Data Protection – What You Need to Know

Data Protection – Everything You Need to Know But Were Afraid to Ask

“We thought digital was the new oil, but discovered it is also the new asbestos” – Christopher Graham, former Information Commissioner, 2016.

The protection of personal data has become a critical risk area for businesses, not-for-profits and charities. The regulator, the Information Commissioner’s Office (ICO), is taking a tougher stance on enforcement of the rules. A series of high profile incidents have heightened public concern about privacy and the misuse of personal information. Now organisations will need to prepare for even more stringent rules: in spite of Brexit, the new EU-wide General Data Protection Regulation (GDPR) will still come into force on 25 May 2018.

What should we already be doing?

The existing rules on data protection cover the collection, storage and processing of personal data about individuals. They give individuals a right to request data held by organisations (a “subject access request”) and the right to correct errors. They also create offences where data is lost or stolen due to ineffective security or carelessness – which can lead to significant fines. Particular care must also be taken around marketing activities where contact is made with prospects, supporters, donors or service users. The general principle is that you must have the consent of the person you are contacting before sending them a communication. When you collect information on a paper form or via a website, or over the phone, you must tell people in a ‘privacy notice’ why you are collecting the information, what it will be used for and who it may be shared with. They must be given the option to specifically ‘opt in’ to different types of marketing communications by ticking a box. Pre-ticked boxes are not allowed. The reputational and financial risks of getting it wrong can be very serious. In 2014, the organisers of Park Life Festival were fined £70,000 by the ICO for sending unsolicited and inappropriate marketing text messages. In December 2016, the ICO announced fines for the RSPCA (£25,000) and British Heart Foundation (£18,000) over the inappropriate handling and sharing of donors’ personal information without permission.

The current rules

The Data Protection Act 1998 governs the holding and processing of personal data. ‘Personal data’ means any information which identifies any living individual, whether in digital form, on disk or on USB sticks, and includes photos, video and sound recordings. ‘Processing’ personal data means obtaining, recording or holding the information on computer systems, in the cloud or in a paper filing system. More stringent rules apply to ‘sensitive personal data’, which includes information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, and details of any offences committed or alleged.

Businesses and charities routinely handle the personal information of employees, volunteers, service users, and suppliers. It is therefore very likely that these activities will be caught by the provisions of the Act. A ‘data controller’ is a person or entity that determines the purposes for which personal data is processed. They may also be processing the data. A ‘data processor’ is usually, but not always, a service provider who handles the data but doesn’t control it. Under the current law, the legal responsibility for compliance falls directly on the data controller and not on the data processor. If you are a ‘data controller’ under the Act and fail to register your organisation with the Information Commissioner, you can be fined.

The Act says that all personal data must be:

  • Fairly and lawfully processed (i.e. you must be transparent with individuals about what you’re doing with their data and why, you must have a lawful basis for collecting and processing the information and you process it in a way that individuals would reasonably expect);
  • Processed for specified purposes only (i.e. you must tell people why you are collecting data and what it will be used for from the outset and not then use it for other purposes);
  • Adequate, relevant and not excessive;
  • Accurate and, where necessary, kept up to date (you have a positive duty to keep the information up to date and correct any errors);
  • Not kept for longer than is necessary (so employment applications, CVs etc should be securely destroyed after a reasonable period);
  • Processed in line with the rights of the individual;
  • Kept secure (i.e. employ reasonable security precautions); and
  • Not transferred to countries outside the European Economic Area, unless the information is adequately protected. Care must be taken if any of your data is stored on cloud based servers in the United States or other countries which do not have a ‘safe harbour’ arrangement in place (e.g. via cloud based accounting, HR or CRM systems). Some transfers are still permitted, e.g. if the individual specifically consents, or if there is a suitable contract in place with the data handler to protect the data.

Non-compliance can result in an enforcement notice preventing a business from processing data, effectively preventing many businesses from operating, together with significant fines up to £500,000. Managers and directors can also be prosecuted personally for non-compliance if the offence was committed “with their consent or connivance”.

