Privacy – Dangerous Territory


Warning 

Insolvency practitioners may be unwittingly exposing themselves and their colleagues to fines of up to $1,700,000.

That got your attention! Now what are we talking about?

The Privacy Act

Breaches of obligations under the Privacy Act 1988 (Cth) (the Privacy Act) can come at a heavy cost. Fines of up to $1.7 million for companies and $340,000 for individuals can be imposed. Other remedies such as the grant of injunctions to prevent disclosure of information are also available.

Based on the authors’ experience of day-to-day insolvency practice it seems likely to us that insolvency practitioners are regularly (and unwittingly) breaching their obligations under the Privacy Act. This article sets out why we have formed those views.

The common problem

Usually one of the first tasks undertaken on notification of a corporate appointment (whether as liquidator, administrator, receiver, etc.) is securing the books and records of the company. It is nearly always the case these days that some of the records are stored on a computer server.

Not infrequently (indeed we would suggest almost invariably) the server will contain or record emails sent and received. These emails will, again almost invariably, be emails concerning both the company and its business together with personal emails of the company’s directors and employees.

These emails could range from mundane questions about whether milk should be picked up on the way home through to highly confidential material, such as emails to the director’s accountant concerning the director’s personal tax affairs.

For the purpose of this article the nature of the information is largely unimportant.

The Privacy Act regulates dealings with ‘personal information’. Personal information has a very broad meaning under the Privacy Act. It is defined as:

Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true; and

(b) whether the information or opinion is recorded in material form or not

It is likely that at least some of the personal emails from or to employees or directors (and indeed any other individual who used the server) would constitute personal information within the meaning of the Privacy Act.

It is worth noting that the Privacy Act extends protection to the information of individuals. It does not apply to information of companies or other entities.

Insolvency practitioners regulated by the Privacy Act? 

The Privacy Act only regulates the use of personal information by ‘an APP entity’. An APP entity is defined as an agency or organisation. An organisation includes an individual, company or partnership that is not a small business operator. A small business operator is one with an annual turnover of $3 million or less.

The Privacy Commissioner has expressed the view to the authors that in dealing with an insolvency practitioner the relevant turnover would be that of the insolvency practitioner’s firm, company, partnership, etc., not the individual remuneration charged by the practitioner, whether in connection with a particular appointment or over the year.

It is probable then that the vast majority of the profession are subject to the Privacy Act.

Presuming that an insolvency practitioner is an APP entity, then they are required to deal with personal information in accordance with the Privacy Act.

How should the information be dealt with?

Perhaps it is a commonly held view (if it is thought about at all) that the Privacy Act does not apply because the insolvency practitioner did not collect or cause to be collected the private information. Surely it cannot be right, one would think, that a practitioner has obligations where information is voluntarily merged into or included on the company server by the owner of the information.

Such a view was expressed in one of the few cases decided in the area, although the authors do not agree the view is right. In Matthews v Clifton, White J commented:

“On its face, the voluntary disclosure by Mr and Mrs Scarce of their personal information to IWH and Scarce Builders, by their use of their company email accounts, appears not to answer the description of information ‘collected’ by those entities … given the absence of submissions by Counsel on this issue, I would prefer not to express a concluded view about this issue.”

In that case it appears the question of the applicability of the Privacy Act was raised very late in the proceedings and was not argued fully. It also appears, unfortunately, that the Court’s attention was not drawn to the fact that it was the insolvency practitioner who had inadvertently come into possession of the information rather than the company. Neither, it seems, was the Court’s attention drawn to Privacy Principle 4.

Privacy Principle 4 applies if:

  1. an APP entity [the insolvency practitioner] receives personal information; and
  2. the entity did not solicit the information.

Put simply, it seems Privacy Principle 4 applies to insolvency practitioners who receive personal information where it is intermingled with the company’s books and records or stored on the company’s server. In simple terms the practitioner receives the information without soliciting it.

What are the obligations?

If Privacy Principle 4 applies then the insolvency practitioner must, within a reasonable period of receiving the information, determine whether or not they could have collected the information under Privacy Principle 3.

Privacy Principle 3 provides that personal information must not be collected unless the information is reasonably necessary for one or more of the insolvency practitioner’s functions.

