Several important employment law reforms have come into force recently or will come into force shortly, both at the EU and French level. Below are some of the changes to expect for 2019:
- The Home Office has published a revised Code of Practice on preventing illegal working, which reflects the ability for employers to check certain employees’ right to work records solely by online check from 28 January 2019 (see here).
- The Government has published a consultation until 1 March 2019 on possible minor amendments to national minimum wage legislation in relation to salaried hours work and salary sacrifice (see here).
- Acas has published a guide highlighting key areas where age discrimination may happen.
On 23 November 2018, the European Data Protection Board published its draft guidelines on Article 3 of the GDPR, being the provision that sets out the territorial scope of Europe’s data protection legislation.
The GDPR seeks (via Article 3) to extend its reach beyond European borders, making non-EU organisations directly subject to its obligations when processing personal data either:
- in the context of an establishment of a controller or a processor in the EU; or
- relating to the offer of goods or services to individuals in the EU; or
- relating to the monitoring of the behaviour of individuals as far as their behaviour takes place in the EU.
The emphasis highlighted above demonstrates the broad drafting of the legislation and potentially extremely wide application of the GDPR to organisations located outside of the EU. This has left many organisations worldwide in a state of uncertainty as to the fundamental application of this important legislation to their activities. Guidance on Article 3 is therefore long overdue.
The draft guidelines published on 23 November 2018 are open for consultation, with interested parties being given until 18 January 2019 to provide comments. However, even in their current draft state, the guidelines give invaluable insight into the European regulators’ view on interpretation of Article 3 and go some way to clarifying key questions regarding the application of the GDPR.
For further details, see our Data Protection Update here.
- Unlock has published new guidance for employers on criminal record checks, to which the ICO has contributed. The guidance states that checks at the application stage are unlikely to be necessary for most jobs and therefore likely to be a breach of the GDPR. In relation to checks at the job offer stage, the guidance emphasises the need to think carefully whether these are necessary and whether there is a lawful ground and condition for processing. The guidance also discusses the use of personal social media and data in the public domain.
- New resources on mental health in the workplace include guidance from the CBI, the CIPD and Mind, and a new online gateway linking to many more resources at Mental Health at Work.
- The charity Made in Dyslexia and EY have published a Value of Dyslexia report highlighting the huge value in dyslexic thinking and the unique set of skills that people with dyslexia can offer to an organisation.
The UK data protection regulator, the Information Commissioner’s Office (ICO), has issued its first enforcement notice under the General Data Protection Regulation (GDPR). The notice is particularly noteworthy because it has been issued against a company located in Canada, which does not appear to have any presence within the EU. The ICO found that the company, AggregateIQ Data Services Ltd, failed to comply with the GDPR in a number of ways, including by processing personal information in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing. It is understood that the notice is being appealed. The extraterritorial reach of the GDPR is as yet untested and, without any regulatory guidance as to interpretation, how that appeal plays out may be an early indicator as to the issues that could arise in extraterritorial enforcement under the GDPR. For further information, see the article written by our data protection team, which was first published in the November 2018 issue of PLC Magazine.
The Court of Appeal has upheld the High Court decision in Morrisons Supermarkets Plc v Various Claimants that an employer can be vicariously liable for an employee’s misuse of data even where it has done as much as reasonably possible to prevent the misuse and the employee’s intention was to cause reputational or financial damage to the employer.
Over the summer the Government published its white paper on the future UK-EU relationship post transitional period, covering a wide range of issues including immigration and employment. On immigration, the Government stated that it recognises the importance of moving and attracting talent across Europe to support the global operations of UK firms and global investors. It suggested that business visits would continue to be permitted to and from the EU under new arrangements but for paid work in only a limited number of circumstances (perhaps in line with the current business visitor rules for non-EEA nationals). The paper also suggested permitting intra-corporate transfers across Europe, based on existing arrangements with other non-EU countries. Finally, the Government made clear that it intends to seek to secure onward movement opportunities for UK nationals in the EU who are covered by the citizens’ rights part of the withdrawal agreement, should they wish to change their member state of residence in the future. There is little further detail on how migration arrangements could work after Brexit but a further white paper on immigration has been promised this autumn.
This month, we consider whether employers can conduct background checks by way of social media/internet searches on prospective employees, focussing on the position in Singapore, Hong Kong, Japan and South Korea.
Under the Personal Information Protection Act (“PIPA”) any company which handles personal data will be deemed a ‘data handler’ and must comply with strict requirements. This includes employee personal data.
In many industries, it is a requirement that certain individuals performing regulated activities are, and remain, fit and proper. For example, these requirements will apply to certain individuals who are subject to the oversight of financial services regulators such as the Hong Kong Monetary Authority, the Securities and Futures Commission (SFC) or the Insurance Authority. Assessing whether an individual is fit and proper, however, is not always straightforward. Issues which, on their face, may not seem to be compliance risks could in fact be so when viewed through the lens of the fit and proper test.