Individuals have a right to ask your organisation to disclose what personal data you hold about them by submitting a subject access request and paying a fee of £10. You must respond within 40 days. If you fail to respond the requester can make a complaint to the ICO. So you need to be careful about the records, notes and correspondence you keep about employees, job applicants and service users, since it could all be disclosable to them upon request!

The key steps to ensure compliance are:

  • Ensure your organisation is registered with the ICO as a data controller
  • Prepare a Data Protection Policy
  • Put in place appropriate ‘privacy warnings’ for clients and customers giving them the required notices and informing them of their rights
  • Ensure that you hold no more personal data than is necessary for the business activities that you perform
  • Establish procedures for staff to follow when processing personal data. (Demonstrating that procedures were put in place might be a defence in the event of a complaint brought against you)
  • Train, and regularly refresh, all your staff in best practice
  • Put in place contracts with your suppliers which assist in the protection of information
  • Check your insurance and evaluate your risks of suffering a data breach or security incident

Data controllers must put in place adequate technical and organisational measures to safeguard personal data from destruction, accidental loss, unauthorised access or disclosure. Data breaches can occur through unauthorised entry into IT networks, loss of mobile devices or memory sticks, or even simple errors like leaving confidential papers in unsecured waste bins. In recent years, the ICO has toughened its stance on prosecuting data breaches. For example, in July 2014, the ICO fined a Thomas Cook subsidiary, Think W3 Limited, £150,000 after a hacker stole more than 1 million customers’ personal details – including credit and debit card numbers – due to poor data security measures on its website. In March 2014 the ICO imposed a penalty of £200,000 on the charity British Pregnancy Advice Service (BPAS) for exposing thousands of personal details of patients to a malicious hacker. The charity failed to realise its website was storing the name, address, date of birth and telephone number of anyone who had requested a call back for advice on pregnancy issues. The personal data was not stored securely, and a vulnerability in the website’s code allowed the hacker to access the system and locate the information.

Social media such as Facebook or LinkedIn company pages can also be subject to the Act. A data controller who runs an online forum has a responsibility to take reasonable steps to check the accuracy of any personal data that is posted on its site by third parties and presented as a ‘matter of fact’. For example, the operator of a site which invites service users to post reviews and feedback on service providers would be subject to this duty.

Special rules for electronic marketing

The Privacy and Electronic Communications Regulations (PECR) were introduced in 2003 to complement the Data Protection Act. They introduced specific rules about sending marketing and advertising by electronic means, including email, telephone, text messages, picture messages and fax. ‘Marketing’ covers not just the sale of products and services, but also the promotion of aims and ideals. In many cases, organisations need consent to send individuals marketing or to pass their details on. There is a limited exception for existing customers and clients known as the “soft opt in”, but only for commercial products or services – not campaigning and fundraising activities. Organisations will need to demonstrate through appropriate records that consent was knowingly and freely given. Consent may sometimes be time-limited, depending on the circumstances. Organisations must always say who they are and provide contact details. Individuals can ‘opt out’ of cold calls by registering with the Telephone Preference Service. You must not continue to send marketing messages to a person who objects or has opted out. Particular care must be taken if your organisation uses bought-in lists for marketing. Appropriate due diligence should be carried out on the quality of the list before proceeding, including obtaining assurances about whether the individuals have ‘opted in’ to receive marketing. Beware of the temptation to sell your own lists of supporters to others without permission. Pharmacy2U was fined £130,000 by the ICO for selling on their customer list, when customers had not given their consent for personal data to be sold on. This can be a particular issue to focus on where mergers, acquisitions or outsourcing are taking place.

Be careful about sharing data

A particular area of risk is the sharing of personal data. Charities may sometimes have a legitimate need to share or disclose data to other agencies and organisations in order to best serve the needs of their service users, or to protect vulnerable beneficiaries. There are a number of lawful routes for sharing data:

  • The person has knowingly given their express consent to the passing on of information (usually on a paper form or website sign-up).
  • The processing is necessary in relation to a contract which the individual has entered into; or because the individual has asked for something to be done so they can enter into a contract.
  • The processing is necessary because of a legal obligation that applies to your organisation, except an obligation imposed by a contract (for example, a safeguarding duty).
  • The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death (e.g. where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident).
  • The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
  • The organisation needs to process the data for the purpose of its own ‘legitimate interests’ or the legitimate interests of the third party that the information is disclosed to. The burden is on the organisation to demonstrate that is the case and that the individual is not harmed.

