top of page

Data access and your Obligations in a liquidation

Below is a practical, Australia‑specific overview of the legal obligations relating to data access in a liquidation, grounded in the Corporations Act 2001 (Cth), the Privacy Act 1988 (Cth) and current ASIC guidance. I’ve framed this in the way insolvency practitioners, directors, IT providers and advisers usually need to understand it in practice.

1. Core principle: control of data shifts to the liquidator

 

Once a company enters liquidation, the liquidator becomes the person legally entitled to control and access the company’s data (both physical and electronic) for the purpose of administering the winding‑up.

Under the Corporations Act 2001, data is treated as part of the company’s “books and records”, which explicitly includes electronic records and databases. 

This means:

  • Email systems

  • Accounting platforms (Xero, MYOB, etc.)

  • CRM systems

  • Cloud file storage (SharePoint, OneDrive, Google Drive)

  • Domain‑related records and hosting data

  • are all within scope.

2. Obligation on directors, officers and third parties to provide access
Statutory duty to assist the liquidator

Sections 530A and 530B of the Corporations Act impose a positive legal obligation on:

  • Directors

  • Former officers

  • Employees

  • Accountants

  • IT providers

  • Cloud and software custodians to deliver up company books and records and not obstruct access.

  • Refusing or delaying access is an offence of strict liability

  • The obligation applies even if the data is held by a third party

  • “Books” includes source data and system access, not just exported reports

  • ASIC can intervene and commence enforcement action if access is denied. [asic.gov.au]

3. Electronic data and system access

Australian courts and ASIC treat electronic access as functionally equivalent to physical possession.

This means:

  • Liquidators are entitled to administrator‑level access where necessary

  • Providing “read‑only” access may be insufficient if it prevents investigation or asset realisation

  • Passwords, MFA resets, and tenant access may be lawfully compelled

  • This is reinforced by ASIC guidance on obtaining books and records in the possession of officers or third parties. [asic.gov.au]

4. Privacy law does not prevent access by a liquidator

A common misconception is that the Privacy Act 1988 (Cth) prevents liquidators from accessing personal data.

In fact:

  • Liquidators step into the shoes of the company

  • Access and use of personal information is generally permitted under the “required or authorised by law” exception in APP 6 when exercising statutory duties

However, liquidators must still:

  • Limit use of personal information to liquidation purposes

  • Secure data appropriately

  • Avoid unnecessary disclosure

  • Liquidators who mishandle personal data can still breach the Privacy Act, even though access itself is lawful. 

5. Limits: legal professional privilege and third‑party ownership

Some documents may be protected by legal professional privilege, but:

  • Privilege belongs to the company (now controlled by the liquidator)

  • Directors generally cannot assert privilege to block access

  • ASIC confirms privilege issues must be addressed carefully but do not negate access rights.

Third‑party owned data

If data genuinely belongs to a third party (e.g. an external adviser’s internal working papers):

  • The liquidator is entitled to inspect company‑owned data

  • Adviser working papers may be excluded if clearly distinct and proprietary

6. Creditors’ access to data (not automatic)

Creditors do not have a general right to inspect all company data.

Under s70‑45 of the Insolvency Practice Schedule, creditors may request information, but the liquidator may refuse if:

  • The request is not relevant

  • Disclosure would breach duties

  • It is unreasonable to comply

  • This distinction is critical when dealing with sensitive customer or employee data.

7. Data retention obligations

Liquidators must retain company books and records for at least five years after the end of external administration or deregistration, unless ASIC consents to earlier destruction.

This includes:

  • Electronic backups

  • Email archives

  • Accounting data exports

8. Practical implications for IT providers and MSPs

For IT providers supporting companies in liquidation:

  • Access must be provided on instruction of the liquidator

  • Continuing to take directions from former directors may be unlawful

  • Failure to assist can expose providers to criminal liability

  • ASIC explicitly recognises third‑party custodians as subject to these obligations.

9. Summary table

liq-table.png

Direct Support Au

Contact us:
+61 403 888 884
helpdesk@directsupportau.com
120 Sussex Street,
Sydney, NSW 2000

Subscribe to Our Newsletter

Follow Us On:

  • LinkedIn
  • Facebook
  • Twitter

© 2023 by Direct Support Au. All rights reserved.

bottom of page