Consequences of failure: the need for clarity in procurement documents
Tuesday 6th February 2018

A recent High Court decision has highlighted the need for contracting authorities and utilities to ensure that their tender documentation is as clear as can be.

In the case of MLS (Overseas) Ltd v The Secretary of State for Defence, the Ministry of Defence (MoD) was found to have fallen short of the required level of clarity in its tender documentation by not specifically highlighting the fact that a ‘fail’ mark for a particular question would lead to a tenderer being disqualified.

Facts

In 2015, the MoD published a contract for global port, maritime and logistical support services in the Official Journal of the European Union (OJEU). The proposed contract would run for up to 10 years and be worth a maximum of around £385 million.

MLS submitted a bid that narrowly lost. In the standstill letter sent to MLS, the MoD was clear that MLS’s bid had been identified as the Most Economically Advantageous Tender (MEAT) under the criteria that had been described in the invitation to tender (ITT). The reason the MoD gave for not selecting MLS was that their tender had fallen short of a pass/fail standard attached to one particular question about safety in the supply chain (Question 6.3).

MLS issued proceedings on the basis that the ITT was ambiguous in not fully explaining what the consequences would be of failure to meet the pass/fail standard for Question 6.3. MLS argued that whereas, in other parts of the ITT the MoD had clearly set out the consequences of failing to meet particular standards, no such explanation had been given about Question 6.3.

In its response, the MoD admitted that, due to an error in drafting, there had been no clear statement that the consequence of failing to achieve a pass standard for Question 6.3 would be disqualification. However, they argued that the documentation was sufficiently clear to have allowed a reasonably well informed and normally diligent tenderer to recognise that a fail score for Question 6.3 would mean disqualification.

Judgment

The Court found that the MoD had acted unlawfully and was in breach of its obligations of transparency and equal treatment because the criteria on which they had rejected MLS’s bid were not sufficiently clear from the ITT.

The relevant test for transparency was an objective one. The court must ask whether the ITT, or other tender documentation, was sufficiently clear to ensure that the award criteria would be interpreted in the same way by all reasonably well informed and normally diligent tenderers.

The court highlighted in particular that the MoD had set out a very highly detailed description of the process that it would use to identify the MEAT. Nowhere in that description had there been any reference to Question 6.3. Additionally, other parts of the ITT had included clear statements in bold type that failure to meet certain standards would result in disqualification; this was not the case for Question 6.3.

Comment

While this was a case brought under the Defence and Security Public Contracts Regulations 2011, it concerns principles that run through public procurement law no matter which set of regulations apply.

The case is a useful reminder for procuring authorities of the importance of carefully drafted tender documentation. Even where highly detailed descriptions of the award criteria have been successfully communicated to tenderers, a simple administrative omission can result in massive delays, costs and the potential need to run the whole procurement process again.

Additional caution should be taken from this case by those procuring authorities that are tempted to use intentionally vague language when describing their awarding criteria. Though it may seem that such ambiguity would ensure slightly more room to manoeuvre and exercise discretion in the late stages, as can be seen from this case, it could potentially lead to very serious infringements of procurement legislation.

Tenderers will be reassured by the decision as it should lead to greater clarity on award criteria issued by procuring authorities. Where there does remain any ambiguity, the best response will always be to seek clarification, rather than risking misinterpretation and the need for litigation.

For more information on this topic, contact Michael Winder on 0151 600 3085, or email him at michael.winder@brabners.com.

Better late than never - new data protection exemptions for insurance sector
Monday 22nd January 2018

You’re going on holiday... Great! Flights and hotel booked, annual leave arranged with work and activities planned – now to find some travel insurance.

You go to the website of your preferred insurance company, and there are a number of questions that you have to answer in order to get a travel insurance quote. One such question is likely to be:

“Are you, or any person to be insured on the policy, aware of any symptoms for which you have not yet seen a doctor?”

One might think that there is nothing out of the ordinary here, so what is wrong with this picture? Well, the answer to that question is something which has been of great concern to the insurance sector for some time.

