Donate to Remove ads

Got a credit card? use our Credit Card & Finance Calculators

Thanks to ErroneousBee,GSVsowhat,Shelford,Hypster,Wasron, for Donating to support the site

Possible data breach (liquidator)

including wills and probate
yorkshirelad1
Lemon Slice
Posts: 342
Joined: October 5th, 2018, 1:40 pm
Has thanked: 75 times
Been thanked: 93 times

Possible data breach (liquidator)

#376368

Postby yorkshirelad1 » January 12th, 2021, 8:22 pm

I have stumbled across a possible data breach (by insolvency arm of a fairly well known professional services group acting as a liquidator, who themselves give advice on data protection) and I would like the TLF's/group's view on whether I should go straight to ICO, or I should report it to the organisation first (although having looked round their website, their Data Privacy contact is not easily findable.....). NO names at this point.

I had dealings/involvement (as a shareholder) in a liquidation several years ago, it took a while, but finally completed a couple of years ago. I am just doing a bit of record keeping, and I have found all the documents to download as pdf from the liquidator's website. I downloaded the two-page "Letter to Shareholders" to find that it was NOT just the template letter with Dear X at address Y, but it was a 1396 page document that was the output of the mailmerge sent to the printer with full name and address of approx 700 shareholders.

If it had been just my details, I would have had a quiet word with the company. But there are 700 shareholders who have had their details of their status as a shareholder put on the web, and it would be good to think that they were told. And the professional services group should be spoken to in no undertain terms (given that it's the sort of thing they dish out advice on themselves to other companies).

Should I go direct to ICO?
Or should I go to the professional services group?
My concern here is that if I go to the professional services group in the first instance, they may self-report to ICO but in a fairly anodyne way, hope it goes under ICO's radar, and the 700 shareholders may not get to hear about it, and it's personal and financial data....

johnhemming
Lemon Quarter
Posts: 4508
Joined: November 8th, 2016, 7:13 pm
Has thanked: 10 times
Been thanked: 541 times

Re: Possible data breach (liquidator)

#376369

Postby johnhemming » January 12th, 2021, 8:29 pm

I would not say I am 100% on this, but I think details of who the shareholders are and how many shares they hold is generally a matter of public record.

You can see this for an example company here:
https://find-and-update.company-informa ... ng-history

Whether there is any breach, therefore is not clear from this.

yorkshirelad1
Lemon Slice
Posts: 342
Joined: October 5th, 2018, 1:40 pm
Has thanked: 75 times
Been thanked: 93 times

Re: Possible data breach (liquidator)

#376395

Postby yorkshirelad1 » January 12th, 2021, 10:24 pm

johnhemming wrote:I would not say I am 100% on this, but I think details of who the shareholders are and how many shares they hold is generally a matter of public record.

You can see this for an example company here:
https://find-and-update.company-informa ... ng-history

Whether there is any breach, therefore is not clear from this.


Interesting point to bear in mind.
Yes, I believe company shareholder registers can be requested for the appropriate fee e.g.
https://www.stephens-scown.co.uk/corporate-commercial/who-is-entitled-to-view-a-companys-register-of-members/
Not quite public record, but available to a member of the public ....

johnhemming
Lemon Quarter
Posts: 4508
Joined: November 8th, 2016, 7:13 pm
Has thanked: 10 times
Been thanked: 541 times

Re: Possible data breach (liquidator)

#376436

Postby johnhemming » January 13th, 2021, 7:34 am

yorkshirelad1 wrote:Not quite public record, but available to a member of the public ....

If you look at my link above you will be able to download the confirmation statement which has the same information, but only once a year.

Obviously there are subtleties such as beneficial ownership for nominee accounts, but my own feeling is that what you refer to is not something I would initially think is a data breach. Hence you might be best asking the liquidators what their policy is on the issue rather than alleging to them that it is a data breach.

It may be the case, for example, that they are supposed to publish a list of shareholders as part of the process. I don't know.

