Asia Employment, Pensions and Incentives Update May 2020

Our Asia Employment, Pensions and Incentives update this month looks at:

  • the new measures in South Korea introducing paid emergency childcare leave to ease the burden on working parents;
  • the Employment Adjustment Subsidy in Japan, intended to try and prevent employers from resorting to immediate redundancies;
  • in Thailand, the new data protection rules and how they impact the collection of COVID-19 data;
  • this month’s Asia Comparative Article, which looks at the requirements and restrictions around the use of fixed term employment contracts in Singapore, Hong Kong, Thailand, Taiwan and the PRC; and
  • our Compliance Check this month, which will help businesses ready for reopening in Singapore and sets out the Safe Management Measures that need to be implemented.

In addition, our Hong Kong team recently published an article for employers returning to work. You can access that article here.

For those of you that missed our termination of employment webinars, you can access the Thailand webinar here and the SEA (Singapore, Malaysia & Philippines) webinar here.

Finally, don’t forget our upcoming regional webinar on return to work measures, taking place on 21 May 2020. You can register for that webinar here.

 

 

 

Fatim Jumabhoy
Fatim Jumabhoy
Partner, Singapore
+65 6868 9822
Narendra Adiyasa
Narendra Adiyasa
Partner, Jakarta
+62 21 3973 8000
Tess Lumsdaine
Tess Lumsdaine
Senior Associate, Hong Kong
+852 2101 4122
Rebecca Lim
Rebecca Lim
Associate, Singapore
+65 6868 8063
Gillian Miao
Gillian Miao
Counsel, Mainland China
+86 21 2322 2325

UK COVID-19: launch of online scheme to reclaim SSP, 5 steps to working safely, new guidance from ICO, EHRC and ACAS

1) This morning the Government announced that an online Coronavirus Statutory Sick Pay Rebate Scheme will be launched on 26 May for small and medium-sized employers to recover Statutory Sick Pay (SSP) payments they have made to their employees due to COVID-19-related absence.

2) Following on from last week’s guidance on creating COVID-19 Secure workplaces, the government has also published “Practical actions for businesses to take based on 5 main steps“.  Action points are given under 5 headings:

  1. Carry out a COVID-19 risk assessment
  2. Develop cleaning, handwashing and hygiene procedures
  3. Help people to work from home
  4. Maintain 2m social distancing, where possible
  5. Where people cannot be 2m apart, manage transmission risk

The government has also updated the guidance for the Access to Work scheme to make clear that eligible disabled employees may claim financial support where they need to work from home as a result of the COVID-19 pandemic

3) The Information Commissioner’s Office (ICO) has published a helpful new set of FAQs for employers on COVID-19 workplace testing.  The ICO accepts that employers will often be able to show a legitimate reason for processing health data in compliance with the GDPR, as long as they are not collecting or sharing irrelevant, inaccurate or unnecessary data.  Employers should carry out, and continually review, data protection impact assessments covering any new testing activity.  Data must be processed securely and kept for no longer than necessary, and transparency will be critical.  Employers should keep staff informed about potential or confirmed COVID-19 cases amongst their colleagues, but should avoid naming individuals if possible, and should not provide more information than is necessary. The ICO notes that the use of temperature checks or thermal cameras on site may not be proportionate if the same results can be achieved through other, less privacy intrusive, means.

4) Acas has recently published guidance on the conduct of disciplinary and grievance procedures during the COVID-19 pandemic, noting that an employer will need to decide if it would still be fair and reasonable to carry on with or start a disciplinary or grievance procedure while employees are furloughed, socially distancing at work or working from home.  Relevant factors include the health and wellbeing of employees, the individual circumstances, sensitivity and urgency of the case, any reasonable objections from those involved, and access to technology and evidence.  The arrangements must allow an employee to fully exercise their right to be accompanied.

Employers should treat with caution the guidance concerning employees on furlough.  The guidance suggests that an employee on furlough can act as investigator, meeting chairperson or notetaker for an employer and can give evidence.  However, in our view, such activities would likely amount to doing “work” for the employer which is prohibited by the terms of the Coronavirus Job Retention Scheme and could therefore break furlough and remove or curtail an employer’s ability to claim reimbursement for those employees under the scheme. The guidance also suggests that only voluntary involvement in a disciplinary or grievance process is permitted while on furlough, which seems odd given it is hard to characterise an employee being subjected to a disciplinary process as “doing it out of their own choice”.