You can share without an individual’s knowledge in cases where personal data is processed for:

  • the prevention or detection of crime;
  • the apprehension or prosecution of offenders; or
  • the assessment or collection of tax or duty.

However, the sharing of information must be fair and transparent. People should generally be aware of which organisations are receiving their personal data, and what it is being used for. The best way to achieve this is to make sure a clear privacy notice, setting out all this information, is included on application forms, membership forms, website forms etc. It is good practice to keep records of data that has been shared and the reason(s) for sharing. If you regularly share or disclose data to other organisations, you should consider having a Data Sharing Agreement with them, setting out respective responsibilities, requirements for security and for secure deletion of data when no longer required.

Many organisations have come a cropper for sharing personal data for non-legitimate reasons. This can be where they sell a mailing list of supporters to another organisation, or where they pass on personal data to another agency where they shouldn’t have done so and this causes harm to someone (e.g. passing on information about an employee’s health condition to a third party).

Right to object – individuals have a clear right to object to your processing their personal data, and this must be brought to their attention when you first collect the data from them. If you are processing data for marketing purposes you must stop as soon as you receive the objection – there are no grounds to refuse or exemptions.

Other legal rules can also apply to disclosing or sharing personal data, such as information obtained in confidence and the Human Rights Act 1998 (Article 8 right to private and family life, home and correspondence).

In Part 2 of this post, we will examine the more stringent rules coming in May 2018 when the new General Data Protection Regulation enters into force.

Elderflower Legal & Secretarial offers a cost-effective outsourced company secretarial service to small business, charities, social enterprises and academy trusts. For a fixed monthly fee we can provide peace of mind to directors and board members that compliance duties are being met, returns filed by the deadlines and risks properly identified.
Contact us today for a no-obligation chat or check out our website at elderflowerlegal.co.uk or call 01625 260577.
Find out more details of our service packages here.
If you would like to be kept up to date on more topics like this, then why not sign up to receive our regular newsletter.

Consumer Rights Act Enhances Customer Rights – Traders Beware!

If you sell goods or services to individual consumers (rather than other businesses), you should be aware that consumer law changed on 1 October 2015, when the Consumer Rights Act came into force. The changes cover:

  • what should happen when goods are faulty
  • unfair terms in a contract
  • what happens when a business is acting in a way which isn’t competitive
  • greater flexibility for trading standards to respond to breaches of consumer law, such as seeking redress for consumers who have suffered harm.

As well as these changes there are two new areas of law covering:

  • what should happen when digital content (such as online films, games, apps or e-books) is faulty – the Act now gives consumers a clear right to repair or replacement.
  • how services should match up to what has been agreed, and what should happen when they do not or when they are not provided with reasonable care and skill (e.g. giving some money back if it is not practical to bring the service into line with what was agreed).

According to the Government, UK consumers spend £90 billion a month. New transparent rights will help them to make better choices when they buy, generating the opportunity for businesses to compete, innovate and grow. Businesses and consumers who understand their rights and responsibilities should also save time and money by avoiding costly disputes. The Consumer Rights Act replaces a number of laws with regard to business-to-consumer transactions, including the Sale of Goods Act 1979 and the Supply of Goods and Services Act 1982.

In summary, the main rights are as follows:

Purchase of goods

The Act says goods must be as described, fit for purpose and of satisfactory quality. During the expected lifespan of your product a consumer is entitled to the following:

Up to 30 days after purchase: if goods are faulty, they can get an immediate refund

Up to 6 months after purchase: if it can’t be repaired or replaced, then the consumer is entitled to a full refund in most cases.

Up to 6 years after purchase: if the goods do not last a reasonable length of time, a consumer may be entitled to some money back.

If goods or services are ordered remotely or online the Consumer Contracts Regulations 2013 also allow the customer up to 14 days from receipt of the goods to change their mind and get a full refund.

