Buying and selling businesses can create some
difficult data protection issues. How can the seller,
for example, disclose employee and customer
information to prospective buyers for due diligence
purposes without breaching the Data Protection
Act? To what extent can customer data collected by
the seller be used by the buyer for new or different
purposes going forward? Similar issues arise in
outsourcing transactions where the outsourcing
service provider may want access to employee or
other data to conduct due diligence. In this article,
we examine the key data protection rules and
identify pragmatic solutions to manage these risks.
A. Data protection – scope
The Data Protection Act 1998 regulates “personal
data”. Personal data is defined broadly as:
data which relate to a living individual who can be identified:
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller;
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
The Court of Appeal has recently sought to
limit the scope of this broad definition in the case
of Durant v Financial Services Authority so that
“personal data” only covers information which is
biographical in a significant sense and has the data
subject as its focus. However, in practice, much of
the information that a seller would want to
disclose as part of, for example, a due diligence
exercise would probably be caught by either
version of the “personal data” definition. On this
score the Durant case may not make much
difference in the context of business transfers.
However, the Court of Appeal also reduced the
scope of manual files which are caught by the Data
Protection Act. In future, manual files will
probably only be caught by the Data Protection
Act where they are sub-divided to allow the
searcher to go straight to a particular category of
information to retrieve particular information.
Thus, if the seller of a business proposes to
disclose manual filing systems to prospective
purchasers, the new Court of Appeal rules may
help in limiting the scope of data protection risk.
B. Data protection – the legal rules
The Data Protection Act 1998 imposes two key
requirements which are applicable to business sales:
• Data controllers must ensure that data subjects (for example, employees/retail customers) are first given the “fair processing information”;
• Data controllers must ensure that any disclosure of personal data complies with
  • one of the “gateway conditions” set out in Schedule 2 to the Data Protection Act, and
  • in the case of sensitive personal data, one of the additional conditions set out in Schedule 3 to the Data Protection Act.
We examine each of these requirements below.
C. Fair processing information
The obligation to provide “fair processing
information” is contained in the First Principle of
the Data Protection Act 1998. This requires the
following information to be provided to the data
subjects (for example, the relevant employees,
retail customers or individual suppliers):
• The identity of the data controller (i.e. the name of the seller and any other party who will be granted access to the personal data);
• The purpose or purposes for which the data are intended to be processed (for example, for due diligence review);
• Any further information which is necessary to enable the processing in respect of the data subject to be fair (for example, any special or unusual circumstances would need to be spelt out clearly to the data subject).
Clearly, it will often be highly unattractive and
indeed impractical for the seller of a business to
tell all its employees, retail customers and
individual suppliers that it is considering selling.
Indeed, in order to fully comply, the seller would
also need to disclose the identity of each of the
Data protection
Data protection and business sales – risks and solutions?
Nick Graham, Denton Wilde Sapte, London
Computer Law & Security Report Vol. 20 no. 4 2004 ISSN 0267 3649/04 © 2004 Elsevier Science Ltd. All rights reserved
prospective buyers to these individuals. There are
two possible solutions to this issue:
• Firstly, the “fair processing” rules do not apply
where the relevant personal data is obtained
from someone other than the data subject and
compliance with the “fair processing” rules
would involve a “disproportionate effort”.
This, in principle, could help prospective
buyers who obtain personal information about
employees or customers from the seller.
“Disproportionate effort” is not defined in the
Data Protection Act. Guidance from the
Information Commissioner suggests that the
fact that a data controller has to expend a
substantial amount of effort or cost in
providing the information does not necessarily
mean that he can rely on the
“disproportionate effort” exemption. In
practice, it is difficult to see how sending, for
example, a round robin e-mail to all relevant
employees or customers could involve
“disproportionate effort”. This assumes email
addresses are available. In any event, this
solution will not help the seller of the business
who acquired the personal information from
the relevant data subject.
• Secondly, the seller could anonymise the
relevant personal information. In the case of
employee information, for example, the seller
could remove individual names and job titles
and provide the remaining information to
prospective buyers in redacted form. This, in
principle, takes the information outside the
scope of the Data Protection Act and therefore
avoids the obligation to provide the “fair
processing” information. It is also regarded as
good practice by the Information
Commissioner as it minimises the amount of
information being disclosed.
It is worth bearing in mind, however, that
anonymising personal data is easier said than
done. Guidance from the Information
Commissioner also suggests that if a data
controller, having stripped out personal identifiers
so as to create an “anonymised” set of data,
retains the original data set, the data controller
will still be able to identify particular individuals
from the so-called “anonymised” data set which
will remain personal data in the hands of that
data controller. In any event, there is a residual
risk that removal of, for example, names and job
titles from employee information may not prevent
identification of particular individuals. If the pool
of data is relatively small or relates to, for
example, senior management it may be obvious
that the information relates to particular
individuals. Anonymisation, therefore, reduces the
data protection risk but does not exclude it.
D. The “gateway conditions”
The Data Protection Act also requires all
processing of personal data to comply with the
“gateway conditions”. These conditions generally
require the data controller to obtain the consent
(or, in the case of sensitive personal data,1 explicit
consent) of the data subjects. The term “consent”
is defined in the Data Protection Directive
95/46/EC as:
Any freely given specific and informed
indication of [the data subject’s] wishes by which
[he] … signifies his agreement to personal data
relating to him being processed.
Needless to say, it will be highly unattractive
for a seller of a business to obtain the consent of,
for example, all relevant employees, customers and
suppliers to the disclosure of their information to
prospective buyers for due diligence purposes.
Indeed, unless 100% of the consents are obtained
in accordance with the requirements of the Data
Protection Act, there is a residual non-compliance
risk in any event. The potential solutions to this
issue are as follows:
• There are a number of alternative “gateway
conditions” which, for example, a seller may
be able to rely on. In particular, a seller can
disclose information to prospective buyers
where the disclosure is:
“necessary for the purposes of legitimate
interests pursued by … [the seller] … or by
the third party or parties to whom the data
are disclosed, except where the processing is
unwarranted in any particular case by reason
of prejudice to the rights and freedoms or
legitimate interests of the data subject”.
This, in principle, will often permit the
disclosure of personal information to
prospective buyers. It may also permit the
disclosure of information in the context of an
outsourcing service contract where the
prospective bidders want to access, for
example, employee information for due
diligence purposes. The question as to whether
the above condition can be relied on in any
particular case will, of course, depend on the
particular facts. In particular, a balance has to
be struck between the legitimate interests of
the data controller and those of the relevant
data subjects. However, it will generally help to
take the following further precautions:
  • Information should only be disclosed under the terms of suitable confidentiality agreements;
  • Information should only be used for permitted purposes;
  • Logical and physical access and security restrictions should be put in place to protect the information;
  • Consideration should be given to whether the information should be returned or destroyed in due course.
• The alternative solution is for the data controller to anonymise the personal data so as to take the whole issue outside the scope of the Data Protection Act. Although this, in principle, avoids the obligation to comply with the “gateway conditions”, true anonymisation is, as explained above, difficult to achieve in practice. Data controllers often, therefore, adopt a two tier approach under which suitable confidentiality agreements are put in place and personal information is anonymised insofar as possible to reduce and/or exclude the risks.
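Two points made above are easy to check mechanically: that stripping names and job titles from a small employee extract can leave individuals (senior management in particular) identifiable from the attributes that remain, and that the seller, who keeps the original data set, can re-link the “anonymised” rows to names. The following Python script is an added example (not the author’s code and not taken from any guidance) that runs such a check on a constructed employee extract. The field names, the sample records and the quasi-identifier choices are invented for illustration; the measure used is the size of each record’s equivalence class (its k), the usual k-anonymity check.

```python
"""Redact direct identifiers from a small employee extract, then measure
how far the result is actually anonymous.  Added example, not part of
the article; the data and field names are constructed for illustration."""
from collections import Counter

# Constructed sample: the kind of extract a seller might put in a data room.
# Names, departments and figures are invented.
EMPLOYEES = [
    {"name": "A. Patel", "job_title": "Chief Executive", "department": "Board",
     "location": "London", "start_year": 1998, "salary_band": "E"},
    {"name": "B. Okafor", "job_title": "Sales Executive", "department": "Sales",
     "location": "London", "start_year": 2001, "salary_band": "B"},
    {"name": "C. Smith", "job_title": "Sales Executive", "department": "Sales",
     "location": "London", "start_year": 2001, "salary_band": "B"},
    {"name": "D. Jones", "job_title": "Sales Executive", "department": "Sales",
     "location": "London", "start_year": 2003, "salary_band": "B"},
    {"name": "E. Novak", "job_title": "Accountant", "department": "Finance",
     "location": "Leeds", "start_year": 2000, "salary_band": "C"},
    {"name": "F. Khan", "job_title": "Accountant", "department": "Finance",
     "location": "Leeds", "start_year": 2002, "salary_band": "C"},
    {"name": "G. Li", "job_title": "Systems Administrator", "department": "IT",
     "location": "London", "start_year": 1999, "salary_band": "C"},
    {"name": "H. Murphy", "job_title": "Systems Administrator", "department": "IT",
     "location": "London", "start_year": 1999, "salary_band": "C"},
]

# The direct identifiers the article suggests removing: names and job titles.
DIRECT_IDENTIFIERS = ("name", "job_title")


def redact(records, fields=DIRECT_IDENTIFIERS):
    """Return copies of the records with the direct identifiers stripped out."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]


def class_sizes(records, quasi_identifiers):
    """For each record, the number of records sharing its quasi-identifier values (its k)."""
    keys = [tuple(r[q] for q in quasi_identifiers) for r in records]
    counts = Counter(keys)
    return [counts[k] for k in keys]


def singletons(records, quasi_identifiers):
    """Indices of records unique on the quasi-identifiers (k == 1).  Anyone who
    knows those attributes about a person (e.g. that the only board member is
    London-based and on the top pay band) can pick that person's row out."""
    return [i for i, k in enumerate(class_sizes(records, quasi_identifiers)) if k == 1]


def generalise_year(records, width=5):
    """Coarsen start_year to a band (1998 -> 1995) so that equivalence classes grow."""
    return [dict(r, start_year=r["start_year"] // width * width) for r in records]


def relink(original, redacted, quasi_identifiers):
    """What a controller who kept the original set can do: map each redacted row
    back to a name wherever its quasi-identifier combination is unique in the original."""
    index = {}
    for r in original:
        index.setdefault(tuple(r[q] for q in quasi_identifiers), []).append(r["name"])
    result = {}
    for i, r in enumerate(redacted):
        names = index.get(tuple(r[q] for q in quasi_identifiers), [])
        if len(names) == 1:
            result[i] = names[0]
    return result


if __name__ == "__main__":
    coarse = ("department", "location", "salary_band")
    fine = coarse + ("start_year",)
    redacted = redact(EMPLOYEES)
    print("unique on coarse attributes:", singletons(redacted, coarse))
    print("unique on fine attributes:  ", singletons(redacted, fine))
    print("after banding start_year:   ", singletons(generalise_year(redacted), fine))
    print("re-linkable by the seller:  ", relink(EMPLOYEES, redacted, fine))
```

On this constructed extract the chief executive stays unique whichever attributes are released and however the start year is banded, which is the “senior management” case the text describes; the other singletons disappear once the start year is coarsened. The relink step shows why the Information Commissioner’s view that the data remain personal data in the seller’s hands is not a technicality: with the original set to hand, every unique row maps straight back to a name.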
E. Sensitive personal data
The Data Protection Act imposes stricter
obligations in relation to sensitive personal data
such as health or sickness records. In practice, the
Data Protection Act usually only permits the
disclosure of sensitive personal data:
• With the explicit consent of the relevant data subject; or
• Where the disclosure is necessary for the purposes of establishing, exercising or defending legal rights (for example, where the seller is legally obliged to disclose the information).
There are other conditions but they are
unlikely to apply here.
There may be limited circumstances in which
there is a legal obligation on, for example, the
seller of a business to disclose personal
information to a buyer. However, this is unlikely
to apply in the context of, for example, a due
diligence exercise. Again, it will be highly
unattractive to obtain the explicit consent of
individual data subjects to the disclosure of their
sensitive personal data. One possible alternative
solution is to anonymise the sensitive personal
data or, indeed, to consider whether disclosure is
strictly required. For example, does a prospective
buyer of the business really need to have full access
to all health/sickness records for the purposes of
its due diligence? If not, then they should not
form part of this exercise.
F. Leveraging the customer database
Once the due diligence is over and the deal
proceeds to completion, the buyer will want to
integrate the seller’s CRM database with its own.
After all, customer databases are often a key driver
for merger and acquisition activity. In order to do
this (and, indeed, in order to establish the value of
a CRM database as part of due diligence) buyers
need to undertake a careful data protection audit
of any legacy mailing lists and CRM databases.
Guidance published by the Information
Commissioner (and tucked away in some website
FAQs dated 26th June 2001) establishes the
following points:
• So long as individuals were not led to believe that their data would never be disclosed, the new owner in effect takes over the existing business and can continue to use the personal data in substantially the same way as previously;
• Individuals should be told of the change of ownership and have an opportunity to object to the new owner holding their details;
• Information should not be disclosed to, for example, a buyer, where the relevant individuals had previously been assured that their personal information would not be disclosed;
• If the buyer of a business wants to use personal information for markedly different purposes than for the purposes for which it was originally collected, this will require refresher consents from the relevant individuals.
It is therefore of crucial importance that the
buyer of a business undertakes an audit, as part of
its due diligence, of, for example, customer
information held by the seller, the way in which
this information was collected and the scope of
existing consents. If existing consents do not cover
intended direct marketing activities and/or data
sharing, this may impact the value of the database
and therefore the overall price.
The above rules are of particular significance
in the context of business sales/purchases. In the
case of share sales/purchases, it may be that the
same data controller will continue to use the same
database going forward and so, in principle, there
is no disclosure of personal data from one entity
to another. However, in practice, many share deals
envisage the transfer of assets (including customer
database) from the target company to another
group company and/or leveraging the customer
database across the buyer’s group which therefore
involves a disclosure of personal data to other
buyer group companies.
G. Data protection breach – is it worth the risk?
In a word, “No”. A breach of any provision of the
Data Protection Act will expose a data controller
to enforcement action by the Information
Commissioner. The Commissioner may issue an
Enforcement Notice (requiring the data controller
to do or not do certain things so as to ensure
compliance with the Data Protection Act). Breach
of an Enforcement Notice is a criminal offence for
which the data controller is liable. This may also
expose directors, managers and other officers of
the data controller to personal liability. If
individuals suffer damage (or damage and
distress), they may claim compensation from the
data controller. In addition, data controllers
should be aware of the reputational risk of being
prosecuted under the Data Protection Act or of
adverse publicity in the press.
Different enforcement regimes will also apply
in different member states of the European Union.
Other Commissioners may take a more proactive
approach to enforcement than in the UK – for
example, the Spanish authorities are funded by the
fines they impose for data protection breaches: an
obvious incentive to prosecute!
H. Notification
All processing of personal data in the UK must be
notified to the Information Commissioner. This
involves completing a form so as to describe, in
broad terms, the processing of personal data
undertaken by the relevant data controller. Any
processing of personal data without or outside the
parameters of a notification entry is a strict
liability criminal offence which, again, exposes
directors, managers and other officers to personal
liability. Notification entries should be checked
and, if necessary, updated prior to the disclosure of
information as part of a due diligence exercise or
on completion of the sale of a business. In the case
of share sales, it may not be necessary to update
the notification entry if the identity of the data
controller has not changed. Nevertheless, the
notification entry should be checked to ensure it
remains accurate.
I. Conclusion
The Data Protection Act imposes rigid
requirements on the way in which personal
information can be used and disclosed. These rules
do not always lend themselves to the practical
reality of a due diligence exercise or the sale of a
business. In practice, therefore, data controllers are
advised to undertake a data audit in order to
identify the risks sooner rather than later. These
risks can, to some extent, be managed by
anonymising the data and putting suitable
confidentiality agreements in place. Buyers of
businesses also need clarity on the ways in which
they can use CRM databases after completion
which, in turn, may impact the overall price. A
balance therefore has to be struck between the
strict requirements of the Data Protection Act and
the drivers for corporate and commercial
transactions.
Nick Graham, Report Correspondent, Senior
Solicitor Information and Privacy Group, Denton
Wilde Sapte, London
Email: [email protected]
FOOTNOTES
1 Sensitive personal data means personal data consisting of information as to the racial or ethnic origin of the data subject, his political opinions, his religious beliefs or beliefs of a similar nature, whether he is a member of a trade union, his physical or mental health or condition, his sexual life, the commission or alleged commission by him of any offence or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.