5) Acas has also updated its general COVID-19 guidance for employers and employees and published new guidance on mental health during the pandemic.

6) The Equality and Human Rights Commission has published COVID-19 guidance for employers on avoiding discrimination when making decisions on furlough, redundancy, working from home and so on, as well as specific guidance covering employees who are pregnant or on maternity leave.

COVID-19: People: data protection update for employers (Germany)

For many employers, COVID-19 has led to the closure or the impairment of operations. However, some employers have been able to continue their operations unchanged. If the business reopens after the lockdown, all employers will be equally compelled to take measures to ensure both business continuity and employee protection. In many instances, this involves increased processing of health data, in ways that were not envisaged a short time ago. This increase, combined with the timeframes involved in processing health data, and the speed at which government advice and directions are changing, has presented a number of challenges. Even if data protection regulators are recognising these challenges, it is important to remember that a global pandemic is not a general waiver for privacy compliance.

In this article we present individual measures that are conceivable to prevent the spread of COVID-19 in the company and highlight the data protection aspects of these individual measures. Besides we give a short overview of five key legal steps regarding data protection, which employers should consider when allowing employees to work from home.

1. Potential individual measures to stop or prevent the spread of COVID-19 within the company

The question as to how the spread within a company can be stopped or prevented is highly relevant for employers. From our experience, many employers have been asking employees to fill out questionnaires on whether they are experiencing any symptoms associated with COVID-19 and/or have had any contact with persons who have or had contracted the virus. However, some employers have introduced stricter measures such as scanning body temperatures prior to entering the workplace or other medical measures such as assessing the state of health of individuals and whether for example they have been showing signs of sweating or coughing.

The data protection authorities of the Rhineland-Palatinate and Saxony states published statements on their websites stating that requiring employees to fill out a health questionnaire, to report information about their health (with the exemption of information on any recent holidays to risk zones and any contact with suspected persons) and requiring employees to undergo a medical examination such as measuring body temperatures are not justified according to German data protection law. However, other authorities seem to have taken a different view. For example, the Federal Commissioner of Data Protection and Freedom of Information has published a statement that it is permissible to query the health status of all employees in order to ensure the safety of their own employees and prevent the spread of the virus (the statement is available here). According to statements of the data protection authority of the state Hamburg and North Rhine-Westphalia, measuring the temperature of employees prior to entering the premises can be justified on a case-by-case basis. The authority of the state North Rhine-Westphalia recommends reaching a desired solution having considered the views of the employees, the works council and the data protection officer. Entering into a works council agreement as legal basis for processing of employees’ data should in our view help employers to reduce the risk of potential non-compliance with data protection law.

Please note that all other relevant principles and obligations of the General Data Protection Regulation will be need to be kept in mind and complied with when implementing new measures – for example, the data minimisation principle, the information obligation under Article 13, the requirement to document processing activities under Article 30 and to put in place appropriate retention and deletion periods.

 

2. Key steps when allowing employees to work from home

Employers around the world have encouraged their employees to work from home since the outbreak of the COVID-19 pandemic. We have set out five key steps employers should consider when doing so, from a data protection perspective:

  • implement or ensure that company policies on working from home are up to date. This can include ensuring that there are restrictions on access rights, informing employees to lock devices when unattended, making sure any phone calls or online meetings are carried out somewhere where they cannot be overheard, (particularly if what is being discussed is confidential or sensitive information), ensuring employees know not to forward emails to private addresses, and will destroy any hardcopies when back in the office;
  • necessary IT security measures must be in place, e.g. the system must be kept up-to-date, all devices should have virus and firewall protection, and that there are contact persons in case of any technical problems;
  • remind employees to be alert to security issues (e.g. phishing emails);
  • consider ad-hoc training for those employees who typically do not work from home; and
  • remind employees that existing rules on the prohibition of private use of the IT and the email system remain in place.

In this context, the Federal Office for Information Security provides a four-page leaflet that employers can share with their employees. The leaflet is available here.

