In this note, we will focus on some of the key legal and practical considerations that a retiring trustee should take into account before it transfers information on the trust, its interested parties and the underlying beneficiaries to third parties on a change of trusteeship.
WHAT INFORMATION DO YOU HOLD AS TRUSTEE?
By virtue of their office and the nature of their fiduciary duties, trustees invariably hold an array of personal and sensitive information relating to the trusts they administer. This ranges from business sensitive information (which might include information concerning the affairs of corporate structures held within the trust fund) to personal information on the beneficiaries, the settlor and other individuals (such as names, birth dates, family relationships and relations, personal preferences, personal financial circumstances to name but a few).
WHAT ARE YOUR DUTIES REGARDING SUCH INFORMATION?
Trustees hold such information subject to a duty of confidentiality. The ability to disclose such information to interested parties under the trust and specifically to beneficiaries and the rights of beneficiaries to access such information, has been the subject of many Court cases and extensive academic discourse. Generally, the right of beneficiaries to obtain such information is restricted and limited to disclosure of trust documents, trust accounts and information relating to the administration of the trust fund. Personal information held by the trustee is treated as held in confidence and the duty of confidence generally takes precedence over the right to information.
Trustees must also be mindful of their responsibilities under applicable data protection legislation relating to any personal data that they hold. Where a jurisdiction has modelled its data protection law off Europe's GDPR (as is the case in the Bailiwicks of Jersey and Guernsey), trustees will be considered to be data controllers of that information as they determine the means and purposes (i.e. the "why" and "how") of the processing.
As data controllers, trustees will not only be subject to a number of wide-ranging obligations under the data protection law but, in addition to reputational risk, they will also be primarily liable for any breaches thereof including the risk of administrative fines as well as civil claims issued by aggrieved data subjects.
Any information relating to an identified or identifiable natural person is personal data for the purposes of the data protection regime some of which are held to a higher standard than others. For example, personal data relating to a person's health, religious beliefs, political opinions or, in some circumstances, criminal data could all fall within scope of the definition of "special category data".
WHAT SHOULD A RETIRING TRUSTEE CONSIDER BEFORE HANDING OVER INFORMATION TO A SUCCESSOR TRUSTEE?
Whilst there has been a great deal of discussion concerning the rights that beneficiaries have to access their personal data from a trusts perspective (see our Data Protection and Subject Access - a changing landscape article), far less has been written regarding a retiring trustee's obligations at the end of a trusteeship.
It is generally the obligation of a retiring or removed trustee to surrender and transfer all trust property held by or vested in the trustee, to the successor trustee. The successor trustee, once appointed and receiving trust property, as well as information relating to the trust and its interested parties, will be subject to the same duties of confidentiality as the retiring trustee.
Where we are concerned is when information is provided to the successor trustee before the appointment is effected. How then does an outgoing trustee deal with disclosure requests from a potential successor trustee which is in the process of considering whether or not to accept the trusteeship of the trust?
Sometimes the prospective successor trustee will have received sufficient information from the beneficiaries to enable it to decide whether or not to take on the trusteeship but often the successor trustee will approach the retiring trustee for information, not only on the formal trust documentation, but also to see documents such as the trust accounts, reports, correspondence, trustee resolutions and due diligence information held by the retiring trustee. When requesting access to such information and documentation, the prospective successor trustee is a third party to the trust and generally third parties have no right to access such information. Can the retiring trustee therefore disclose such information, much of which would be confidential and/or protected under Data Protection law?
WE SHALL EXAMINE EACH OF THESE DUTIES BELOW.
1. Duty of confidentiality
Although the duty of confidentiality is not absolute, as a general rule the disclosure of confidential information to a third party can only be justified if that disclosure is authorised or necessary and made to protect the legitimate interests of the beneficiaries and even then the disclosing party needs to ensure that the confidentiality of the information remains protected. In the context of trusts, unless the trustee has express or implied consent to make disclosure or unless disclosure is reasonably necessary for the protection of the trustee's own interest (see Guernsey Court of Appeal In re B 35/2012) disclosure of confidential information can only be justified if the disclosure is in the interests of the beneficiaries. Where a trustee retires or is removed it is (other than in exceptional cases) undoubtedly in the interest of the beneficiaries that a successor trustee be appointed. From the prospective successor trustee's perspective, it will want to know as much as possible about the affairs of the trust to enable it to take an informed decision whether or not to accept the trusteeship.
The outgoing trustee should also, especially if it has the power to determine who the successor trustee should be, consider whether the prospective successor is an appropriate successor. It should not be disclosing any information at all to a third party if it is not satisfied that the third party would, if willing to accept the trusteeship, be an appropriate successor trustee.
