Wm Morrison Supermarkets plc

Data Breach Claims – Wm Morrison Supermarkets plc

In Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, the Supreme Court has overturned judgments of the High Court and Court of Appeal and decided that a supermarket was not vicariously liable for unauthorised breaches of the Data Protection Act 1998 committed by an employee.

Wm Morrison Supermarkets plc v Various Claimants - the facts

In 2013, Mr Skelton, who was then employed by Wm Morrison Supermarkets plc (Morrisons) as an internal IT auditor, was provided with a verbal warning for minor misconduct. Subsequently, he developed an irrational grudge against his employer. After being asked by Morrisons to provide payroll data for the entire workforce to external auditors, Mr Skelton copied the data onto a USB stick. He took the USB stick home and posted the data on the internet, using another employee's details in an attempt to conceal his actions. He also sent this data to three national newspapers, purporting to be a concerned member of the public.

The newspapers did not publish the data, but one newspaper alerted Morrisons, who immediately took steps to remove the data from the internet, contact the police and begin an internal investigation. Morrisons spent £2.26 million dealing with the aftermath of the disclosure, a large proportion of which was spent on security measures for its employees. Mr Skelton was arrested and ultimately convicted of criminal offences under the Computer Misuse Act 1990 and section 55 of the DPA 1998, which was in force at the time.

The claimants in this case were 9,263 of Morrisons' employees or former employees. They claimed damages from Morrisons in the High Court for misuse of private information and breach of confidence, and for breach of its statutory duty under section 4(4) of the DPA 1998. The claimants alleged that Morrisons was either primarily liable under those heads of claim or vicariously liable for Mr Skelton's wrongful conduct.

Data Protection Act 1998

This case was decided under the Data Protection Act 1998 (DPA 1998) which was applicable at the time. The DPA 1998 implemented the Data Protection Directive (95/46/EEC) and imposed broad obligations on those who collect personal data (data controllers), as well as conferring broad rights on individuals about whom data is collected (data subjects). Section 4(4) of the DPA 1998 provided that a data controller must comply with eight data protection principles in relation to all personal data with respect to which they are a controller.

Under section 13(1), any breach of the DPA 1998 which caused damage entitled the victim to compensation for that damage. Section 13(2) provided as follows:

"An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if the individual also suffers damage by reason of the contravention."

Under section 13(3), it was a defence to any proceedings under section 13 for a person, or in this case Morrisons, to prove that they had taken such care as was reasonably required in all the circumstances to comply with the relevant requirement.

Vicarious liability

It was also crucial to consider whether Morrisons could be vicariously liable for their employee’s action in this instance. Employers will be liable for torts committed by an employee under the doctrine of vicarious liability where there is a sufficient connection between the employment and the wrongdoing. There is a two-stage test:

  • Is there a relationship between the primary wrongdoer and the person alleged to be liable which is capable of giving rise to vicarious liability?
  • Is the connection between the employment and the wrongful act or omission so close that it would be just and reasonable to impose liability?

In Lister v Hesley Hall Ltd [2001] UKHL 22, the House of Lords characterised the second stage as a "sufficient connection" test. The question was whether the torts were "so closely connected with [the] employment that it would be fair and just to hold the employers vicariously liable".

In Mohamud v Wm Morrison Supermarkets plc [2016] UKSC 11 (Mohamud), the Supreme Court held that the supermarket was vicariously liable for an employee's unprovoked violent assault on a customer. It found that there was a sufficiently close connection between the assault and the employee's job of attending to customers, such that the employer should be held vicariously liable.

Wm Morrison Supermarkets plc - Decision

The Supreme Court held that Morrisons was not vicariously liable for Mr Skelton's actions. It found that the Court of Appeal had misunderstood the principles governing vicarious liability in the following respects:

  • The disclosure of the data on the internet did not form part of Mr Skelton's functions or field of activities. This was not an act which he was authorised to do.
  • Although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Mr Skelton for the purpose of transmitting it to the auditors and his disclosing it on the internet, a temporal or causal connection did not in itself satisfy the close connection test.
  • The reason why Mr Skelton acted wrongfully was not irrelevant. Whether he was acting on his employer's business or for purely personal reasons was highly material.

The mere fact that Mr Skelton's employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability. It was clear that Mr Skelton was not engaged in furthering his employer's business when he committed the wrongdoing. On the contrary, he was pursuing a personal vendetta. His wrongful conduct was not so closely connected with acts which he was authorised to do that it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment.

Comment

This decision will provide welcome confirmation for employers that they will not always be liable for data breaches committed by rogue employees. It similarly provides helpful clarification for practitioners on the way in which the judgment in Mohamud should be applied in future cases concerning vicarious liability.

The facts in this case were extreme. It seems that Morrisons were wholly unaware of the grudge held by Mr Skelton. Mr Skelton also took extraordinary actions to cover up what he had done and even to frame another employee.

Unanswered questions

Had Morrisons been found vicariously liable for Mr Skelton’s actions, the employees who made the claims would have had to prove that they suffered ‘distress, anxiety, upset and damage’ by the mishandling of their personal information. A Supreme Court ruling on the issue would have provided a helpful benchmark to those wanting to understand more about how our courts quantify compensation for data breaches.

Moving forward

Employers should take away from the judgment that although this case was decided under the previous data protection regime, the DPA 1998 and the GDPR are based on broadly similar principles. Therefore the GDPR and Data Protection Act 2018 (DPA 2018) will not be a barrier to vicarious liability actions in data privacy proceedings commenced under the current regime.

Additionally, the GDPR makes compliance far more onerous for controllers and exposes them to huge revenue-based fines and data subject compensation claims for breaches of the GDPR and DPA 2018. Such breaches include failing to safeguard data to statutory standards and neglecting to have governance in place to curb the malicious acts of rogue employees.

The success of Morrisons in bringing to an end the threat under this case of being subject to a group action for compensation follows Google LLC being granted freedom to appeal against the Court of Appeal's order in Lloyd v Google LLC [2019] EWCA Civ 1599 and is another significant development in the progress of representative class actions in the UK legal system.

If you have any questions on data protection law or on any of the issues raised in this article please get in touch with one of our data protection lawyers.


Web Scraping – Legal Issues

Web scraping (or data scraping) is more prevalent than you think. It is estimated that more than 50% of all website visits are for data scraping purposes. This is why users are often asked to go through a series of tests to prove they are not an unwanted bot. There are plenty of new businesses with large datasets or web scraping capabilities which look attractive to investors given the nature of online marketing and the appeal of tools which offer businesses new innovative ways to collect and process data. Being aware of the legal issues is of paramount importance before becoming involved with, or setting up, such businesses. This involves being aware of licences to datasets and possible infringements of database and intellectual property rights.

What is web scraping?

Web scraping is the process of using software to automatically harvest, or scrape, publicly available data from online sources. It has many purposes including recruitment, sentiment analysis, assessing credit risk, identifying trends, marketing and sales. It is also something permitted to certain extents under bespoke licences. In the public sector datasets often operate under the Open Government Licence (OGL), inspired and re-highlighted by an EU directive, the INSPIRE directive (2007/2), which required public authorities to make spatial information datasets publicly available.

In the news

Elections in Brazil have provided an example of how marketing companies could potentially abuse web scraping software. It was alleged that political parties used software to gather phone numbers from Facebook which were then used to create WhatsApp groups and spread fake news. Brazil’s electoral court is to investigate whether this undermined the legitimacy of the elections.

In the UK, the investigation of Cambridge Analytica and Facebook by the Information Commissioner’s Office (ICO) has put data scraping under public scrutiny. Facebook were fined a maximum £500,000 for two breaches of the Data Protection Act (UK) 1998 for not adequately safeguarding users’ personal data. When reflecting on the investigation, Elizabeth Denham, the UK Information Commissioner, called for an “ethical pause” to allow Government, Parliament, regulators, political parties, online platforms and the public to reflect on their responsibilities in the era of big data before there is greater expansion in the use of new technologies.

Businesses should therefore consider what the legal implications may be if they intend to scrape data. If operating under a licence to scrape data, a business should understand the scope of such licence and, if personal data is involved, whether the activity complies with data protection laws. If no licence exists then scraping data may infringe copyright and database rights. If the website you wish to scrape has an acceptable use policy or other similar terms and conditions attached to it, the chances are that any scraping activity will breach that policy or conditions.