What is the issue?
In order to provide a quote for many types of insurance policy (including, for example, travel insurance), the insurer will need to ask questions relating to the customer’s health, as the answers will affect the level of risk, and therefore the quoted price.

However, those answers will constitute “data concerning health”. Under the GDPR (which comes into effect on 25 May 2018), there are very strict rules about how you can hold and use information concerning a person’s health. The UK’s new Data Protection Bill (which is still going through government) provides for certain grounds upon which it is lawful to “process” that data.

For the insurance sector, the only lawful ground available was (until recently) to obtain the customer’s explicit consent. As the insurer needs to know this information, the provision of a quote will be conditional upon the customer giving that consent.

However, under the GDPR, where the provision of a service is conditional upon the data subject giving consent, there is a presumption that the consent is invalid because it has not been freely given.

Herein lies the issue: the insurer requires consent in order to provide a service, but the nature of that consent being required may render the consent invalid.

Various bodies in the insurance sector have asked the ICO to clarify its guidance on this issue, and have been lobbying the government to try to get a new lawful ground introduced for the insurance sector.

Recent updates
On 18 January 2018 an updated version of the UK Data Protection Bill was uploaded to the government’s website. In a move which will no doubt delight insurers, one of the grounds upon which the processing of health data (and other sensitive data) will be lawful has been vastly extended.

It will now be lawful (subject to any further last-minute amendments to the Data Protection Bill) to process sensitive personal data for insurance purposes, without having to rely on consent, provided the processing is carried out for the purposes of measures or decisions with respect to the data subject (e.g. providing a quote) and it is necessary for reasons of substantial public interest (the availability of travel insurance is almost certainly a matter of public interest).

Whilst the Bill is still not finalised, it is likely that this provision will remain largely intact when the Bill comes into effect. As companies across the world scrabble to prepare for the GDPR coming into force, 11th hour amendments to the rules may cause some headaches with those preparations. However, for the insurance sector at least, this latest update is certainly a case of “better late than never”!


Carphone Warehouse fined £400k after cyber attack
Monday 15th January 2018

In one of the largest monetary penalties ever issued by the Information Commissioner’s Office (ICO), Carphone Warehouse was hit with a £400,000 fine on Monday after its computer systems were compromised by a hacker in 2015.

The attack, which occurred between 21 July and 5 August 2015, compromised the personal data of over 3 million customers and 1,000 employees, including credit and debit card details for more than 18,000 customers.

By using a common security testing tool, the hacker obtained unencrypted login credentials for Carphone Warehouse’s administrative account on WordPress, and used those credentials to access vast amounts of personal data stored in the website’s databases. A large amount of information was exported from the system and, whilst neither the ICO nor Carphone Warehouse could determine exactly what was taken, both conceded that personal data was likely included.

The ICO’s subsequent investigation revealed a number of significant security vulnerabilities in Carphone Warehouse’s systems, each of which constituted breaches of the Data Protection Act 1998 (DPA) in their own right and may have contributed to the ease with which the perpetrator was able to carry out the hack.

In its monetary penalty notice of 8 January 2018, the ICO listed 11 separate breaches of the DPA committed by Carphone Warehouse and said that it is “particularly concerning” that these related to basic, commonplace measures, rather than complex technical deficiencies.

Carphone Warehouse had been using considerably outdated software, had failed to regularly install software patches, and had no routine security testing procedures or means to identify unauthorised access.

No firewalls or anti-virus software were in use on the systems, and the same administrator password (which some 30-40 members of staff had access to) was used on all servers’ operating systems.

Full credit card details were also stored in the system without there being any good reason to do so and, whilst historical payment transaction data had been encrypted, the encryption keys required to unlock that data had been insecurely stored as plain text.

These breaches did not necessarily all contribute directly to the attack; it is important to note that the ICO’s power to impose fines relates to the contraventions of the DPA (such as the failure to implement security measures) rather than the attack itself.

The penalty handed down by the ICO falls just short of the maximum £500,000 fine the ICO is currently allowed to issue. However, when the GDPR comes into effect on 25 May 2018, the ICO will be able to issue fines of up to €20m (currently about £17.8m) or 4% of a company’s total annual worldwide turnover (whichever is higher) for serious breaches.