The retiring trustee would be well advised to ensure that the confidentiality of any confidential information provided to the prospective trustee will be protected by entering into a Confidentiality Agreement with the prospective trustee before either handing over or granting access to such information. Granting access to review documentation may be preferable to providing copies of documentation but may not always be achievable in practice. Confidentiality Agreements should contain provisions restricting access to and further disclosure of information, bind the recipient to indefinite confidentiality undertakings and oblige the recipient to return all the information and documents received unless the recipient thereafter accepts the trusteeship. Should the recipient accept the trusteeship, it would be bound by general Trust Law duties of confidentiality.
2. Complying with data protection obligations
How does the retiring trustee however ensure that it remains compliant with its obligations as data controller under General Data Protection Regulation ("GDPR")?
For the purposes of the GDPR, the first point to be made is that the prospective successor trustee would also be a data controller as it would not be processing the information received on behalf of the retiring trustee but would, in order to assess whether or not to assume the trusteeship, determine the purposes for which it will process the data and the means of processing.
The disclosure of personal data from one controller to another constitutes processing for the purposes of the data protection regime. Whilst neither the GDPR nor Jersey and/or Guernsey's respective data protection laws mandate that the disclosing party and receiving party enter into contractual arrangements governing the proposed transfer, the Code of Practice on Data Sharing issued by the UK's Information Commissioner's Office (ICO) - which is considered to be persuasive authority in the Channel Islands - sets out best practice guidance for controllers to consider before sharing personal data (either on a one-off or regular basis).
BEST PRACTICE GUIDANCE - DATA PROTECTION
The Code of Practice sets out in expansive detail how a data controller should approach data sharing, what to consider and how to comply with the law. This note is not intended as a detailed analysis of all the guidance and processes of the Code but rather to alert trustees of the need to be aware of the legal requirement to comply with the data protection principles when requested to disclose personal data to prospective successor trustees. It is, for example, regarded as good practice to conduct a Data Protection Impact Assessment ("DPIA") before deciding whether or not to transfer or share personal data. A DPIA assist in in assessing any risks that may arise should a trustee as data controller share such data and how the trustee could mitigate these risks. Whilst conducting a DPIA is only a legal requirement where the processing is considered to be "high-risk", assessing these risks as part of a DPIA will help a controller to demonstrate to a regulator, if challenged, that it has considered (and where appropriate) discounted risks associated with the transfer. When assessing risk, the DPIA will invite the controller to take into account factors such as the nature and sensitivity of the data concerned (including whether it falls within the scope of 'special category data'), jurisdictional risk and security issues. Trustees should also be careful to establish where the personal data is going. For example, under Guernsey and Jersey's data protection laws, a controller is prohibited from sending personal data to a recipient who is based in a jurisdiction which has not received an adequacy decision by the European Commission or is otherwise outside the UK or the European Economic Area (EEA) unless appropriate safeguards are in place. Whilst the GDPR identifies examples of "appropriate safeguards" (which include Standard Contractual Clauses approved by the European Commission), recent case law and European guidance has raised the bar - imposing additional burdens on controllers seeking to export data outside of Europe (see our article on The data transfer challenge: Schrems II and the Channel Islands).
It is also regarded as good practice to enter into a Data Sharing Agreement with the prospective successor trustee. Such an agreement will evidence the trustee's compliance with the data protection accountability principle, the purpose for which the data is shared, what the data may be used for, set out the standards to be adhered to protect the data, record who will be responsible for complying with a data subject requests and should record the prospective successor trustee's obligations regarding the data should it either decide to accept the trusteeship or, alternatively decide to do so. Trustees need to be mindful of these issues especially in circumstances where a change of trustee is anticipated and they may be asked to disclose personal data to, what in effect is a third party or stranger to the trust.
Furthermore, an outgoing trustee's data protection obligations do not cease once a successor trustee has been appointed and the final transfer of assets has been effected. To the extent that the outgoing trustee has an obligation to retain trust information (including personal data) in accordance with its data retention obligations, then it must continue to do so in accordance with the data protection regime. These obligations will persist for so long as the outgoing trustee retains this information.
With increased regulatory enforcement action being taken for breaches of the data protection regime and the risk of civil claims for breach of confidentiality and data protection, it is clear that any form of disclosure by a trustee to a third party should trigger some form of assessment of the substantive legal risks. This assessment, however, will be fact and context specific. Whilst the public has been (traditionally) quite complacent when it comes to divulging their personal details on an online social media platform, in a professional or trusts context, the implications of divulging such details can be far more serious. When taking into consideration the risks associated with the sharing of information, all organisations should have proper regard to their duties under the law as well as the potential wider ramifications following a breach not only to regulatory sanction and possible claims but also to their reputation. This is particularly important in the context of the trust industry where high net worth clients highly value their confidentiality and are willing to go to great lengths to ensure its preservation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.