A recent case in the UK has explored the extent of licences and database rights when applied to web scraping.

77m Ltd v Ordnance Survey Ltd [2019] EWHC 3007 (Ch)

The High Court found a geospatial address dataset creator liable for database right infringement and in breach of a number of licences.

The claimant, 77m, created a dataset called Matrix of the geospatial co-ordinates of all residential and non-residential addresses in Great Britain, for which it wished to sell access. It had created Matrix by combining large amounts of data from various datasets. The data at issue derived from the defendant, Ordnance Survey (OS). 77m did not contract with OS but with Her Majesty's Land Registry (HMLR) and Registers of Scotland (RoS). It also accessed data including addresses and geospatial co-ordinates made public by Lichfield District Council (LDC) under the Open Government Licence (OGL) (Lichfield data). HMLR, RoS and LDC licensed the relevant data from OS.

Before looking at database rights, the court had to decide whether 77m had acted within the terms of the licences; if they did, then 77m’s activities in relation to OS’s datasets would be shielded from a database right infringement claim; if they did not, then 77m would remain exposed to the infringement claim.

77m had extracted data under the terms of a number of licences. It was found that in many instances 77m had gone beyond the behaviour permitted by the licences. Under the OGL, the court deemed lawful the use of publicly available data to create software which was not then sold or included in the software itself. In most instances, however, 77m’s use of the data to specify geospatial co-ordinates was in breach of the licences.

The court then went on to see whether 77m’s activity infringed database rights. Firstly it was critical to assess whether or not the database in question was subject to such rights. The Database Directive (EU), implemented in the UK in 1997, states that protection shall be granted to the maker of a database who shows that there has been qualitatively and/or quantitatively a substantial investment in either the obtaining, verification or presentation of the contents. The court ruled that Ordnance Survey clearly had made such an investment when putting the database together. The High Court judge, Mr Justice Birss, specifically pointed to the investment that went into verifying new addresses as they came into Ordnance Survey’s database which in recent years had an operating expenditure of £6 million per annum.

The way in which 77m used the database was then put into question. The important distinction here is between extraction and consultation of the data within the database, where extraction would be an infringement of database rights. Some muddled case law coming from the ECJ made the question laborious. Put simply, consultation has been defined as being limited to a person merely reading data on a screen, where the only possible other medium to which the data was transferred was the person’s brain, whereas extraction would be transferring data to a medium other than the person’s brain, such as downloading the data onto your own computer.

Therefore 77m’s use of data on such a vast scale and for commercial purposes was always going to amount to an extraction and thus an infringement. The court made clear, however, that in some instances data could be consulted for a commercial purpose. But a user who took all or part of a database’s contents and transferred them to another medium so that they could use them, appropriated to themselves a substantial part of the investment that went into creating the database and was therefore clearly in breach of database rights. Database rights are not only about protecting the data but also about the work that went into compiling the data and synthesising it.

This case highlights the need to be aware of the licences a company has in place to use data, the scope of such licensing and, if there is no licence or the licence has been breached, whether database rights could protect the database owner.

Web scraping things to consider

Below is a list of things to consider before you scrape data or before you buy a business that has been scraping data:

  • Check the scope of the licences to scrape data, and to store and use that data.
  • If there is no licence in place then a business should consider whether the scraped data is subject to copyright and/or database rights.
  • If no licence exists you could then also check the website’s acceptable use policy and/or terms and conditions. If they explicitly forbid scraping or contain other content restrictions this may enable the website owner to sue under breach of contract. Although there is no clear precedent on whether website terms and conditions form binding contracts in the UK, it is worth assuming they could be. The Irish High Court recently ruled that such terms and conditions could form a binding contract. Even if there is no acceptable use policy and/or terms and conditions, it should be noted that such a website may still be subject to copyright and/or database rights.
  • Check whether the target business you want to purchase uses a third party to scrape or store data and, if so, their contractual arrangements.
  • Legal positions differ by country, even between European countries. This is important to be aware of especially when storing data from one nation and making it available to another.
  • Check if personal data is involved and therefore if GDPR / Data Protection Act 2018 / other data protection laws are applicable.

The US perspective on Web Scraping

A recent case involved LinkedIn and HiQ, a small data analytics company that used automated bots to scrape information from public LinkedIn profiles. The Ninth Circuit Court of Appeals ruled in favour of HiQ, implying that data scraping of publicly available information from social media websites is permitted. LinkedIn have expressed intent to escalate the case to the Supreme Court and therefore the law may still be amended.

In the US, similarly to the UK, data scrapers may find themselves on the receiving end of legal action under the following regimes:

  • Intellectual property: Scraping data from websites may infringe intellectual property rights. In 2013 a Federal Court ruled that a software as a service company, Meltwater U.S. Holdings, which offered subscribers access to scraped information about news articles had been acting illegally. Such companies are often referred to as ‘news aggregators’. The news provider, whose data had been scraped, sold licences to many companies and without one, when copying 0.4% to 60% of each article, Meltwater was deemed to have had a ‘substantial’ negative effect upon the potential market or the value of the copyrighted work. Therefore getting a licence before scraping data in the US is advised. As mentioned above in the LinkedIn v. HiQ case, though, it may still be possible to scrape publicly available information from social media sites without a licence.
  • Contract: In the US, if a website user is bound by the website’s terms of service and causes damage by breaching those terms, the user may be liable for breach of contract.
  • The Computer Fraud and Abuse Act: This provides a civil cause of action against anyone who accesses a computer without authorisation, as well as providing for criminal offences. Although courts have come to differing conclusions, it has generally been ruled that if a scraper uses technical steps, i.e. specialised and complex methods, to circumvent protections to data on websites then the scraper can become liable under the act.
  • Data protection: The US does not currently have comprehensive data privacy legislation at the federal level. On the state level there are plenty of statutes that mandate certain privacy-related rights, but most do not broadly regulate the collection and use of personal data. This is not always the case. California recently passed a state law which regulates data privacy. Coming into effect in 2020, it requires certain companies collecting personal data to disclose how such data will be used and allow consumers to opt-out of data collection. Data scrapers who collect such personal data in California could therefore be found liable when not disclosing the use of such data and allowing an opt-out option.

Final Thoughts

Most businesses aren’t in the business of web scraping - most business owners or directors aren’t even aware of what web scraping is. However, it’s something to be aware of. Maybe with this awareness you now want to make sure that your website has an acceptable use policy or other security measures in place. If you buy data you should think about how that data was collected. If you are buying a business you should include checks in your due diligence and appropriate warranties in the share purchase agreement to protect yourself from buying a business that collected data unlawfully.

If you have any questions on the points raised above please contact one of our technology lawyers.


Cloud Services Legal Issues

Cloud services are on the rise – they are highly relevant now and they are the future. In this article we provide a brief overview of some of the legal and commercial issues to consider when using cloud services and dealing with cloud services contracts.

What are cloud services?

Cloud services describe the delivery of technology services via the internet. Cloud users either do not need to purchase or install software at all or, if they do, then only on a small scale using software that is standardised. Cloud users do not have to run their own applications and provide the computing power from their own data centres, benefitting from massive economies of scale and dramatically lowering the cost of IT service provision.

Cloud services on the rise

The UK has seen a rapid adoption of cloud computing in business with Software as a Service the preferred deployment model. Cutting costs and providing mobile working solutions for staff is the main impetus for such innovation. The flexibility and scalability of cloud computing means organisations are happy to trade-off some of the control that exists in traditional services.

The rapid take up of cloud services is not limited to the private sector. The fourth iteration of the pan-government G-Cloud Framework has just been awarded to a wide array of large and small cloud operators.

The nature of cloud service provision means that a number of well-established IT concepts need to be reconsidered and will continue to need consideration as technology is refined. Furthermore, there is increasing regulation of cloud services through a wide variety of legislative provisions that do not specifically relate to cloud service provision but have a considerable impact on cloud service provision.

How cloud service providers operate

Cloud service arrangements are generally paid for on a service basis, which means that the upfront charges for customers and regular upgrade fees associated with more traditional software licensing are avoided.

Some cloud service providers may seek to levy start-up fees or upfront subscription charges to mitigate their own commercial exposure, for example, for any third-party software licensing charges. The most common approach now is a committed term of 1 to 3 years when signing up to an enterprise SaaS service – as suppliers want to be able to recognise revenue in their accounts.