If these topics are of interest to you or one of your colleagues, please feel free to contact us.

 

Simone Ziegler
Simone Ziegler
Senior Associate, Germany
+49 69 2222 82502
Anna Rosón Eichelmann
Anna Rosón Eichelmann
Professional Support Lawyer, Germany
+49 69 2222 82552

 

 

 

UK: Supreme Court rules that Morrisons not vicariously liable for ‘rogue’ employee’s data breach

The Supreme Court has today overturned the Court of Appeal’s ruling in Morrisons Supermarkets Plc v Various Claimants. The decision re-establishes that, when determining an employer’s vicarious liability, a key focus is whether the employee was pursuing their own, rather than their employer’s, objectives when doing the wrongful act.

The test for rendering an employer vicariously liable for an employee’s actions is well established, namely there has to be a sufficiently close connection between what the employee was employed to do and the behaviour, such that it is fair and proper to regard the employee as acting in the course of their employment and not “on a frolic of their own”.  It has been less clear how broadly that test should be interpreted, causing concern for employers given the lack of “reasonable steps” defence against vicarious liability for torts.  For example, it was suggested that the Supreme Court’s ruling in Mohamud v WM Morrison Supermarkets meant that, where an employee’s role involves interacting with customers in some way, an employer might be vicariously liable for any employee conduct towards customers, even if the employee engages in a wholly different nature of interaction from that envisaged (such as by using force or away from the usual work station) and regardless of motive.

The latest case also concerned a former Morrisons’ employee, who was found guilty of stealing and unlawfully sharing the names, addresses, bank account, salary and national insurance details of almost 100,000 of his former colleagues with news outlets and data sharing websites. The Court of Appeal held that Morrisons was vicariously liable for his actions, on the basis that sending data to third parties (such as the company’s external auditors) was within the “field of activities” assigned to the employee as a senior auditor. It considered that there was sufficient connection between his job and the wrongful conduct for the employer to be held vicariously liable, even where it had done as much as reasonably possible to prevent the misuse and the employee’s intention was to cause reputational or financial damage to the employer.

The Supreme Court has now made clear that it is not sufficient for vicarious liability that the wrongful act is of the same kind as those which it is within the employee’s authority to do, nor is the mere fact that the job provides the employee with “the opportunity to commit the wrongful act”.  It is also not enough to show that the wrongful act was the culmination of an unbroken temporal or causal chain of events regardless of the employee’s motive. The courts below had misinterpreted the Supreme Court’s judgment in Mohamud, which was not intended to change the law.  In Mohamud it was key that the employee was purporting to act on his employer’s business, threatening the customer not to return to the employer’s premises, and not acting to achieve some personal objective.  In contrast, in the current case “the employee was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.”   The ruling helpfully re-establishes that employers should not be liable for the acts of employees while engaged on “frolics of their own”, ie pursuing their own rather than their employer’s objectives.

Although it did not affect the outcome, the Supreme Court also considered Morrisons’ contention that the Data Protection Act 1998 (DPA) excludes the imposition of vicarious liability in relation to data breaches under that Act and for the misuse of private information or breach of confidence – in effect that the DPA is a statutory scheme which “owns the field” in this respect. The Supreme Court rejected this argument, stating that: “the imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breaches of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity.”

The Supreme Court’s decision will likely result in a collective sigh of relief for organisations both in relation to their liability for employees’ actions generally and their potential liability for data breach class actions. However, it is important to note that it does not close the door on data breach class action compensation as a whole. Boardrooms should still be examining the technical and organisational measures they have in place to prevent personal data breaches in order to reduce the risk of regulatory enforcement and class actions.  Our data protection team has published a detailed ebulletin on the ruling available here.

Anna Henderson
Anna Henderson
Professional Support Consultant, London
+44 20 7466 2819

UK: stricter timescale for employers to respond to subject access request

The Information Commissioner’s Office has amended its General Data Protection Regulation: Right of access guidance to apply a stricter timescale for employers (and other data controllers) to comply with a data subject access request (DSAR). Previously, if a controller asked the data subject for further information/clarification of the request, the start of the one-month time period for compliance was paused until that information was received. The guidance has now been amended to state that the clock will no longer be paused in this situation – the one-month timescale will start to run from the date of receipt of the DSAR or, if later, upon receipt of proof of identification. Controllers may be able to extend the time limit by two months if the request is complex or the individual has made a number of requests.

