failing to meet their obligations under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
Any subsequent direct marketing calls, texts or emails carried out by CMCs may breach the Privacy and Electronic Communications Regulations 2003 (PECR).
CMCs are required to act honestly, fairly and professionally in line with the best interests of their customers, as required by FCA’s Handbook. CMCs using such personal data may not be acting in the customers' interests. CMCs seeking to rely on legitimate interest grounds for processing such data are highly unlikely to meet the requirements of the GDPR.
CMCs that intend to buy and use such personal data must be able to demonstrate how they have considered the fair treatment of customers and how their actions comply with privacy laws.
Where the FCA or the ICO identify breaches of the relevant data protection legislation, or CMCOB (the Claims Management: Conduct of Business sourcebook), or any other relevant parts of the FCA’s Handbook, we will take appropriate action.
Consumers’ rights to compensation from FSCS