Intellectual property issues

Licensing:

Although cloud services contracts relate to the provision of services rather than to the supply of software to customers, particularly in SaaS arrangements, appropriate software licences still need to be granted to the customer. Where users have online use of software, without a licence this would amount to copyright infringement. The licences are usually very narrowly defined and limited to use of the online application for their own business purposes. Customers have no right to make copies of or modifications or enhancements to the software and they cannot sub-license to third parties.

The cloud services provider will not always own the intellectual property rights in the software that is the subject of the cloud provision service. Where this is the case the cloud services provider will need to arrange for the right to sub-license the software to its customers, or for a direct licence to be entered into between the customers and the relevant third-party licensors. For purposes of contractual simplicity, it is preferable (and most common) for the cloud service provider to sub-license the customer’s use of the third-party software.

Content and Data licensing:

The extent to which cloud services providers can make use of the data that is stored within their systems by their customers has become an important issue as a result of the significant marketplace developments in data analytics, including the use of artificial intelligence. Until data analytics became a mainstream business activity, cloud providers tended to regard their customers’ data storage requirements as being a necessary business overhead as part of the overall cloud arrangement. With data analytics, customer data has become a valuable resource which can be used to provide the basis for value added data analytics derived services.

In the early days of cloud services provision, many standard terms and conditions offered by cloud service providers in the consumer market included a broad licence from the customer to the service provider allowing them to use any content stored on its servers. These licences are often expressed as being perpetual and irrevocable. The uses which the service provider could make of the content were usually limited but there were often rights to pass the content to third parties and to use it for marketing purposes. Even in the consumer marketplace, there is now considerably more general awareness of data issues, particularly following the Facebook/Cambridge Analytica scandal. In July 2019, the US Federal Trade Commission voted to approve fining Facebook around $5 billion to finally settle the investigation of these issues.

As a result, customers receiving cloud services should carefully consider the licensing provisions that relate to the suppliers’ use of the data that they store as a result of providing the services, particularly in relation to use of personal data, treatment of intellectual property rights and confidentiality. Customers should take particular care in identifying any rights they are agreeing to provide to the service provider. Licences may be implied by necessity or business efficacy, however a better and more certain approach is to have an express licence in place that is broad in scope and covers the full range of likely activities.

Jurisdiction and governing law

It is common for cloud services providers and their customers to be located in different jurisdictions. Where this is the case, two separate issues need to be considered: applicable law and jurisdiction. In each case, the cloud contract may stipulate choice of law and jurisdiction. However, there may also be separate and different rules on applicable law and jurisdiction that apply irrespective of provisions in the contract: data protection is a good example of this, where the GDPR has its own free standing rules.

Which law governs the contract

Usually the contract will state the laws that apply. If it doesn’t then this can be problematic, especially when cloud services are involved. Why? If, for example, the parties to the contract are based within the EU then in a B2B context it will generally be the laws of the place where the cloud services provider bases its servers that will apply. The position is more complex where service data is stored on multiple servers in different jurisdictions.

It is important therefore to ensure that cloud services contracts include a choice of law (and jurisdiction) clause.

Data Protection

When organisations process personal data they do so either as a “data controller” or a “data processor”. Each has different legal obligations when protecting personal data.

The data controller is the organisation that determines the purposes and means of the processing of personal data and is responsible for compliance with data protection law. In cloud services, the UK’s data protection regulator, the ICO, usually views the customer as the data controller, although when the supplier has a large amount of control over the processing of personal data they may be considered a joint data controller.

The data processor is the entity who processes data on behalf of a data controller. The ICO will regard the cloud services provider as a data processor in most cloud services arrangements.

Most obligations around data protection law fall on the data controller and therefore, usually, on the customer of a cloud services provider. A customer should therefore only allow a cloud services provider to process data on its behalf if the provider has appropriate organisational and technical measures in place. Special care must also be taken if international data transfers take place in connection with the processing of the customer’s data.

Checklist for cloud services contracts (buyer perspective)

Before signing on the dotted line you should consider:

  • Data storage: where will your data be stored, how is it stored, who has access to it and what security measures are in place.
  • Warranties and indemnities: consider what disclaimers are contained in the agreement and whether appropriate indemnities have been given for loss of data.
  • Check for hidden costs: monthly service costs may be low for a reason.
  • How will disputes be dealt with: what law applies and where will disputes be heard?
  • Data recovery: what will happen to your data at the end of the contract?

Checklist for cloud services contracts (supplier perspective)

Make sure that you have considered the following:

  • Intellectual Property Rights: although supplying software as a service is more protective of IPRs you should still make sure that your IP rights are covered.
  • Limitations and exclusions of liability: it’s standard practice to exclude liability for certain losses and to have an overall cap on liability.
  • Will you provide support commitments / service availability guarantees? Your business customers may well insist on these.
  • If you offer a subscription per person what happens if unauthorised individuals access the service? Consider including audit rights.
  • What should happen with the customer’s data at the end of the contract – you probably want the right to delete it after a certain time.
  • Choice of law and jurisdiction.

Cloud services – a multifaceted and evolving area of law

Contracts for the provision of cloud services and the legal issues being thrown up by the uptake in cloud services technology are evolving all the time. If you need help with cloud services contracts or any technology legal issues then please get in touch with us.


COVID-19 Data Protection Issues

COVID-19 data protection issues have left many businesses scrambling to keep on top of their compliance functions. Other businesses are largely ignoring data protection rules – which are you?!

Although not always at the front of minds in a crisis, data protection laws are there to be followed. COVID-19 is putting data protection rules to the test as new information about individuals is collected in response to the pandemic. This often includes whether individual members of staff are displaying symptoms of the virus, the health status of staff and related individuals within the same household, the results of COVID-19 testing and the various locations individuals have visited since the start of the outbreak.

This new information collected constitutes “personal data” and sometimes falls within “special categories of personal data”, as provided for under Article 9 of the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable data protection laws.

Regulators’ Response

Data protection regulators across the EU have issued statements and guidance referring to the effect of COVID-19 on data protection.

The European Data Protection Board (EDPB) has stated that data protection laws in the EU do not, and should not, hinder the response to COVID-19. Therefore organisations subject to such regulation should remain compliant with their obligations under GDPR. The EDPB has commented that the COVID-19 emergency is a “legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period”. Whether this means governments have the right to police data protection compliance more or less strictly is unclear.

In the UK the Information Commissioner’s Office (ICO) has published guidance in the context of COVID-19 data protection. The ICO’s approach is sympathetic to the challenges faced by organisations:

“We understand that resources, whether they are finance or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period”.

The ICO then goes on to mention that this does not extend as far as allowing infringement of statutory timescales but that they will endeavour to communicate to individuals bringing information rights requests that understandable delays may ensue.

The guidance should not be interpreted as a blank cheque by organisations to bend the rules relating to data protection compliance. It is only guidance and may not stand up in court. Additionally, the ICO does not grant any express relaxation of the rules. It has also stated, in line with the EDPB, that data protection should not stop organisations from being able to respond effectively to the crisis.

“Personal Data” and/or “Special Categories of Personal Data”

Information such as whether personnel have self-isolated, body temperature of personnel, visitors to premises and device location data will all be considered personal data. Where information also relates to the individual’s health, it would also fall within the sub-category of “special categories of personal data” – more on this below.

Legal Basis for Processing Personal Data

When processing COVID-19 personal data (that isn’t “special category data”) organisations may rely on the following legal bases:

Legitimate interests: for the purpose of the organisation’s legitimate interests in managing business continuity and the well-being of its staff.

Contractual necessity: necessary for an organisation’s performance of its obligations to its staff e.g. employees under their employment contract. Relevant obligations include ensuring the health, safety and well-being of employees.

Legal obligation: organisations have legal obligations relating to health and safety.

Legal Basis for Processing Special Categories of Personal Data

It is likely that when responding to the COVID-19 crisis organisations will collect special category data. This is because special category data, within the context of health, is defined as:

“personal data related to the physical or mental health of a natural person, including the provision of health care services which reveal information about his or her health status”.

This includes information on injury, disease, diagnosis, medical history, medical examination data, registration details with health service, appointment details and/or a number, symbol or other identifier assigned to an individual to uniquely identify them for health purposes.