If the data subject delays in providing the information requested, this could significantly reduce the time available to collate a response. Employers will need processes in place to ensure they can respond quickly and efficiently.

The ICO consulted on its more detailed draft Right of access guidance until 12 February 2020 and the final version is awaited. The draft adopted the same approach as the amended guidance discussed above.

Future of Work: Adapting to the democratised workplace

The new world of work: report warns of an unprecedented rise in workplace activism

Across all sectors and geographies workers are becoming more vocal in articulating their views – about the workplace, their employer and about wider social issues – and increasingly holding organisations to account, enabled and amplified by social media. This trend is set to grow and gives rise to new and distinct risks for employers.

The paradox of the robotic age is that automation will only make human skills more valuable. The World Economic Forum estimates that 75 million jobs will be lost to automation by 2022 but 133 million new jobs will be created – jobs requiring uniquely human qualities such as emotional intelligence and fine judgment. But unlike robots, humans have opinions – and that presents its own challenges for employers.

To help prepare for what’s ahead, we surveyed ~400 cross-sector C-suites worldwide to understand the triggers and scale of this trend.

Activism on the rise

Key findings reveal that in the next 3-5 years:

  • Over 80% of companies predict a rise in workforce activism with 95% expecting an increase in workers use of social media to amplify their voice
  • Respondents anticipate an increase in online digital petitions with 77% expecting to see more crowdfunded legal challenges
  • Workforce activism is a significant potential threat to corporate reputation, warning this could cost organisations up to 25% of global revenue each year
  • Almost 50% see activism as a positive force for change.

 

The voice of the workforce will insist on being heard as never before. If traditional, internal communication channels fail to meet their needs, external means of raising concerns will fill the gap.

Adapting to the democratised workplace: Six steps to success

Workplace activism in the age of digital communication calls for a new mindset from employers. Leadership styles may have to change and established procedures and policies will certainly have to be adapted to contend with a more democratised workforce. Protecting and nurturing the trust and engagement between employers and the workforce in this environment is paramount. The organisations that will thrive will be those that find a way to redefine the workforce relationship, manage tensions and create a common, compelling vision.

To succeed in the new world of work download your copy of the report here.

Video: The voice of the workforce

 

Emma Rohsler
Emma Rohsler
Regional Head of Practice (EMEA), Paris
+33 1 53 57 72 35
Miles Bastick
Miles Bastick
Regional Head of Practice (APAC), Australia
+61 2 9225 5722
Andrew Taggart
Andrew Taggart
Head of Employment (UK), London
+44 20 7466 2434
Karen IP
Karen IP
Partner, Mainland China
+86 10 65355135
Fatim Jumabhoy
Fatim Jumabhoy
Partner, Singapore
+65 68689822
Barbara Roth
Barbara Roth
Partner, New York
+1 917 542 7858

Game changer for cyber/data breach cases opens in Supreme Court: WM Morrisons Supermarkets Plc v Various Claimants

The Supreme Court in England has two issues to consider in the appeal which opens today. First, should the company be held to be vicariously liable for the acts of its employee in this case? It concerns, after all, a rogue employee, who took payroll data with which he was entrusted home on a USB stick and uploaded it onto a file sharing website. The company was a victim; the employee motivated by a grudge against it. He was convicted of crimes and sentenced to 8 years imprisonment. If the answer to this question is yes, business says it places a huge burden on it, at a time when the cyber incident insurance market is still developing. What are the consequences in practice for how business should monitor and carry out surveillance of employees? Should employers never let employees handle special types of personal data alone? Should employers monitor employees’ laptops routinely, or only if they suspect misuse of personal data?

The second issue is the extent to which data protection law “owns” the field in terms of remedies. Can claimants rely on other causes of action in data breach cases? Does the Data Protection Act 1998 prevent the application of vicarious liability to a breach of the Act?  Does it exclude the application of the tort of misuse of private information or the equitable doctrine of breach of confidence to breaches of that Act?

If the claim against Morrisons is ultimately successful, there will be a further hearing to consider the quantum of damages, and the all-important question of what damages should be awarded for the distress associated with a data breach where there is no other tangible loss.