There are some exceptions to this, for example if the goods are perishable or made specifically to order.

Purchase of services

The Act says:

A customer can ask the supplier to repeat or fix a service if it’s not carried out with reasonable care and skill, or get some money back if they can’t fix it.

If you haven’t agreed a price beforehand, what the customer is asked to pay must be reasonable.

If you haven’t agreed a time period beforehand, the service must be carried out within a reasonable time.

If the customer orders services remotely or online, again the Consumer Contracts Regulations 2013 allow the customer in most cases to cancel within 14 days. But if they agree the service should start within this time (e.g. because the job is urgent), you can still charge them for what they have used.

Selling digital content

The Act requires that digital content must be as described, fit for purpose and of satisfactory quality. If digital content is faulty, the customer is entitled to a repair or a replacement.

If the fault can’t be fixed, or if it hasn’t been fixed within a reasonable time and without significant inconvenience, the customer can get some, or all of their money back.

If they can show the fault has damaged their device and you haven’t used reasonable care and skill, they may be entitled to a repair or compensation.

Also, the Consumer Contracts Regulations 2013 give consumers of digital content a 14 day right to change their mind and get a full refund on digital content. But they do not have this right to cancel once a download has started, provided you have told them this and they have acknowledged this – website order forms should be amended accordingly.


If you sell goods and services to the public, it is important to be aware of these changes and adjust your terms and conditions and website wording accordingly. If you would like us to review your terms and conditions for compliance, please get in touch info@elderflowerlegal.co.uk or 01625 260577.


Employing Staff for First Time? Know Your Legal Duties!

Are you employing staff for the first time? It is vital to understand your legal duties.

Starting a new enterprise is an exciting time. In due course you may think about employing staff to help you. It is vital to understand your responsibilities when taking on employees. Time spent getting your paperwork in order could be a wise investment to avoid problems and expense further down the line. Here, I offer a few simple tips to ensure compliance.

1  Run a fair recruitment process

Draft a job description and person specification for the role you are looking to recruit. Set out the requirements in an objective way and avoid using problematic phrases like “young and dynamic candidate” which could be construed as discriminatory. Remember that recruits have the right not to be discriminated against on grounds of sex, race, disability, sexual orientation, religion and belief, age, gender reassignment, marriage and civil partnership, pregnancy or maternity. Design a fair recruitment and selection process so all candidates can, as far as possible, be treated equally. Objective competency tests help to demonstrate this better than interviews alone. Remember that if there is a problem, a disgruntled candidate may request copies of all information you hold about them under the Data Protection Act, so make sure your paperwork is in order.

2  Always use a written contract

When employing staff, the law requires employers to provide employees with a written statement of the main terms of their employment within two months of starting work. The statement must cover the following as a minimum in one single document:

  • the employing organisation’s name
  • the employee’s name, job title or a description of work and start date
  • if a previous job counts towards a period of continuous employment, the date the period started
  • how much and how often an employee will get paid
  • hours of work (and whether the employee will have to work Sundays, nights or overtime)
  • holiday entitlement (and whether that includes public holidays or not)
  • where an employee will be working and whether they might have to travel or relocate
  • if an employee works in different places, where these will be and what the employer’s address is

Failure to provide the written statement may entitle the employee to raise a grievance and bring a claim before the employment tribunal for compensation equivalent to 2-4 weeks’ pay.

As well as these main terms, the following further information must also be given in writing, although this can be in a staff handbook or other documents:

  • how long a temporary job is expected to last
  • the end date of a fixed-term contract
  • notice periods
  • any collective agreements that are in place between the employer and trade unions
  • pension entitlement
  • who to go to with a grievance
  • how to complain about how a grievance is handled
  • how to complain about a disciplinary or dismissal decision

As soon as someone accepts a job offer, they have a contract with their employer. An employment contract doesn’t have to be written down, but the use of a written contract helps both parties to know where they stand and can avoid misunderstandings and costly disputes. It is also the employer’s opportunity to make sure the employee is aware of certain obligations necessary to protect the employer’s business, such as not poaching customers or staff when they leave, protecting trade secrets, or handing over inventions, documents, passwords and keys when they leave.