Organisations can only process special category data on one or more of the following grounds:

Employment, social security and social protection obligations: certain obligations under employment, social security and social protection law may allow the processing of special category data. You need to be able to identify the legal obligation or right in question, either by reference to the specific legal provision or else by pointing to an appropriate source of advice or guidance that sets it out clearly. You can refer to a government website or to industry guidance that explains generally applicable employment obligations or rights. In this instance it would be sufficient to refer to the Health and Safety at Work (UK) etc. Act 1974 which states:

“it shall be the duty of every employer to ensure, so far as is reasonably practicable, the health, safety and welfare at work of all his/her employees”.

For example, an employer will want to know whether, in light of COVID-19, an individual member of staff is a health risk in order to ensure the health, safety and welfare of that staff member and the other employees. This is likely to include collecting special category health data from a number of individuals. The employer can rely on employment, social security and social protection obligations to do this processing.

On the other hand, if the employer were to collect unnecessary data such as medical information beyond the scope of that required to diagnose COVID-19 within government guidance, or if the employer disclosed the names of people diagnosed when it was unnecessary to disclose such information then these actions would amount to infringements of data protection law.

Preventative or occupational medicine: occupational medicine is a specialist branch of medicine that focuses on the physical and mental wellbeing of employees in the workplace. Under GDPR the processing of special category data is permitted for the purposes of preventative or occupational medicine, the assessment of an employee’s working capacity, medical diagnosis and/or the provision of health care or treatment.

Section 11 of the Data Protection Act (UK) 2018 states that in the UK organisations can only rely on this condition if the information is being processed by a health professional or a social work professional or another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law. Therefore, this condition only applies where an organisation has appointed medical or social advisors who are professionals.

So, an organisation can be justified in processing special category data relating to COVID-19 on the advice of its medical advisors but only when able to show that the processing of this specific data is necessary. It must be a reasonable and proportionate way of achieving one of these purposes, and the organisation must not collect more data than it needs.

Public interest in the area of public health: on the advice of public medical advisors it may be possible to process special category data. This condition is only applicable where the processing is by, or under the responsibility of, a health professional or by someone else who in the circumstances owes a legal duty of confidentiality. For example, an organisation is contacted by health professionals who are trying to collect special category data in relation to the COVID-19 crisis to enable statistical analysis of the disease. On the advice of such public medical advisors, an organisation may rely upon the public interest in the area of public health condition when processing special category data for this purpose.

Consent is another legal basis for processing personal data. When collecting data as an organisation about individuals it is better not to rely upon consent because there is a risk of it not being freely given. This is based upon the general view that an inherent imbalance of power exists between individuals and organisations, in favour of organisations. Consent can also be withdrawn at any time.

Proportionate Collection/Processing of Personal Data for Purpose

An important aspect of GDPR compliance is that organisations only collect as much personal data as is strictly necessary for the purposes being pursued.

Within the context of COVID-19 this includes not naming an individual who is a health risk to other individuals or any other sensitive information about that individual in an organisation when it is not strictly necessary. Another example may be when enquiring about those experiencing symptoms within an individual’s household. In this instance it is unlikely that any more information than a simple ‘yes’ or ‘no’ answer would be required.

In addition, organisations should ensure that the personal data that they collect is stored only for as long as necessary.

COVID-19 Data Protection Q&A

Can you tell staff that a colleague may have potentially contracted COVID-19?

Yes. You should keep staff informed about cases in your organisation. But don’t provide any more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection rules do not prevent you doing this.

Can you collect health data in relation to COVID-19 about employees or from visitors to your organisation? What about health information ahead of a conference, or an event?

You have an obligation to protect your employees’ health and therefore it is reasonable to ask people, be that employees or visitors to your organisation, to tell you if they are experiencing COVID-19 symptoms and hence collect special category data about them. Don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards and discarded as soon as it becomes obsolete.

For example, the best thing to ask would be a simple yes or no question as to whether an employee or visitor is experiencing COVID-19 symptoms or if anybody in their household is. Gaining any medical information unrelated to COVID-19 or their ability to visit your organisation would be deemed unnecessary.

You could also ask visitors to consider government advice before they decide to come. And you could advise staff to call 111 if they are experiencing symptoms. This approach should help you to minimise the information you need to collect.

Homeworking

Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances. This includes the potential need to specifically train homeworkers on their obligations and those of the employer in relation to data protection and confidentiality, concerning the procedures which they must follow, and what is, and is not, an authorised use of data.

Should Organisations Consider Undertaking a Data Protection Impact Assessment (DPIA)?

GDPR requires organisations to undertake a mandatory DPIA:

  • if their processing is likely to result in high risk to the rights and freedoms of individuals – this should involve considerations of the likelihood and severity of potential harm. Article 35(3) of the GDPR provides the following examples of when a processing operation is "likely to result in high risks":
      • A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
      • Processing on a large scale of special category data, or of personal data relating to criminal convictions and offences.
      • A systematic monitoring of a publicly accessible area on a large scale.
  • (relevant data to COVID-19) when processing biometric data, genetic data and/or tracking data:
      • The GDPR defines biometric data in Article 4(14) as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of a person, such as facial images or dactyloscopic data.” A fingerprint would be an example.
      • The GDPR defines genetic data in Article 4(13) as “personal data relating to the inherited or acquired genetic characteristics of a natural person”. A genetic profile of an individual would be an example.
      • Tracking data – an example would be if an organisation uses device location data when assessing the geographical implications of COVID-19.

If an organisation has already started to undertake such processing activities or process this kind of data without undertaking a DPIA then they should perform one as soon as possible.

In the context of COVID-19 a DPIA will be necessary if an organisation has processed data in this way or of this nature in response to the pandemic. It is also helpful to know the context in which an organisation would be expected to perform a DPIA so that they can avoid it. Another example might be an organisation that becomes involved in the large-scale processing of data in response to the crisis. Such an organisation should be prepared to undergo a DPIA if the nature of this new processing requires it.

Undertaking a DPIA, mandatorily or not, can still be useful for organisations in order to understand potential risks within their data controlling/processing activities.

If you need any help with COVID-19 data protection issues or on any other aspects of data protection law please get in touch with one of our data protection lawyers.


Office Lease Lawyers London

The Office Lease - Risks And Opportunities

When negotiating an office lease, the tenant may be dealing with the property industry for the first time. It is then tempting to focus only on the rent and assume everything else is a relatively minor issue. That would be a mistake.

Three Points To Be Aware Of

  1. The office lease does not have to be fair.
  2. Risks in the property industry involve relatively large numbers.
  3. Certain words and phrases in an office lease may appear to have one meaning but actually have a very different meaning in court.

Three examples:

  • If a repairing obligation includes the words “put and keep” then the tenant may find itself upgrading the whole premises despite only having, say, a 3 year office lease. To add insult to injury, the tenant may only realise what it’s got itself into after the lease ends, meaning it would not even be able to use the property in its renovated state.
  • The extent of the “premises” being rented may seem to be a matter of common sense but it may or may not include the windows, doors, non-structural walls, structural walls, pipes and cables and the roof! The extent of the premises simply depends on what the office lease happens to state but it will be up to the tenant to repair and insure the whole of the premises. That may sometimes not be a problem but beware that the building may only look like it is in a good condition: be sure not to have liability for hidden defects, to find out about any incidents in the insurance history of the building and to confirm that the building is fully insured (i.e. for its full reconstruction value).
  • In a modern office building, a relatively small and brief fire in the kitchen of a small office premises can easily cause damage that results in £100,000 of costs to the landlord and the other tenants in the building.

Is Your Landlord Solvent?

Many mistakes made by tenants actually come down to a belief that the landlord, as it owns a commercial property, is relatively wealthy. This is frequently not true. Although the landlord may be part of a corporate group which is wealthy, the landlord company itself may have bank financing and internal company loans which exceed the value of the building and thus is simply supported from one year to the next by its parent company. Such arrangements are not uncommon and tenants should therefore take the extra time to think carefully and ensure they remain protected even in the event of the landlord’s insolvency.

An office lease is a very flexible document which manages many risks (each of which may be larger than the annual rent) in a business relationship that will usually continue for many years. An office lease can easily lead to the financial ruin of either the landlord or the tenant but if handled properly, these risks can be managed in a way that allows both parties to safeguard their businesses and grow. How the risks are managed must also reflect the financial, organisational and technical ability of each party to cope with it on a long term basis.