Dod101
Lemon Half
Posts: 7283
Joined: October 10th, 2017, 11:33 am
Has thanked: 1731 times
Been thanked: 3023 times

Re: Possible data breach (liquidator)

#376447

Postby Dod101 » January 13th, 2021, 8:03 am

The Register of shareholders in public companies is a matter of public record So I think that the OP should just quietly forget this. He could always give the liquidators are call and see what they say of course.

Dod

yorkshirelad1
Lemon Slice
Posts: 342
Joined: October 5th, 2018, 1:40 pm
Has thanked: 75 times
Been thanked: 93 times

Re: Possible data breach (liquidator)

#376502

Postby yorkshirelad1 » January 13th, 2021, 10:24 am

Thank you for the sage advice: TLF always a useful soundingboard and fount of knowledge.
I think I'll send the liquidators an e-mail and ask if they really meant to put the full pdf (with ~700 names and address) or just one "template" letter.
It may be that it's some sort of obligation to post details, and a shareholder list is public domain, but perhaps the list shouldn't be too easily accessible IMHO (all organisations have a duty to safeguard personal data).
I'm just glad my holdings are now mostly in a nominee (I know nominees are unpopular in the main, but there are a couple of advantages, this situation being one of them).

mc2fool
Lemon Quarter
Posts: 2368
Joined: November 4th, 2016, 11:24 am
Has thanked: 6 times
Been thanked: 734 times

Re: Possible data breach (liquidator)

#376566

Postby mc2fool » January 13th, 2021, 12:31 pm

johnhemming wrote:I would not say I am 100% on this, but I think details of who the shareholders are and how many shares they hold is generally a matter of public record.

You can see this for an example company here:
https://find-and-update.company-informa ... ng-history.

Dod101 wrote:The Register of shareholders in public companies is a matter of public record.

Methinks being a matter of public record in the sense that anyone can turn up at a company's HQ and ask to see a copy of the register of members (shareholders) -- paying any fee that is required by the company to do so and specifying their purpose for wanting to see it, with the company being able to refuse if they consider it an "improper" purpose -- which is what is legally required, is a tad different from putting the list up on a public website!

The example linked to isn't appropriate for this case, 'cos a company does not have to provide Companies House with the list of its members, only those with "significant control" (obviously with a company with only one shareholder, as linked to, that shareholder has significant control).

yorkshirelad1 wrote:Should I go direct to ICO?

I've found that if you call the ICO they are (at least, were, in pre covid days) happy to informally chat over potential cases without opening a formal complaint, so I'd say give them a call and do so.

johnhemming
Lemon Quarter
Posts: 4508
Joined: November 8th, 2016, 7:13 pm
Has thanked: 10 times
Been thanked: 541 times

Re: Possible data breach (liquidator)

#376571

Postby johnhemming » January 13th, 2021, 12:53 pm

mc2fool wrote:The example linked to isn't appropriate for this case, 'cos a company does not have to provide Companies House with the list of its members, only those with "significant control" (obviously with a company with only one shareholder, as linked to, that shareholder has significant control).

My understanding is that the confirmation statement includes Shareholder Information which includes having a list of shareholders.

mc2fool
Lemon Quarter
Posts: 2368
Joined: November 4th, 2016, 11:24 am
Has thanked: 6 times
Been thanked: 734 times

Re: Possible data breach (liquidator)

#376576

Postby mc2fool » January 13th, 2021, 1:17 pm

johnhemming wrote:
mc2fool wrote:The example linked to isn't appropriate for this case, 'cos a company does not have to provide Companies House with the list of its members, only those with "significant control" (obviously with a company with only one shareholder, as linked to, that shareholder has significant control).

My understanding is that the confirmation statement includes Shareholder Information which includes having a list of shareholders.

The confirmation statement is (usually) just a very brief document confirming that none of the details companies house has on record have changed.

