Insolvent companies often hold a large volume of personal data, such as customer lists or user data. Who is responsible for this information? Recently, the Irish High Court decided a case concerning the transfer of patient records from a private hospital in liquidation. The Court was asked to declare that upon transfer of patient records, the recipient, rather than the insolvent company or its liquidator, would be the "data controller" of the personal data in those records, meaning that the recipient, not the insolvent entity or liquidator, would be responsible for future compliance with data protection law.
The case is a useful reminder that the identity of a data controller is a matter of fact and not contractual drafting.
The case relates to the liquidation of the Mount Carmel Medical Group (the "Company"), which had operated a private maternity hospital in Dublin. As a result of its operations, the Company held a large number of hospital records. These records needed to be maintained for medical reasons. The liquidator proposed to transfer these records to St James's Hospital ("SJH"), a large public hospital, which would provide patient data management services. The liquidator asked the Court to clarify the impact of data protection law on this proposal.
In particular, the liquidator asked whether SJH:
- Would be the data controller of the data upon transfer of the records; and
- Could disclose the records to the liquidator, if the liquidator needed access to the records after the transfer.

The transfer concerned patient records, relating to approximately 118,000 patients and dating back to about 1946. In light of the potential for serious impact on data protection rights - given that much of the data is "sensitive personal data" - the Court notified the Data Protection Commissioner ("DPC"). However, the Court pointed out (as the DPC had acknowledged) that the DPC has no power to pre-authorise or approve such a transfer arrangement.
An unusual feature of the liquidation was that the Company was not likely to be fully wound down for 18-20 years. This was intended to take account of potential legal actions against the Company by persons born at the hospital who had not yet passed the age of 18.
Transfers of Data & Transfers of Obligations
The proposed contract between the parties stated that after transfer, the recipient, SJH, would become the data controller in respect of the records. Notably, there was no transfer...