Office Lease Flexibility

An office lease should also reflect the potential for a tenant’s business priorities to change over time. This is true for start-ups as well as more established businesses. Consider:

  • Many businesses adopt strategies which reflect the prevailing attitudes of investment analysts, who sometimes like focused businesses and sometimes instead prefer businesses with a spread of activities and hence risk. As tenants may buy or sell subsidiaries, open new divisions of their business or themselves become take-over targets, it is important that the office lease remains flexible enough for a tenant to change its business strategy.
  • For start-ups, the future is quite unpredictable, so it would often be helpful to adapt the office lease so that at least the cost of the lease is predictable. For example, larger landlords may agree to having a fixed service charge and rent to be paid monthly in advance instead of the standard 3 months in advance. As a further example of a common problem, will the landlord carry out an (expensive) inspection of the premises months after the tenant has vacated and then invoice it all to the tenant?
  • Does the office lease ensure that at the end of the lease, the tenant can choose to take a new office lease and remain in the premises or would there be a lengthy discussion about the new rent level and open competition from any new potential tenants? For a tenant, that prospect may not only be worrisome from a financial perspective but also the time perspective - the process of carefully selecting new premises and moving into them is very time consuming. A lease can manage this in many ways.
  • If there is further space available in the building, would it be prudent for the tenant to reserve that space for 6 – 12 months?
  • Might the tenant need specialised telecom and data cabling installed in the building? That might be expensive, slow and even forbidden if the office is in a listed building or if, as so often happens in London, the landlord also needs consent from one or more superior landlords. Such issues can be addressed in the lease at the outset, to avoid expensive problems in the future.
  • Does the landlord facilitate contact between the tenants? This does not take much effort for a landlord but clearly, is better discussed at the outset if it might be important. A simple gathering of the tenants twice a year could facilitate new business relationships or a strategy to green the building. Those are both items which can be simple and cheap but are quite impossible if the tenants do not talk and that is hard to achieve if the landlord does not facilitate it.
  • Does the landlord plan to provide a service or will the landlord be very difficult even to contact? The office lease can also establish the right communication channels between landlord and tenant and that can make all the difference in any business relationship.

Use An Expert

It is therefore important, especially for tenants who may be dealing with the property industry for the first time, to choose advisers who have a deep experience of the entire property industry and can therefore efficiently solve problems on time and budget and who can provide support for the entire lifecycle of the office lease: the initial heads of terms, the lease itself, fit-outs and refurbishments to the property (by either or both the landlord or the tenant), expanding, insolvency, renewing the lease or preparing the exit (well in advance). Contact Neil Williamson or call us on 0203 637 6374 if you would like to enquire about any aspect of an office lease.


COVID-19 force majeure

COVID-19 Force Majeure and Frustration

COVID-19 has sent shockwaves throughout the business world. For some businesses the impact has been severe and they will find it difficult or impossible to perform contracts entered into before the onset of the pandemic.

In this blog we provide an overview of how businesses may be able to rely on force majeure or the doctrine of “frustration” so as to avoid liability for failing to perform their obligations as a result of COVID-19.

Contractual Position

If you are working under a contract governed by English law the starting position is that you must perform that contract. So, even if you are affected by COVID-19 you must still perform that contract and if you fail to do so you will be liable. There are two key exceptions to this rule: the operation of any force majeure clause in your contract and the common law concept of frustration.

COVID-19 Force Majeure

Unlike in other jurisdictions, English common law or statute does not recognise force majeure. So if your contract does not contain a force majeure clause you cannot use force majeure as a means to avoid liability for non-performance.

If your contract does contain a force majeure clause then you will need to check it to see how it deals specifically with each party’s rights and obligations. Key factors to consider are set out below.

Is COVID-19 covered?

Assuming COVID-19 is not specifically covered as a force majeure event, check if it is the type of event that would fall under general force majeure wording (e.g. pandemic or similar wording), or whether there has been a government decision or administrative action preventing performance that meets the political interference language which is commonly included in definitions of force majeure.

Should the party that wishes to claim force majeure have guarded against COVID-19?

Check if the contract excludes events that could have reasonably been provided against, avoided or overcome. In the COVID-19 context, the current pandemic is not likely to be foreseeable. On the other hand, parties who elected to enter contracts with reasonable knowledge of the virus’s potential consequences, such as in January of 2020 when the virus began to attract attention in China, may have a more difficult foreseeability argument.

Is COVID-19 the true reason for not being able to perform the contract?

The party that is seeking to rely on force majeure must usually establish that the force majeure event has prevented or hindered it from performance of the contract. This is mostly a factual question but, again, will also turn on the exact wording of the clause. For example, some force majeure provisions require performance to have been rendered impossible, so the burden on, for example, a contractor to show that it could not have sourced staff, equipment or materials from elsewhere will be high. Generally, force majeure clauses are not so generous as to offer relief where services or goods will simply be more expensive to perform or obtain.

Mitigation

The party that is claiming force majeure relief is usually under a duty to show that it has taken reasonable steps to mitigate or avoid the effects of the force majeure event. Check whether being able to rely on force majeure is conditional upon you mitigating the effects of COVID-19.

Notice requirements

Parties will wish to ascertain whether prompt notification is a contractual condition precedent to relief. In that situation, a failure to notify in the prescribed manner will result in a party being unable to rely on the provision. In other cases, a failure to notify will not prevent a party from relying on a force majeure provision and the only consequence will be a potential damages claim (if the other party has suffered a loss). The courts have not always taken a consistent approach to the interpretation of notice provisions, and clearly the safest course of action is to ensure strict compliance with any notice provisions in the prescribed manner and as soon as possible.

What are the consequences of establishing COVID-19 force majeure?

In most contracts, establishing force majeure will lead to relief from performance, thereby avoiding the risk of a default termination, and an extension of time to target dates. Commonly, parties bear their own costs arising from any force majeure delay but there are exceptions where compensation may be payable after a certain duration or certain costs are payable from one party to another. Extended periods of force majeure can lead to a right for one or more parties to terminate the contract. If the parties do not wish this to happen, it is important to engage in discussions sooner rather than close to the deadline. It may be preferable for these to be held on a without prejudice basis.

COVID-19 Frustration

In the absence of a force majeure clause, a party to a contract may be able to rely on “frustration”. Frustration is a common law right that allows a party to be discharged from its contractual obligations if a change of circumstances makes it physically or commercially impossible to perform the contract or would render performance radically different from that agreed to when the parties entered into the contract. This test may be satisfied if the commercial purpose of the contract is no longer achievable. Delay caused by COVID-19 could in principle be a frustrating event, depending on the nature of the contract in question and the length of the delay.

The focus will be on the parties’ specific contractual obligations and whether they have ‘radically changed’ as a result of the spread of COVID-19 to the extent that requiring a party to comply with its strict contractual obligations would mean requiring it to do something fundamentally different from that which it originally promised to do. In other words, it will be important to identify the consequences of the pandemic on the parties’ ability to perform the specific contract in question. It is unlikely to be sufficient that circumstances have changed in society generally or that performance of the contract has become more onerous or expensive or even uneconomic.

Consequences of frustration

Frustration discharges a contract meaning that all current and prospective rights and obligations are cancelled. All sums paid by a contracting party before the frustrating event will be repayable, subject to the court’s discretion (broadly) to give credit for expenses incurred or benefits provided by the other contracting party.

If you have any questions or need help with any COVID-19 force majeure or frustration issues please contact Neil Williamson or call us on 0203 637 6374.


Furlough EM Law

COVID-19 Furlough Job Retention Scheme

In this blog we explain what furlough leave is and how the Job Retention Scheme introduced by the Government as a result of COVID-19 can help employers and employees.

Please bear in mind the situation is fluid and if you would like advice around furlough leave or any other aspects of the COVID-19 Job Retention Scheme please contact one of our employment lawyers.

Background

As a result of the economic impact of the COVID-19 pandemic, the Government has introduced the Coronavirus Job Retention Scheme. The scheme is intended to avoid redundancies by alleviating the pressure on employers to continue paying wages in full during the crisis period.

The scheme enables an employer and employee to agree to the employee being put on furlough leave i.e. a period of leave during which the employee is not required to work. The employer can then recover a proportion of the employee’s salary from HMRC. The level of reimbursement allowed will be the lower of 80% of wage costs or £2,500 per calendar month.

Once it is up and running the scheme will be backdated to 1 March 2020. The scheme will be open for three months and then extended if necessary. The Government expects the scheme to go live by the end of April 2020.

Which staff are included in the Job Retention Scheme?