The contract of employment can be varied only with the agreement of both parties. If you are proposing to change an employee’s contract of employment, you should consult with that employee and explain and discuss the reasons for the change. Employees are more likely to accept changes if they can understand the reasons behind them and have an opportunity to express their views.

If you impose a change to the contract unilaterally you may be in breach of contract, and your employees could bring a legal claim against you for constructive dismissal (if the breach is fundamental and significant), claim damages for breach of contract in the courts, or bring a claim at an employment tribunal for unlawful deduction from wages if the change affects their pay.

3  Pay the correct amounts

Do some research to find out what the going rate is for employees in your sector. When employing staff, think about whether to offer a bonus or incentive scheme to encourage good performance and loyalty, but make sure the criteria and rules are clear. Think about what the organisation can afford. Additional benefits, such as pension contributions and childcare vouchers can be attractive for candidates and they may also save tax.

All employees have a right to be paid at least the National Minimum Wage or, if they are over 25, from 6 April 2016 the National Living Wage applies, which is £7.20 per hour. Below the age of 25 the following hourly rates apply: 21 or over £6.70, 18 to 20 £5.30, under 18 £3.87, an apprentice aged 16 to 18 or over 19 in their first year £3.30. The National Living Wage for over 25s represents a £910 per annum increase in earnings for a full-time worker on the previous minimum wage, and it is set to increase year on year. By 2020 the Government predicts a full-time minimum wage worker will earn over £4,800 more in cash terms. The increase is going to have a big impact on the cost base of labour-intensive sectors like health and social care. Organisations will need to budget for these increases in business plans and consider whether and how these costs can be passed onto customers (or consider recruiting more under 25s!).

Remember it is unlawful to deduct amounts from an employee’s wages unless you are legally required to do so (e.g. to service student loans), you have a contractual right to do so, or you have a separate written agreement signed by the employee (for example, a right to set off outstanding balance of a training loan or season ticket loan if the employee leaves).

4  Provide induction and ongoing training

At the start of a new job many employees feel highly motivated and excited about their future prospects. Unfortunately this idealism doesn’t always last and some staff members may find themselves becoming disenchanted. Often, this can be attributed to a lack of support, a failure by the business to communicate key responsibilities, an overwhelming amount of new information or because the recruit fails to build a social network within the organisation. A good induction programme is the way to help a new employee settle into the organisation and become effective quickly. Focus on the new employee and provide them with information and training that is needed for them to be competent with their job responsibilities. There should be continuous support: it is a good idea to appoint a mentor to support a new joiner when they first arrive.

Ongoing training for employees has clear business benefits, including

  • Better job satisfaction and morale among employees
  • Increased employee motivation
  • Efficiencies in processes, resulting in financial gain for the enterprise
  • Enhanced capacity to adopt new technologies and methods
  • More innovation in strategies and products
  • Reduced employee turnover
  • Enhanced company image, e.g. through customer service training
  • Better risk management, e.g., training about data protection and equality laws.

Remember that losing staff always has a cost and risk to the organisation in lost productivity, additional recruitment fees and management time in finding a replacement. Research by Oxford Economics in 2014 found that the average cost to replace an employee was a startling £30,000 once you take into account direct recruitment costs and the time taken to reach optimum working efficiency (typically 24-28 weeks for an SME).

5  Make sure employees know the rules

As well as the contract of employment, when employing staff, it is essential to have a set of policies which staff are made aware of during their induction. These will cover issues like sickness absence, confidentiality and data protection, expenses and subsistence, use of company facilities, home-working and use of social media. Employees should be made aware that failure to follow the rules can result in disciplinary action. You should have in place a clear written disciplinary procedure. ACAS publishes good guidance on best practice.

If employees have a problem with managers or co-workers, they must have an opportunity to raise these through a grievance procedure. If you hold a grievance or disciplinary meeting, the employee has the right to be accompanied by a colleague or trade union official.