E.g. go take a look at the latest one for Unilever. https://find-and-update.company-information.service.gov.uk/company/00041424/filing-history

I think you'll be able to figure from the fact that it's only 3 pages that it doesn't have a list of Unilever's shareholders, without even actually looking at it. ;)

But if you still think that the list of shareholders of a company is widely and freely available, and public beyond as I described previously, then your challenge is to find us a list of Unilever shareholders (that don't have "significant control") ... :D

P.S. Here's another company where the confirmation statement doesn't have any shareholder information. https://find-and-update.company-information.service.gov.uk/company/11540441/filing-history :D :D

johnhemming
Lemon Quarter
Posts: 4508
Joined: November 8th, 2016, 7:13 pm
Has thanked: 10 times
Been thanked: 541 times

Re: Possible data breach (liquidator)

#376582

Postby johnhemming » January 13th, 2021, 1:39 pm

mc2fool wrote:I think you'll be able to figure from the fact that it's only 3 pages that it doesn't have a list of Unilever's shareholders, without even actually looking at it. ;)

But if you still think that the list of shareholders of a company is widely and freely available, and public beyond as I described previously, then your challenge is to find us a list of Unilever shareholders (that don't have "significant control") ... :D

P.S. Here's another company where the confirmation statement doesn't have any shareholder information. https://find-and-update.company-information.service.gov.uk/company/11540441/filing-history :D :D


That is all true, but if you look at that example you will see that the shareholders list is available with the incorporation documents and because the shareholders have not changed the confirmation statement does not have any changes.

For this company
https://find-and-update.company-informa ... y/07728574

You will see that the confirmation statement has changes to shareholdings and that there are details of additional shares issued.

I accept that the situation is different for listed companies.

Looking at this
https://www.gov.uk/government/publicati ... -registers

There remains the alternative of having statutory registers open to inspection.

AJC5001
Lemon Slice
Posts: 275
Joined: November 4th, 2016, 4:55 pm
Has thanked: 86 times
Been thanked: 66 times

Re: Possible data breach (liquidator)

#376638

Postby AJC5001 » January 13th, 2021, 4:08 pm

yorkshirelad1 wrote:I have stumbled across a possible data breach (by insolvency arm of a fairly well known professional services group acting as a liquidator, who themselves give advice on data protection) and I would like the TLF's/group's view on whether I should go straight to ICO, or I should report it to the organisation first (although having looked round their website, their Data Privacy contact is not easily findable.....). NO names at this point.

I had dealings/involvement (as a shareholder) in a liquidation several years ago, it took a while, but finally completed a couple of years ago. I am just doing a bit of record keeping, and I have found all the documents to download as pdf from the liquidator's website. I downloaded the two-page "Letter to Shareholders" to find that it was NOT just the template letter with Dear X at address Y, but it was a 1396 page document that was the output of the mailmerge sent to the printer with full name and address of approx 700 shareholders.


Is it possible to find another example of a Letter to Shareholders for another company that this professional services group has handled liquidation for?

This would show if this is a one-off or a normal state of affairs.

Adrian

scrumpyjack
Lemon Quarter
Posts: 1568
Joined: November 4th, 2016, 10:15 am
Has thanked: 119 times
Been thanked: 676 times

Re: Possible data breach (liquidator)

#376648

Postby scrumpyjack » January 13th, 2021, 4:20 pm

Every public company must maintain a share register which is open to inspection by members (free) and by anyone else (can be charged a fee).
This discusses it

https://www.stephens-scown.co.uk/corpor ... f-members/

Whether the register is at Companies House or at the company's registered address does not, I think, alter it being a public document. But there do seem to be some legal limits on access as per the above link

mc2fool
Lemon Quarter
Posts: 2368
Joined: November 4th, 2016, 11:24 am
Has thanked: 6 times
Been thanked: 734 times

Re: Possible data breach (liquidator)

#376682

Postby mc2fool » January 13th, 2021, 5:32 pm

johnhemming wrote:https://find-and-update.company-information.service.gov.uk/company/07728574

You will see that the confirmation statement has changes to shareholdings and that there are details of additional shares issued.

Names, but no addresses. Have the addresses of the other shareholders (presumably family) also been published publicly anywhere? The OP does say their names and addresses have been published in the suspected data breach.

Looking at this
https://www.gov.uk/government/publicati ... -registers

There remains the alternative of having statutory registers open to inspection.