Employees

The following individuals are covered by the scheme provided they were on the employer’s payroll on 28 February 2020:

  • Full-time employees.
  • Part-time employees.
  • Employees on agency contracts.
  • Employees on flexible or zero-hour contracts.

Employees who were made redundant since 28 February 2020 can qualify if they are re-engaged by their former employer.

Self-employed

The self-employed are not covered but a scheme is being set up to provide them with similar rights.

Does the employee have to be at risk of redundancy to be covered by the scheme?

The precise circumstances in which an employer can put employees on furlough leave remain unclear but it seems that the scheme is intended to cover employers who, without the scheme, would need to drastically cut their payroll as a result of the crisis, either through lay-off or redundancy. We will need to hear more from the Government about what evidence HMRC may require but we believe it is unlikely that employers will need to provide anything substantial to back up their claims. However, the Government has stated that it will retain the right to retrospectively audit all aspects of the scheme with scope to claw back fraudulent or erroneous claims.

Can you put employees on long-term sick leave on furlough leave?

Government guidance suggests that employees who are on sick leave or self-isolating should receive statutory sick pay (SSP) but can be furloughed once they have recovered or are no longer self-isolating.

It seems likely therefore that employees who are on long-term sick leave and have exhausted SSP will not qualify for furlough leave until they are fit for work.

Where an employer is selecting which employees to designate as furloughed, they must be mindful of the risk of discrimination if selection is linked to a protected characteristic such as disability.

Implementing furlough leave

What steps must employers take?

Government guidance states that employers should discuss the proposal with staff and make changes to the employment contract by agreement. It is a condition of eligibility for reimbursement that furlough leave is confirmed to the employee in writing.

Employers will need to:

  • Decide which employees to designate as furloughed employees.
  • Notify furloughed employees of the intended change.
  • Consider whether to consult with employee representatives or trade unions.
  • Agree the change with the furloughed employees in the form of a “furlough agreement” (more on this below). Most employment contracts will not permit an employer to reduce an employee’s pay, provide them with no work and change their employment status, without agreement. However, faced with the alternatives, which are likely to be unpaid leave, lay-off or redundancy, the majority of affected employees are likely to agree to be placed on furlough leave.
  • Confirm the employees’ new status in writing. This is an eligibility requirement for accessing the subsidy, and a record must be kept of this correspondence.
  • Submit information to HMRC about the employees that have been furloughed and their earnings through the new online portal, expected to be operational by the end of April 2020.
  • Ensure that the employees do not carry out any further work for that employer while they are furloughed.

Furlough Agreement

It is important that the agreement between the employer and employee for the employee to be placed on furlough is carefully drafted as it will amount to a variation to the employee’s employment contract. As well as covering rights to pay during the furlough leave itself, the agreement should address other benefits such as pension rights and bonus entitlement.

Deciding which employees to put on furlough leave

An employer could initially ask for volunteers. However, in some cases an employer may receive more volunteers than it wants to furlough. The procedure an employer follows to decide which employees to furlough may depend on its current financial situation. If the employer needs to very urgently furlough employees or make them redundant in order to be able to continue to trade, a limited selection procedure carried out on an urgent basis is likely to be acceptable. However, where an employer does not have any immediate financial concerns, it is likely to be more reasonable for it to follow a more comprehensive procedure in a similar way to redundancy scoring.

It may seem unfair that some employees will be required to continue working, potentially increasing their risk of infection if they are unable to work from home, and others will be permitted to receive a substantial proportion of salary and not be required to do so. However, provided the employer has used appropriate, non-discriminatory criteria to choose who is granted furlough leave, it is possible for an employer to lawfully choose to furlough only part of the workforce.

Will employers need to collectively consult if they intend to put 20 or more employees on furlough leave?

The short answer is “yes” - the employer will have a duty to inform and consult appropriate employee representatives but this is a complex issue in these circumstances and what the employer should do depends on the employer’s position. If you are considering putting 20 or more employees on furlough leave please get in touch with us to discuss the best way forward.

Do employers have to top up the remaining 20%?

Employers are entitled to continue paying full pay during furlough leave, but they are not obliged to do so. If they do top up, they can only claim back employer national insurance contributions and minimum auto-enrolment payments up to the cap.

Withholding 20% of an employee’s salary will, however, amount to breach of contract and unlawful deduction of wages unless the employee gives their consent. It is expected that the majority of employees will consent since furlough leave is a better alternative than unpaid leave, lay-off or redundancy.

How does an employer make a claim to HMRC for reimbursement?

To claim, the employer will need to submit:

  • The employer’s PAYE reference number.
  • The number of employees being furloughed.
  • The claim period (start and end date).
  • The amount claimed.
  • The employer’s bank account number and sort code (UK bank account).
  • A contact phone number.

Employers can only submit one claim at least every three weeks, which is the minimum length an employee can be furloughed for. Claims can be backdated to 1 March 2020 if applicable.

Reimbursement will be paid via BACS payment to the nominated bank account.

The claim can only be made at the point at which the employer runs payroll or in advance of an imminent payroll because actual payroll amounts need to be submitted.

What can the employer claim back?

Employers can claim up to the lower of 80% of usual monthly wage costs or £2,500 per employee, plus the associated employer national insurance contributions and minimum auto-enrolment employer pension contributions.

Fees, commission and bonuses should not be included in the calculation.

The 80% calculation is based on the employee’s gross salary at 28 February 2020.

Auto-enrolment pension contributions and employer’s NICs can be reclaimed in addition to the cap.

The sum paid to the employee during furlough leave is subject to the income tax and national insurance in the usual way.

The reimbursement is made to offset those deductible revenue costs and should be treated as income in the business’s calculation of its taxable profits for income tax and corporation tax purposes, in accordance with normal principles.

If you have any questions or need help with any COVID-19 furlough issues please contact Rhodri Thomas, Helen Monson or Imogen Finnegan or call us on 0203 637 6374.



COVID-19 Employment Law Issues

COVID-19 has put unprecedented pressure on businesses and their staff and has raised various employment law issues. An awareness of government updates and employment law will help you weather the storm. Here are some key points although please bear in mind the situation is fluid:

Coronavirus Bill 2019-2021

On 17 March 2020, the government published details of the Coronavirus Bill 2019-2021 and set out proposed emergency legislative measures to address the outbreak.

Important employment law issues raised include:

  • Employees and workers will be able to take emergency statutory volunteer leave in blocks of two, three, or four weeks’ unpaid leave. A UK-wide compensation fund will be established to compensate for loss of earnings and expenses incurred at a flat rate for those who volunteer through an appropriate authority.
  • Changes to statutory sick pay (SSP) include: allowing it to be claimed from the first day of incapacity, which will have retrospective effect from 13 March 2020; and enabling employers with fewer than 250 employees to reclaim SSP paid in respect of the first 14 days of COVID-19-related sickness absence, which will have retrospective effect from 14 March 2020.

Statutory sick pay (SSP) and COVID-19 Employment Law

SSP is the right of all employees to receive payment from employers when they are unable to work due to illness. Many businesses offer sick pay policies in employment contracts.

In order to qualify for SSP an employee must be absent from work due to incapacity. Where an employee has not, at the point they are suspended, either been diagnosed with COVID-19 or exhibited symptoms, then it is unlikely that their absence will meet the definition of day of incapacity in the Social Security Contributions and Benefits Act 1992.

The deemed incapacity rules in the SSP regulations have been extended to explicitly include employees who are self-isolating or socially distancing following government guidance.

Is an employer entitled to send an employee home from work to self-isolate?

If the workplace and the nature of the role allow for remote working then this may provide the employer with an alternative to suspension for the purposes of self-isolation.

There may be a range of reasons that an employer may wish to send an employee home to self-isolate. The employer may be acting out of an abundance of caution, the employee may have had contact with someone who has been infected, or they may be exhibiting symptoms.

If there is an identified risk that an employee may have been exposed to COVID-19, then it is understandable that the employer may wish to send them home, in light of an employer’s duty to protect the health and safety of other employees.

From an employment law perspective, the employer should consider whether it has an express right to require the employee to stay at home. If not, the question is then whether there is an express or implied right for the employee to attend work in these circumstances. It is unlikely to be a breach of implied duties to require an employee to stay at home in these circumstances, assuming there are reasonable and non-discriminatory grounds for concern, and the matter is dealt with appropriately, proportionately and sensitively.

What pay are employees entitled to when sent home?