You must have a health and safety policy and put in place Employers Liability Insurance which will help you pay compensation if an employee is injured or becomes ill because of the work they do for you. The policy must cover you for at least £5 million and come from an authorised insurer. You can be fined £2,500 every day you are not properly insured. You can also be fined £1,000 if you do not display your insurance certificate or refuse to make it available to inspectors when they ask.

6  Manage attendance

Research by PWC found that the annual cost of sickness absence to UK employers was almost £29 billion in 2013. British workers apparently take more than four times as many sick days off work as workers in other countries, the average unplanned absence being around 9 days!

Clearly, there is a significant cost to the employer of this loss of productivity. The costs could be even greater if you are forced to hire additional temporary cover for a key role. It is important to address this cost by looking for ways to improve employees’ health, morale and motivation. For example, allowing greater workplace flexibility could help to break the cycle, e.g. allowing home-working or flexi-time; initiatives to promote exercise or healthy eating may also help. Some employers pay a bonus for a good attendance record.

There should be clear procedures for notifying and recording absences, a requirement to produce medical certificates for prolonged absences of more than 7 days, and in the case of long-term absence the employer may want a right to require an employee to undergo an independent medical examination. Specify carefully in the contract how much time an employee can take off on full pay before their salary is reduced. As a minimum, an employee who is off sick for 4 days or more should qualify for statutory sick pay (‘SSP’) (currently £88.45 p.w.), which is payable for up to 28 weeks. Until 2014, employers could usually reclaim SSP from the Government, but that is no longer the case – which means the wording of the contract can be crucial to manage your costs. Remember also that annual leave is still accrued while an employee is off sick.

7  Don’t dismiss unfairly

You can only dismiss someone if you have a good reason. Dismissal is normally only fair if an employer can show that it is for one of the following reasons:

  • a reason related to an employee’s conduct (e.g. failure to comply with policies, serious errors or customer complaints).
  • a reason related to an employee’s capability or qualifications for the job (including long term sickness, although extreme care is required if the employee has a disability).
  • because of a redundancy situation (there is insufficient work or roles are being restructured)
  • because a statutory duty or restriction prohibits the employment being continued (e.g. an employee is convicted of an offence or becomes bankrupt where this prevents them holding that role).
  • some other substantial reason of a kind which justifies the dismissal (for example, the employee is sent to prison).

But you must also show that you have acted fairly and reasonably in handling the process. In practice, this means you must:

  • inform the employee of any problem that you have with their conduct or performance
  • carry out a proper investigation
  • if it’s a redundancy situation a fair and transparent selection process must be used
  • hold a meeting to discuss the problem
  • allow the employee to be accompanied
  • decide what the appropriate action is (perhaps a verbal or written warning before dismissing)
  • provide the employee with an opportunity to appeal (ideally to someone unconnected with the initial investigation or problem).

In order to make an ‘unfair dismissal’ claim an employee must normally have been employed for at least 2 years, however, there are exceptions if the dismissal relates to an ‘automatically unfair’ reason (see below), where no qualifying period applies.

Some types of dismissal are regarded as ‘automatically unfair’, regardless of the reasonableness, if an employee is exercising specific rights to do with:

  • pregnancy: including all reasons relating to maternity
  • family reasons: including parental leave, paternity leave (birth and adoption), adoption leave or time off for dependants
  • trade union membership grounds and union recognition, or acting as an employee representative
  • pay and working hours: including the Working Time Regulations, annual leave and the National Minimum Wage.

Employees are normally entitled to at least one week’s notice if you intend to dismiss them, unless a longer period applies. This minimum period rises to two weeks after two full years’ service and then by one week per year up to a maximum of 12 weeks. It may be possible to pay an employee in lieu of notice if you include this right in the contract. This may be appropriate in certain sensitive roles where it is preferable if the employee leaves immediately.

Sometimes you may dismiss someone without notice on the grounds of gross misconduct. This occurs when an employee has committed a serious act such as theft, violence, physical abuse, serious breach in health and safety or gross negligence. But it is still important to follow a fair procedure as for any other disciplinary offence.

Employees have the right to ask for a written statement of the reasons for their dismissal within 14 days. Having