Data protection in corporate insolvency: who is responsible?


24 Aug 2015

The insolvency of Mount Carmel Medical Group brought into question the data protection of 118,000 patients’ records. Medical records image via Micolas/Shutterstock

Insolvent companies often hold a large volume of personal data, such as customer lists or user data. Who is responsible for this information? Mason Hayes & Curran reports.

Recently, the Irish High Court decided a case concerning the transfer of patient records from a private hospital in liquidation. The court was asked to declare that, upon transfer of patient records, the recipient, rather than the insolvent company or its liquidator, would be the “data controller” of the personal data in those records. This means that the recipient, not the insolvent entity or liquidator, would be responsible for future compliance with data protection law.

The case is a useful reminder that the identity of a data controller is a matter of fact and not contractual drafting.

Mount Carmel

The case relates to the liquidation of the Mount Carmel Medical Group, which had operated a private maternity hospital in Dublin.

As a result of its operations, Mount Carmel held a wide number of hospital records, which needed to be maintained for medical reasons. The liquidator proposed to transfer these records to St James’s Hospital, a large public hospital in Dublin, which would provide patient data management services.

The liquidator asked the court to clarify the impact of data protection law on this proposal. In particular, the liquidator asked whether St James’s Hospital would be the data controller of the data upon transfer of the records; and if St James’s could disclose the records to the liquidator, if the liquidator needed access to the records after the transfer.

The transfer concerned patient records relating to approximately 118,000 patients and dating back to about 1946.

The transfer concerned patient records relating to approximately 118,000 patients

In light of the potential for serious impact on data protection rights – given that much of the data is sensitive personal data – the court notified the Data Protection Commissioner (DPC). However, the court pointed out (as the DPC had acknowledged) that the DPC has no power to pre-authorise or approve such a transfer arrangement.

A rather unique factor to the liquidation was the fact that Mount Carmel was not likely to be fully wound down for 18 to 20 years. This was aimed at taking account of potential legal actions against Mount Carmel by persons born at the hospital who had not yet passed the age of 18.

Transfers of data and transfers of obligations

The proposed contract between the parties stated that after transfer the recipient (St James’s Hospital) would become the data controller in respect of the records.

Notably, there was no transfer of a business under the contract but merely a transfer of personal data and the associated data protection law responsibilities.

The judge made clear that one shouldn’t give undue weight to the person who the contract designates as the data controller. Instead, the identity of the data controller is a question of fact. The emphasis must centre on who will, in reality, exercise control over the data.

Ultimately, the court considered it was inappropriate to exercise its discretion to make a declaration. The court weighed a number of factors, including:

  • That there was no precedent for making such a declaration
  • That it had concerns of overlapping jurisdiction with the DPC
  • The danger of limiting data subjects from taking future legal actions against the appropriate person

Implications of the Mount Carmel case

This case is an important reminder that, in general, it is the facts and circumstances, rather than the contract itself, which identify the data controller.

This case also provides clarity on the scope of the court’s role in making declarations regarding personal data. It is interesting to note that even where the DPC supported the court in making the declaration requested, the court declined to exercise its power.

Unfortunately, the case has failed to clarify where the legal obligations lie. The court’s reluctance to exercise its power means that neither the DPC nor the courts appear to be able to grant any sort of advance pre-approval for similar transactions.

Interestingly, it also appears to mark the first time that the far-reaching Google Spain decision has been cited by the Irish courts, as the court emphasised that the fundamental right to privacy must be weighed in such decisions. This reflects a growing trend across Europe to take account of such rights in the context of data protection.

For more on Google Spain, see our analysis here.

Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out www.mhc.ie for more.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.

Medical records image by Micolas via Shutterstock