Where the employee is able to continue to work from home then, subject to any contractual provision to the contrary, they will continue to be entitled to their normal rate of pay.

If they are not able to do so then consideration would need to be given to the terms of the contract of employment, although most employment contracts will not provide for this type of scenario.

If an employee has been advised by government guidance to self-isolate or be socially distant then they will fall within the new deemed incapacity rules for SSP discussed above. In those circumstances it is likely that the employer could treat them as being on sick leave and pay them SSP (subject to any contractual sick pay policy).

Where an employee refuses to attend work due to fears about coronavirus, what action can the employer take and what pay are they entitled to?

If the employee can work from home, this may well resolve the issue. If not, the employer would need to consider the current public health advice, the specific reason that the employee is concerned about attending work and whether it would be discriminatory to refuse home working, take disciplinary action, or withhold pay.

If there is no discrimination angle, and the public health advice is such that the employee could reasonably be asked to attend work then it is possible that the employee could be investigated for misconduct in terms of refusal to follow a reasonable management instruction, and their unauthorised absence.

If the absence is unauthorised then the employee would likely not be entitled to pay as they are not willing to attend work.

Returning from ‘high-risk’ countries

As matters currently stand, government guidance does not advise self-isolation for those returning from countries with a high incidence of COVID-19. This means, arguably, an employer requiring an employee to self-isolate because they have returned from a high-risk country, will need to pay the employee full pay.

This does not seem to reflect the government’s intention. However, given the link between public health guidance on self-isolation and SSP it seems to represent the legal position.

Can we change our enhanced sick pay scheme to provide that only SSP is payable in the event of absence due to COVID-19?

Where the relevant employees’ sick pay entitlement is set out in their contracts, amending it will amount to a variation of contract. There are a number of ways an employer could achieve this:

Consent – employers could seek written consent of the relevant employees to the contractual change. While employees are unlikely to agree to a change in terms that is not in their favour, they may be willing to do so where their agreement may help the employer to stay in business.

Dismissal and re-engagement - where employees are unwilling to consent to a change in their contractual sick pay entitlement, an employer can consider dismissing them and offering them re-engagement on the revised terms. Even if the affected employees accept the new terms, they will be entitled to claim unfair dismissal in respect of termination and wrongful dismissal, if the employer does not give them the required notice to terminate.

Unilaterally imposing the change – employees may respond to a change that is imposed on them unilaterally in a number of ways. They may “work under protest” and bring claims for breach of contract or unlawful deductions from wages. Alternatively, they may resign and claim constructive dismissal.

Where the relevant employees’ contracts specify that their sick pay entitlement is set out in the employer’s separate sickness absence policy, which may be amended from time to time, it will be much easier for an employer to make the change. The employer should confirm the change in writing to employees and ideally ask them to provide written acknowledgment.

Lay-off and short-time working

Laying off employees means that the employer provides employees with no work (and no pay) for a period while retaining them as employees; short-time working means providing employees with less work (and less pay) for a period while retaining them as employees. These are temporary solutions to the problem of no or less work. However, if employees are laid off or put on short-time working in circumstances where the employer does not have the contractual right to do so, then the employer will be in fundamental breach of contract, entitling the employee to resign and claim constructive dismissal.

A better option is likely to be the Coronavirus Job Retention Scheme which will pay employees' salaries of up to £2,500 a calendar month as long as they are kept on the payroll.

COVID-19 Employment Law: Coronavirus Job Retention Scheme

The introduction of a new Coronavirus Job Retention Scheme (furlough leave) was announced by the government on 20 March 2020. Under the scheme, all UK employers, regardless of size or sector, can claim a grant from HMRC to cover 80% of the wages costs of employees who are not working but kept on the payroll ("furloughed"), of up to £2,500 a calendar month for each employee. Employers can choose to top up the remaining 20% if they wish.

The Government will provide access to the scheme through an online portal which is currently under development. Once the scheme goes live it will be backdated to 1 March 2020. The scheme will be in place for at least 3 months. 

It is understood that the scheme will apply in respect of all employees on PAYE, including those on zero-hours contracts.

Employers cannot require employees to be furloughed unless the employment contracts allow for this which is highly unlikely. It is therefore advisable for employers to obtain the agreement of the employees to be furloughed within a properly drafted furlough agreement. For those employees who do not agree then you are left with either imposing furlough on them (which would amount to a breach of contract) or making them redundant.

We have published a separate blog dedicated to the COVID-19 Job Retention Scheme here.

If you have any questions or need help with any COVID-19 employment law issues please contact Rhodri Thomas, Helen Monson or Imogen Finnegan or call us on 0203 637 6374.



Terminating a Contract - Tread Carefully

Terminating a contract may be the way forward especially when the other party has blatantly failed to meet its obligations. But don’t fall into the trap of thinking that terminating a contract is straightforward. Giving the correct notice and reasons for terminating a contract is a process to be carefully navigated if the adversely affected party wants to claim all possible compensation.

Examples of improper approaches to terminating a contract can be dramatic. In the case of Phones 4u Ltd v EE Ltd [2018], EE denied themselves a £200 million claim because of a badly drafted termination notice. Given the potential consequences it is generally assumed that an aggrieved party will take legal advice before going ahead with termination.

Most importantly you must act. Even a repudiation, meaning the most serious breach of contract, does not automatically end a contract. Termination rights can also be lost by delay. By the time an aggrieved party decides to assert itself it may be too late.

Things to be most wary of when terminating a contract

Terminating a contract without the right to do so

  • By terminating a contract you are refusing to perform any duties which may arise after termination.
  • If not justified by a contractual or common law right this refusal to perform is usually itself a repudiation.
  • The other party could accept the repudiation, terminate the contract and sue for damages.

Giving the wrong grounds for termination

This is what happened in the Phones 4u case. In that instance EE terminated its contract with Phones 4u on the basis of its rights to terminate for the other party’s insolvency. EE did not explicitly state in its termination notice that Phones 4u were in breach of contract. Even though EE had reserved its rights in the termination notice the judge nevertheless ruled that EE’s £200 million claim against Phones 4u for breach of contract could not now be pursued.

Not following the contractual termination procedure

  • The basic rule is that a party serving a notice to exercise a right must comply strictly with the contract.
  • Failing to comply may render a termination invalid even if the requirement is meaningless or pointless.
  • In the case of Zayo Group International Ltd v Ainger and others [2017] the court ruled that a requirement to leave the termination notice at a party’s old address was still valid. Because the notice wasn’t left at the old address on time the claim failed.
  • Serving an ineffective notice of termination could amount to a repudiatory breach as it communicates an intention to stop performing and may be accompanied by such action.

You can't take it back

It is also important to note that you cannot take back a termination notice:

  • Serving a termination notice communicates a party’s decision to exercise its termination right, which is not compatible with keeping the contract alive.
  • In two employment cases, the employee who gave a clear unequivocal notice to resign was then unable to withdraw that notice after an hour in the case of Riordan v War Office [1959] and a day in Southern v Frank Charlesly & Co [1981].

Terminating a Contract - Common Law Rights

Aside from express or implied termination clauses it is also important to consider common law rights when contemplating grounds for termination. The common law gives every contracting party the right to terminate on repudiation. A repudiation comes in different forms:

  • Breach of a condition.
  • Repudiatory breach of an intermediate term (or innominate term).
  • Renunciation, defined as a party’s outright refusal to perform all or substantially all its obligations under a contract.
  • Impossibility, if a party makes it impossible to perform the contract.

Understanding repudiatory breaches of intermediate terms is key when assessing your possible right to terminate a contract. Generally speaking, a breach of an intermediate term is repudiatory if it deprives the aggrieved party of substantially all the benefit of the contract. This deprivation must also coincide with the time that the aggrieved party chose to terminate.

Final word

Terminating a contract must be done carefully if the aggrieved party wants to retrieve as much compensation as possible. As we say above the consequences of not doing so can be severe. Please get in touch with Neil Williamson or Joanna McKenzie if you need any help.


InsurTech – Big Data, AI and Web Scraping

While InsurTech is disrupting the traditional means by which insurance products and services are provided and accessed by consumers, it also gives rise to a range of regulatory concerns, in particular around the use of data.

What is InsurTech?