This penalty could therefore have been financially devastating for Carphone Warehouse had the hack occurred a few years later. An analysis undertaken by NCC Group revealed that the fines issued by the ICO in 2016, which totalled just under £900,000, would have risen to almost £69m under the GDPR framework – a stark reminder for all organisations to review their data processing operations in preparation for the GDPR coming into force.


Commercial Contracts - Recent Updates
Wednesday 10th January 2018

Implied Terms

Parties will generally expect to rely on the agreed wording set out in any contract made between them. However, where disputes arise over ambiguities in the drafting of those contracts, the courts will in certain circumstances have the power to imply terms. The traditional requirements are that:

1. it must be reasonable and equitable to imply the term;

2. the term must be necessary for business efficacy;

3. the term must be ‘so obvious it goes without saying’ (officious bystander test);

4. the term must be capable of clear expression; and

5. the term must not contradict any express term.

In 2015, the Supreme Court approved this traditional test, but made some additional observations, including that:

1. terms should not be implied into detailed contracts merely because it appeared fair, or merely because the parties would have agreed to it had it been suggested to them at the time; and

2. when applying the ‘necessary for business efficacy’ test, a value judgment must be made and it may be appropriate to phrase the question as being whether, without the term, the contract lacks commercial or practical coherence.

Recent case law

The following recent cases have explained this matter further:

1. In Irish Bank Resolution Corporation Limited (in special liquidation) v Camden Market Holdings Corp. [2017] EWCA Civ 7, a dispute arose between the parties as to the proper interpretation of a clause in a loan agreement that allowed the bank to market a loan that it had made to Camden.

The loan was secured against some property that Camden had developed and the intention was that the loan would be repaid when the property was sold. Camden’s argument was that the price it could achieve for the property would be undermined if it was known that the bank intended to sell the loan. Firstly, potential purchasers may be tempted to buy the loan and call it in to acquire the property, rather than making the acquisition directly. Alternatively, purchasers may wait to see whether the loan was purchased by a third party who might be prepared to sell the property at a discount. In essence, the marketing of the loan by the bank was in direct competition with the marketing of the property by Camden. It was, in Camden’s view, necessary for business efficacy that the term be limited so as to prevent the bank from doing anything to hinder the marketing of the property to achieve the best price.

In the High Court, HHJ Raeside found in favour of Camden that the general permission for the marketing of the loan in the contract was not necessarily contradicted by the more specific limitation that Camden was seeking to have implied.

The Court of Appeal overruled this decision, and held that the limitation that Camden proposed did substantively contradict the express terms of the contract. Beatson LJ found that as a point of law, express and unrestricted powers cannot in the ordinary way be limited by an implied qualification.

2. In Wells v Devani [2016] EWCA Civ 1106, Mr. Wells was a property developer seeking to sell some flats. A phone call took place between Mr. Wells and Mr. Devani (an estate agent) in which Mr. Devani stated that his commission would be 2% plus VAT, but failed to mention the precise event that would trigger payment of the commission. Mr. Devani later introduced Mr. Wells to a purchaser who bought all of the remaining flats.

HHJ Moloney, in the High Court decision, recognised that the phone call between the parties had not resulted in a binding contract. However, he was prepared to imply a term to complete the bargain and put a binding contract in place.

The Court of Appeal overturned the High Court decision and ruled in favour of Mr. Wells. Lewison LJ stated that the power of the court to imply terms pre-supposes the existence of a binding contract and that it would be wrong in principle for the court to make a contract for the parties where they had not concluded one between themselves.

Comments

The Irish Bank case demonstrates the importance of considering both the precise wording and the actual effect when assessing how a proposed term will interact with the express terms of the contract as agreed between the parties. Even where the language of the proposed term does not necessarily contradict an express term, if the effect of the proposed term is at odds with the effect of an express term, the courts will not imply the term into the contract.