Hmmm....things have changed a little since I last knew. :D But making the register fully public (rather than just "available for inspection") is a choice, and there do seem to be conditions. And I'm puzzled by the condition in section 2 that says the public register doesn't apply "to a company whose shares are not traded on a regulated market", given that the whole matter applies only to private companies. :?

The OP didn't say if this is a private or public company, but it seems to me that the first thing the OP should do is have a dig through the company's CoHo listing to see if the register of shareholders was already published....

johnhemming
Lemon Quarter
Posts: 4508
Joined: November 8th, 2016, 7:13 pm
Has thanked: 10 times
Been thanked: 541 times

Re: Possible data breach (liquidator)

#376695

Postby johnhemming » January 13th, 2021, 6:04 pm

mc2fool wrote:Names, but no addresses.


True. I think if you inspect the register you get the addresses as well, but I am not 100% on this.

mc2fool
Lemon Quarter
Posts: 2368
Joined: November 4th, 2016, 11:24 am
Has thanked: 6 times
Been thanked: 734 times

Re: Possible data breach (liquidator)

#376703

Postby mc2fool » January 13th, 2021, 6:21 pm

johnhemming wrote:
mc2fool wrote:Names, but no addresses.

True. I think if you inspect the register you get the addresses as well, but I am not 100% on this.

Yes, you do, but the availability of that is the point of the discussion, isn't it? Is the register publicly available in a totally unrestricted manner (e.g. up on an open website), or is it just available for inspection if Joe Public pays a fee and specifies an acceptable "proper" purpose? From your previous link it looks like it could be the former, although I'll bet that for most it's the latter. Whether it was for this particular case is currently unknown....

johnhemming
Lemon Quarter
Posts: 4508
Joined: November 8th, 2016, 7:13 pm
Has thanked: 10 times
Been thanked: 541 times

Re: Possible data breach (liquidator)

#376712

Postby johnhemming » January 13th, 2021, 6:41 pm

mc2fool wrote:Whether it was for this particular case is currently unknown....

I might ask the liquidator what is going on rather than say that there definitely is a data breach.

mc2fool
Lemon Quarter
Posts: 2368
Joined: November 4th, 2016, 11:24 am
Has thanked: 6 times
Been thanked: 734 times

Re: Possible data breach (liquidator)

#376713

Postby mc2fool » January 13th, 2021, 6:46 pm

johnhemming wrote:
mc2fool wrote:Whether it was for this particular case is currently unknown....

I might ask the liquidator what is going on rather than say that there definitely is a data breach.

Nobody has said there definitely is a data breach. It too is currently unknown ... and is the point of this thread! :D

yorkshirelad1
Lemon Slice
Posts: 342
Joined: October 5th, 2018, 1:40 pm
Has thanked: 75 times
Been thanked: 93 times

Re: Possible data breach (liquidator)

#377574

Postby yorkshirelad1 » January 15th, 2021, 5:35 pm

yorkshirelad1 wrote:I have stumbled across a possible data breach (by insolvency arm of a fairly well known professional services group acting as a liquidator, who themselves give advice on data protection) and I would like the TLF's/group's view on whether I should go straight to ICO, or I should report it to the organisation first (although having looked round their website, their Data Privacy contact is not easily findable.....). NO names at this point.

(snip)


The liquidation was of a listed investment trust/company.
I e-mailed the liquidator's contact and had a swift and helpful reply (as below). Good outcome all round.
I didn't contact ICO and the liquidators didn't seem to think any further actions necessary.

Liquidator wrote:Thank you for your email raising your concerns around documents held on our website in relation to the above company.
Whilst we would usually post copies of reports and details of any communications to our Insolvency Portal, we would not generally post an entire mail merge document.
We have, therefore, removed the additional address letters from our Portal.
As you have acknowledged, address details for Shareholders in a Plc are available in the public domain. We have assessed the potential risk with our Data Privacy Team who have advised that no further action is required.
Many thanks again for raising this with us.


Return to “Legal Issues (Practical)”

Who is online

Users browsing this forum: No registered users and 9 guests