It may be that information concerning the director’s personal financial circumstances falls within this category. If, for instance, recovery proceedings are contemplated by a liquidator against a director, the director’s personal financial circumstances and ability to meet a judgment may be relevant and ‘reasonably necessary’ for one of the liquidator’s functions.

It is difficult however to contemplate that information in an email such as ‘Let’s not go to dinner in Cleveland Street – I don’t like Indian food’ could possibly be reasonably necessary for the liquidator’s functions. Equally if a receiver is appointed and is only selling company assets, the director’s tax return would not be reasonably necessary to the receiver’s functions.

Privacy Principle 3 goes on to provide that sensitive information (as defined) must not be collected unless it is necessary and the individual consents. If the individual uses the email system it could be argued they consent to disclosure to the company, but surely not that they consented to disclosure to the company’s liquidator.

For the purpose of this article it is enough to note that it seems highly probable that much of the personal information located on the server would not be information the insolvency practitioner would have been entitled to collect under Privacy Principle 3.

If however the practitioner would have been entitled to collect the information, the Principles go on to set out a range of obligations the practitioner would have with respect to dealing with the information.

If the insolvency practitioner would not have been entitled to collect the information, then Privacy Principle 4.3 provides that the practitioner must:

“…as soon as practicable, but only if it is lawful and reasonable to do so, destroy the information or ensure the information is de-identified.” 

The obligation to de-identify the information means effectively, to ensure that the individual in question cannot be identified by reference to the information.

The application

How does the insolvency practitioner deal with these obligations? Do they automatically seek an exemption from the Privacy Commissioner on being appointed? It is by no means clear such an exemption would be granted.

So should an early task for a practitioner upon receiving the books and records be to review them to determine whether personal information other than that of the company is contained in those records which should be destroyed or de-identified? Certainly the Act says that the practitioner has an obligation to undertake this task within a reasonable time of coming into possession of the books and records.

How does the practitioner know personal information has been received? Presumably the books and records are obtained as a matter of form, and once they are received, some review of them is undertaken. Often in the first instance however, the review is not undertaken by the insolvency practitioner. Presumably the insolvency practitioner will need to direct his or her staff and partners to be aware of these issues.

However, often the review is not of all books and records. An understandable focus is on financial issues. Should it be mandatory for all books and records to be inspected to determine whether private information other than that of the company is contained in them?

A receiver, having finished with the books and records for the purposes of the receivership, would ordinarily deliver them to the liquidator. Can the receiver hand over the books and records to the liquidator if the receiver knows they contain personal information? The answer to that question must be no. The receiver’s obligation is to destroy or de-identify the information.

Of course it is not a straightforward matter to ensure compliance with these obligations. There may be more than one server. There may be hundreds and thousands of emails.

Does the insolvency practitioner have an obligation to ensure all emails are reviewed? Should the insolvency practitioner write to the directors asking them to identify whether personal information is held on the servers? Do they have an obligation to do the same thing with respect to all employees (past and present)?

Who will pay the cost of dealing with these issues? (The creditors of course.)

What however is the situation if the practitioner is not possessed of sufficient money to undertake these tasks? Does that mean it is not ‘reasonable’ to require them to perform the review or to destroy or de-identify such information as they find?

Care needs to be exercised 

It may be that the time is coming where those issues will need to be considered and it may be that consultation is needed with the Privacy Commissioner to deal with what may prove to be unintended consequences of the Privacy Act.

In the meantime, the authors suggest this is an area in which care needs to be exercised.

The fines referred to earlier are the maximum that can be imposed for breaches of the Privacy Act. The authors do not suggest for a moment that the Privacy Commissioner would seek an order of such magnitude, nor that the Court would impose such substantial fines and penalties, for inadvertent breaches or breaches where practitioners had taken mitigating steps.

But we did get your attention by referring to them!

It does however seem to us that on its face the Privacy Act applies to many of the circumstances in which insolvency practitioners find themselves, and consideration should be given to the need to meet those obligations.

For more information please contact Simon Gallant.

Copyright Australian Insolvency Journal, article first appeared in the September 2015 issue, reproduced with permission.