An additional point to note from the Irish Bank case is the weight that the courts attached to the fact that the loan agreement was a long, detailed and carefully drafted document. Beatson LJ specifically noted that the courts should be reluctant to imply further terms into such documents, even where the proposed terms do not actually conflict with the express agreement. Parties seeking certainty will be reassured that the time they invest in reaching a detailed agreement will not be wasted should the question of implied terms arise in court.

The Wells decision should be seen as a warning of the far-reaching consequences of parties failing to properly form a binding contract. Though there may be times where a court finds a binding contractual relationship despite certain essential terms not yet being agreed, the lesson here remains that everything begins with the question of formation when it comes to contracts, and the courts will not interfere to rectify even the most simple or obvious of deficiencies.

For more information on the topic, contact Danny on 0151 600 3168 or via email on danny.greenland@brabners.com.


Commercial Contract Updates - Exclusion and Limitation Clauses
Tuesday 9th January 2018

Background

Commercial contracts often purport to exclude parties’ rights and remedies or to limit the liability of the parties, but it is important to note that such clauses may not always be enforceable. Parties may not, for example, exclude their liability for fraud or for personal injury or death caused by negligence.

Where a party seeks to rely on such a clause, particularly if it is onerous or unusual, it should always ensure that it is brought to the other party’s attention so that there is no question of whether or not the clause forms part of the contract.

In consumer contracts, there are strict requirements in the Consumer Rights Act 2015 that terms must be fair to the consumer. There are similar (albeit less restrictive) requirements in the Unfair Contract Terms Act 1977 (UCTA) for business-to-business contracts.

Under UCTA, where one party deals on the written standard terms of business of the other, the other party cannot exclude or restrict its liability for any breach of the contract unless the relevant clause satisfies the reasonableness test (i.e. “that the term shall have been a fair and reasonable one to be included having regard to the circumstances which were, or ought reasonably to have been, known to or in the contemplation of the parties when the contract was made”).

Where only part of a term is invalid or prohibited, the Courts are sometimes prepared to sever that part and leave the remaining clause intact.

Recent case law

In African Export-Import Bank v Shebah Exploration [2017] EWCA Civ 845, the Courts had to decide whether a loan contract, subject to the conditions of the Loan Market Association Standard Form (a neutral industry model form), was on the “written standard terms” of one party, and therefore subject to the reasonableness test. Following previous case law, it was noted that “written standard terms” must be the terms that a party uses for all, or nearly all, of its contracts of a particular type, and that the essence of such terms must not be varied between transactions. In the High Court, Phillips J stated that it would be difficult to find that any negotiated, commercial contract, based on a neutral industry model and where the parties have legal assistance, is on the written standard terms of one of the parties. The Court of Appeal upheld the High Court’s decision that UCTA would not therefore apply to the loan contract.

In Goodlife v Hall Fire Protection [2017] EWHC 767 (TCC), the exclusion clause in question purported to exclude liability for personal injury and death resulting from negligence (which is prohibited under UCTA). The High Court had to decide whether or not the clause could remain in effect with the offending words removed. The Court was prepared to sever the offending words and, due to the equal bargaining position of the parties, it was found that the remaining clause was reasonable.

Comments

Neutral model contracts are used in many types of business, and parties could be forgiven for thinking that these would count as “written standard terms”. However, following the decision in Shebah Exploration, it is clear that UCTA’s reasonableness test will not apply to such contracts unless one party has genuinely adopted the model contract as its own terms, and uses those terms for all of its contracts without scope for negotiation.

Whether or not part of an exclusion clause can be severed by the Courts, to make the remainder of the clause effective, is a question which has been addressed by seemingly conflicting decisions in the past. Following the recent decision in Goodlife, the position appears to be as follows:

  • Where part of a clause is ineffective, e.g. because it excludes liability for personal injury or death caused by negligence (as prohibited by UCTA), then the rest of the clause may still be tested for reasonableness and remain effective (as was the case in Goodlife).
  • However, where a clause is tested for reasonableness under UCTA, it must pass or fail as a whole and cannot be severed to remove the unreasonable parts (this was the effect of the decision in Stewart Gill Ltd v Horatio Myer and Co Ltd [1992] QB 600, which the Court distinguished in Goodlife).