InsurTech is a portmanteau of "Insurance" and "technology". InsurTech does not have an agreed definition, but is instead used as a broad term covering the use of technology in the insurance value chain and the rethinking of existing processes, usually across the following themes:

  • Product innovation in relation to novel risks arising from new technologies. These include new products such as pay-as-you-go (PAYG), parametric, disaster relief, connected device and sensor and peer-to-peer (P2P) type products, usually enabled by leveraging one or more aspects of disruptive technologies.
  • Deployment of disruptive technologies across the insurance value chain. The application of innovative technologies (or a combination), such as internet of things (IoT) devices and artificial intelligence (AI), large data sets (Big Data) to facilitate product development, distribution, underwriting and claims and administration practices.
  • Development of new technology-enabled insurance business models. These include start-ups reimagining discretionary mutual models and industry consortia seeking to reinvent the insurance value chain through technologies such as blockchain or distributed ledger technology (DLT).
  • Rethinking existing insurance processes using technology. The development of new technology platform solutions for adoption by the wider market, with a view to automating paper-based processes and centralising the reconciliation and storage of data.

Rapid change

Awareness of InsurTech solutions and their underlying technologies, coupled with effective mitigation and management of the risks associated with their adoption are vital in a regulated sector pursuing rapid change. The development of new technologies, such as drones, cryptocurrencies and automated vehicles, has prompted product innovation relating to the emergence of new risks created.

InsurTech Regulators

The Financial Conduct Authority (FCA) has indicated its support for innovative products and services coming to the UK market and new business models being applied, while maintaining its position as a technology agnostic regulator. To this end, the FCA has created a "regulatory sandbox" as part of its wider innovation agenda (known as "Project Innovate"). This helps innovators navigate the layers of financial services regulation and aims to promote competition in the interest of customers. The sandbox aims to facilitate a "safe space" for InsurTech start-ups to prove their business plans without immediately incurring all the costs and regulatory consequences of engaging in regulated activities.

Big Data analytics

The traditional underwriting model for insurance is based on a combination of customer responses to proposal forms, historical claims data and risk studies; data that is used by analysts to predict consumer behaviour and identify patterns in claims losses.

Within the underwriting context, InsurTech solutions seek to alter traditional models by exploiting the connectivity facilitated by IoT devices and the vast amounts of data points available for analysis, or "Big Data", that they accumulate. The accumulation of Big Data sets and developments in data analytics capabilities, including AI tools employing machine learning and deep learning techniques, have the potential to inform increasingly precise and segmented underwriting decisions. This is allowing some insurers to offer cover for risks on better terms than would have been possible without this data. In some cases, customers would not have been able to obtain cover without it. Big Data analytics is also used to facilitate prediction of consumer behaviour in the underwriting process, enabling insurers to assess risk more precisely, price policies better and estimate necessary reserves accordingly.

Legal and regulatory implications of Big Data

The most obvious and wide-reaching legal and regulatory implications for InsurTech relate to the assemblage and analysis of Big Data sets:

  • Data privacy. Much of the Big Data being gathered in insurance products constitutes "personal data" under the GDPR. Personal data is defined broadly under European data protection law and includes pseudonymised data. Even if an ID has been attached to an individual (rather than a name or other types of more obviously personally identifiable data), it is still possible that personal data is being processed and data protection issues therefore need to be considered. The key GDPR considerations in the context of Big Data are:
    • Transparency requirements. The GDPR sets out requirements for consent on the part of the individual to the use and processing of their personal data (including in relation to wholly automated decision making). This can be challenging in the context of Big Data, particularly when the specifics of the intended use of data may not be known at the point at which data is collected and notices are given.
    • Purpose limitation. Under the GDPR, data collected for a specified purpose cannot then be used for an incompatible purpose.
    • Data minimisation. The principle of data minimisation means only processing data that is required for the purposes for which it is collected and therefore not collecting unnecessary data.
    • Storage limitation. Finally, the GDPR includes a requirement around storage limitation – not keeping more data in personally identifiable form than is necessary, or for longer than is necessary.

Accordingly, it is important to undertake a privacy impact assessment when accumulating and analysing data in a Big Data project. It will also be key to consider the terms of privacy notices, the specifics of the types of data to be analysed and any steps that can be taken to anonymise it and potentially take it out of the scope of the GDPR data protection regime.

  • Pricing practices. Regulators are concerned that Big Data creates the potential for underwriters to create customer profiles and price based on data collected about customer income and appetite for shopping around. Regulators are also conscious of practices where pricing is set based on an expectation that customers will provide enhanced underwriting data, with those who are unwilling to provide this being penalised with increased premiums.
  • Micro risk segmentation. Regulators are concerned that analytics of Big Data is likely to result in more sophisticated and predictive underwriting models, with underwriting increasingly being performed on the basis of ever smaller or more segmented pools of risk or categories of insureds. This has the potential to pose moral hazard issues in relation to the creation of "uninsurable" risks or classes of risk.

InsurTech Artificial Intelligence

Various forms of AI are in widespread use across the insurance value chain, particularly in distribution and claims administration where defined (and often time-consuming) processes, procedures and actions are commonplace.

AI's most tangible impact to date has been in the areas of policy monitoring and claims processing, which are gradually becoming subject to intelligent automation to improve efficiency and produce cost-savings, consequently lowering premiums. One example of this is through the development of chatbots and other forms of robo-advisers, which are designed to simulate an intelligent conversation and replace humans in various insurance processes.

A number of InsurTech solutions focus on embedding fraud deterrence and detection software as part of claims management processes. Smartphones enable photographs and videos to be sent to claims managers to evidence damage. Online claims forms can be monitored to identify amendments to draft submissions in response to requests later in the process for evidence or a verbal summary of the relevant loss. Fraud detection software, often utilising AI, can also enable earlier and more effective detection of fraudulent claims, through discerning human emotions by monitoring facial expressions and natural language.

GDPR requires algorithms used in decision making relating to retail insurance products to be explainable. AI is also attracting an increased focus from regulators. They are keen to ensure that the implementation and use of such technologies in the insurance value chain is subject to appropriate systems and controls and that requirements to be able to explain how decisions are made are met. This can be challenging particularly in the context of some non-deterministic forms of AI, such as deep learning applications, which are programmed to learn through their own errors.

Financial institutions using AI should ensure that they have governance processes in place relating to the use of AI within their organisations that ensure compliance with law and ethical standards, and set processes for ensuring these matters can be properly audited. It will also be important to ensure that board members are educated on the forms of AI being used in their operations and the potential implications of these technologies on business processes in practice.

See our blog on AI for more information.

Big Data and web scraping

In the insurance context, terms such as "web scraping" describe practices leveraging publicly available online data to assist with pre-population of proposal forms, underwriting decisions and claims assessment. These practices give rise to a number of issues from a contractual, data privacy, IP and reputational perspective:

  • Intellectual Property. Consideration will be required as to whether collection of data through web scraping from third-party sources would constitute a breach of any IP rights (principally literary copyright and database rights infringement).
  • Many websites' terms and conditions have express prohibitions against the collection of content and materials from their site and often refer to web scraping specifically. There are a number of tools by which third parties do make their data available to other sources. However, these are often subject to various licence terms, which may place controls on what can be done with the data.
  • Most companies want to make sure that they are giving their client base, and the individuals with whom they interact, assurances that their data is being handled responsibly. There is a risk that the collection of data from third-party sources could be seen to be intrusive or inappropriate, which could have a negative reputational impact on the company.
  • Data protection. The GDPR specifically requires that individuals must be told about the sources of collection of personal data, which will be relevant where data is not collected from the individuals themselves but from third-party sources. There are rules under the GDPR that apply in relation to decision-making that is taken on a solely automated basis and produces legal effects relating to the individual or other similarly significant effects. Guidance from the Information Commissioner's Office (ICO) suggests that this could include decisions taken about insurance premiums. The rules around automated decision-making are such that consent is likely to need to be obtained to undertake this type of activity if it does in fact fall within the scope of automated decision-making under the GDPR. There are also requirements around providing individuals with rights to challenge decisions that are made automatically and potentially to obtain some human involvement in that process.

See our blog on web scraping for more information.

InsurTech – The benefits of technology

Being able to analyse data on a big scale has enhanced an industry for which information is the main source of its operations. Being able to do this through automation, access to publicly available information online and without the need for a human perspective comes with a load of legal consequences. Whilst the FCA encourages innovation in insurance, with some believing it can improve customer experience, the ethical dimension is tied up in a range of regulation which needs to be built into any InsurTech system.

EM Law specialises in technology law and data protection law. Please get in touch with one of our lawyers if you need any help.