The Information Commissioner's Office (ICO) has now published useful guidance on the issue.
Since TUPE requires that employee liability information is provided, the DPA permits the disclosure because it is required by law.
However, both parties must still comply with general data protection principles when handling such information. This means that the information must be anonymous or have obvious identifiers removed.
Alternatively, appropriate safeguards should be put in place, such as an undertaking to use the information only in connection with the transfer and to return or destroy it if the transfer does not proceed.
A copy of the full guidance can be found here. It should also be remembered that not all transfers are TUPE transfers, so there may still be DPA issues where a business is acquired by (say) a share transfer.
Sarah Rushton (firstname.lastname@example.org)
This is intended for general information only and should not be considered as giving advice in relation to any individual case nor be taken as applying to any particular case. No liability is accepted for any such use of the information.