Andrew Moir, head of Herbert Smith Freehills’ global cyber security practice commented: “If the Court of Appeal’s decision stands it will likely pave the way for future data breach related class actions – even if the individual quantum is modest, the numbers of individuals affected by data breaches is often significant enough to make such claims viable”.

The judges hearing the case are: Lady Hale, Lord Reed, Lord Kerr, Lord Hodge, Lord Lloyd-Jones.

Kate Macmillan, a consultant in our cyber security team, is attending the Supreme Court today and will be reporting live on the submissions.  You can follow her here.

Our Employment Notes blog post on the Court of Appeal decision is here.

Andrew Moir
Andrew Moir
Partner and Global Head of Cyber Security, London
+44 20 7466 2773
Miriam Everett
Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Christine Young
Christine Young
Partner, Employment Group, London
+44 20 7466 2845
Greig Anderson
Greig Anderson
Partner, London
+44 20 7466 2229
Kate Macmillan
Kate Macmillan
Consultant, London
+44 20 7466 3737

 

UK: ICO announces first ‘mega fines’ for data breach under GDPR

In the last couple of days, the Information Commissioner’s Office has issued two notices of intent to impose the first ‘mega fines’ under the GDPR regime for data breaches by British Airways (for £183.39 milion) and Marriott International (for £99.2 million).  Both companies now have the chance to respond to the notices of intent, after which a final decision will be made by the ICO. Even if the final fines do remain at the current intended levels, it seems likely that the companies will appeal, a process which would take some considerable time and potentially end up in the Court of Appeal.  The ICO has not yet published full details of the specific infringements or the detail of how the fines have been calculated.

Whatever the outcome of the enforcement, it is clear that these notices mark a turning point in GDPR enforcement – and will certainly serve to focus the minds of companies with respect to data security and GDPR compliance. It may also force some organisations to carefully reconsider their current approach to GDPR risk.

The Marriott notice may also have significant implications for corporate M&A.  The notice concerns a compromise of the systems of the Starwood hotel group prior to its acquisition by Marriott, with the breach itself discovered following completion of the corporate acquisition.  The fine shines a spotlight on the importance of data and cyber due diligence in corporate transactions.  For further details, see the posts on the BA notice and the Marriott notice on the HSF Data Notes blog.

Anna Henderson
Anna Henderson
Professional Support Consultant, London
+44 20 7466 2819

UK: right to privacy in relation to personal emails and WhatsApp messages

The European Court of Human Rights in Garamukanwa v United Kingdom has confirmed that the right to privacy can theoretically apply in relation to communications sent from a workplace email address, or which touch on both professional and private matters. However, in this case, the employee did not have a reasonable expectation of privacy in private communications sent to a work colleague, which had been discovered as part of a police investigation into allegations of harassment and passed to the employer for use in disciplinary proceedings. At the time of the communications, the employer had already informed the claimant of his colleague’s complaint and that his conduct was unacceptable, and therefore he could not have reasonably expected that his subsequent communications linked to the allegations would remain private. The employer was entitled to rely on these communications to justify dismissal for gross misconduct. The case highlights the importance of putting employees on notice of this type of allegation at an early stage.

More recently, the Outer House of the Court of Session has decided that, although ordinary members of the public may have a reasonable expectation of privacy when sending messages to a WhatsApp group, the position was different for police officers subject to professional standards applicable both on and off duty. In this case police officers sent offensive messages to a WhatsApp group of other officers, all of whom were under a positive obligation to report this type of message, in itself increasing the likelihood of disclosure. Given that officers are expressly required at all times to abstain from any activity likely to interfere with the impartial discharge of duties or giving that impression to the public, their expectation of privacy was limited. The employer was therefore entitled to use the messages (discovered during the course of a separate criminal investigation) as the basis for misconduct proceedings. The ruling suggests that individuals working in regulated industries or professions, where a higher standard of personal conduct is required, may not be entitled to an expectation of privacy in relation to messages sent to a WhatsApp group. (BC v Chief Constable Police Service of Scotland)

Anna Henderson
Anna Henderson
Professional Support Consultant, London
+44 20 7466 2819