UK: revised Code on right to work checks, consultation on national minimum wage rules, age discrimination guide

  • The Home Office has published a revised Code of Practice on preventing illegal working, which reflects the ability for employers to check certain employees’ right to work records solely by online check from 28 January 2019 (see here).
  • The Government has published a consultation until 1 March 2019 on possible minor amendments to national minimum wage legislation in relation to salaried hours work and salary sacrifice (see here).
  • Acas has published a guide highlighting key areas where age discrimination may happen.

EU: draft guidelines on GDPR extra-territoriality published

On 23 November 2018, the European Data Protection Board published its draft guidelines on Article 3 of the GDPR, being the provision that sets out the territorial scope of Europe’s data protection legislation.

The GDPR seeks (via Article 3) to extend its reach beyond European borders, making non-EU organisations directly subject to its obligations when processing personal data either:

  • in the context of an establishment of a controller or a processor in the EU; or
  • relating to the offer of goods or services to individuals in the EU; or
  • relating to the monitoring of the behaviour of individuals as far as their behaviour takes place in the EU.

The emphasis highlighted above demonstrates the broad drafting of the legislation and potentially extremely wide application of the GDPR to organisations located outside of the EU. This has left many organisations worldwide in a state of uncertainty as to the fundamental application of this important legislation to their activities. Guidance on Article 3 is therefore long overdue.

The draft guidelines published on 23 November 2018 are open for consultation, with interested parties being given until 18 January 2019 to provide comments. However, even in their current draft state, the guidelines give invaluable insight into the European regulators’ view on interpretation of Article 3 and go some way to clarifying key questions regarding the application of the GDPR.

For further details, see our Data Protection Update here.

UK: new resources on criminal record checks, mental health and dyslexia

  • Unlock has published new guidance for employers on criminal record checks, to which the ICO has contributed. The guidance states that checks at the application stage are unlikely to be necessary for most jobs and therefore likely to be a breach of the GDPR. In relation to checks at the job offer stage, the guidance emphasises the need to think carefully about whether these are necessary and whether there is a lawful ground and condition for processing. The guidance also discusses the use of personal social media and data in the public domain.
  • New resources on mental health in the workplace include guidance from the CBI, the CIPD and Mind, and a new online gateway linking to many more resources at Mental Health at Work.
  • The charity Made in Dyslexia and EY have published a Value of Dyslexia report highlighting the huge value in dyslexic thinking and the unique set of skills that people with dyslexia can offer to an organisation.

UK: first enforcement notice under GDPR shows extra-territorial reach

The UK data protection regulator, the Information Commissioner’s Office (ICO), has issued its first enforcement notice under the General Data Protection Regulation (GDPR). The notice is particularly noteworthy because it has been issued against a company located in Canada, which does not appear to have any presence within the EU. The ICO found that the company, AggregateIQ Data Services Ltd, failed to comply with the GDPR in a number of ways, including by processing personal information in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing. It is understood that the notice is being appealed. The extraterritorial reach of the GDPR is as yet untested and, without any regulatory guidance as to interpretation, how that appeal plays out may be an early indicator as to the issues that could arise in extra-territorial enforcement under the GDPR. For further information, see the article written by our data protection team, which was first published in the November 2018 issue of PLC Magazine.

UK: Court of Appeal upholds employer vicarious liability for employee data breach and serious assault

The Court of Appeal has upheld the High Court decision in Morrisons Supermarkets Plc v Various Claimants that an employer can be vicariously liable for an employee’s misuse of data even where it has done as much as reasonably possible to prevent the misuse and the employee’s intention was to cause reputational or financial damage to the employer.

UK: Government’s white paper on future relationship and technical notes in the event of a Brexit no-deal

Over the summer the Government published its white paper on the future UK-EU relationship post transitional period, covering a wide range of issues including immigration and employment. On immigration, the Government stated that it recognises the importance of moving and attracting talent across Europe to support the global operations of UK firms and global investors. It suggested that business visits would continue to be permitted to and from the EU under new arrangements but for paid work in only a limited number of circumstances (perhaps in line with the current business visitor rules for non-EEA nationals). The paper also suggested permitting intra-corporate transfers across Europe, based on existing arrangements with other non-EU countries. Finally, the Government made clear that it intends to seek to secure onward movement opportunities for UK nationals in the EU who are covered by the citizens’ rights part of the withdrawal agreement, should they wish to change their member state of residence in the future. There is little further detail on how migration arrangements could work after Brexit but a further white paper on immigration has been promised this autumn.

Hong Kong: The Requirement of Being ‘Fit and Proper’

In many industries, it is a requirement that certain individuals performing regulated activities are, and remain, fit and proper. For example, these requirements will apply to certain individuals who are subject to the oversight of financial services regulators such as the Hong Kong Monetary Authority, the Securities and Futures Commission (SFC) or the Insurance Authority. Assessing whether an individual is fit and proper, however, is not always straightforward. Issues which, on their face, may not seem to be compliance risks could in fact be so when viewed through the lens of the fit and proper test.