The distinction seems to rely on the idea that an exclusion of liability for personal injury or death caused by negligence will not be subject to the reasonableness test; it is simply ineffective under UCTA. If the clause in Goodlife, after having removed the reference to personal injury and death, still had unreasonable parts (e.g. if it purported to exclude liability for fraud), then the whole clause may have been deemed ineffective.

For more information please contact William Eggleston on 0161 836 8831 or via email - william.eggleston@brabners.com.

Specialist Dental Lawyer’s Guide to Dental Equipment Warranties
Monday 8th January 2018

When you buy a dental practice, the contract of sale is likely to contain warranties. These warranties are a series of promises which are made by a seller, giving you, as a buyer, assurances as to the efficacy of the business that you are acquiring.

The warranties can cover a wide range of issues and should be tailored to the specific practice and your personal requirements. If, once you own the practice, it transpires that a warranty has been breached, the contract should set out the method, timescales and amounts of a remedy that will be available to you.

Warranty provisions relating to equipment are often hotly negotiated. Although you may be paying thousands of pounds for dental chairs and autoclaves within a practice, you should not expect the same kind of warranty that you would get when buying electrical appliances on the high street.

The first issue to consider is the date on which the warranty is given. Warranties that are given by the seller will apply on the date of exchange of contracts. It is wise for the buyer to seek a provision in the contract to say that the warranties are repeated on the date of completion.

You are very unlikely to get a promise that something is going to continue to work for a year or two following the purchase. Equipment warranties are usually limited to an assurance that something is working on the day on which the contract is signed; although even this is not a given, as the seller may say that they are not sufficiently qualified to make such an assurance.

As a buyer, you might seek warranties not only that the equipment is in working order on the date of completion, but also that the equipment you are being sold is adequate for the continuation of the practice (i.e. that the seller isn’t going to remove a vital item of equipment prior to the sale and leave you unable to practise). A warranty that the equipment available is sufficient and adequate to ensure that the practice complies with current GDC and CQC guidelines is also reasonable. Warranties that equipment has been properly maintained and serviced will also give the buyer some protection (although this should also be investigated during the purchasing due diligence process).

Finally, a sensible buyer should seek a warranty that the equipment within the practice is actually owned by the seller and is free from any finance or lease agreement.

During negotiations, a seller may want to limit the warranties in relation to equipment as much as possible. Sellers frequently make formal disclosures against equipment warranties. If information is disclosed to you prior to completion, then you may be prevented from making a warranty claim relating to that information.

What constitutes a disclosure can also be in dispute. A seller may claim that they have disclosed to you anything that would be reasonably apparent on an inspection of the practice. The question then arises as to what sort of inspection this would cover. A qualified technician, who inspects the equipment, might find a fault in an item that a cursory glance by a less qualified person would fail to bring to light.

Warranties will also be limited in terms of both value and time. You will have a limited period of time in which to bring a claim for breach of warranty following a practice acquisition. It is therefore important that you are aware of the timescales agreed. A seller will also seek to include within the sale agreement both minimum and maximum values on possible claims. It is important that both the seller and the buyer understand the warranties that are being offered in any sale agreement. Equipment warranties should offer the buyer some assurance that what they are buying will be fit for their requirements even if they don’t purport to promise that the equipment won’t break in the weeks, months or years following your acquisition.


Data Protection Bill – Exemptions
Thursday 14th December 2017

The UK’s proposed Data Protection Bill (the “Bill”) creates a number of exemptions to the requirements under the EU General Data Protection Regulation (GDPR), many of which mirror similar provisions in the Data Protection Act 1998 (DPA). For businesses which rely on these provisions to process personal data without breaching the legislation, it is important to understand the scope and the limitations of the exemptions due to the increasing penalties for non-compliance.

Public functions

The existing DPA exemptions for public bodies are largely unchanged in the Bill, with the majority of data subjects’ rights being excluded where the processing of personal data is necessary for the prevention or detection of crime and the assessment and collection of taxes, the public functions of certain regulatory bodies and for various functions in the public interest, including protecting the public against financial malpractice, protecting charities and securing the health and safety of workers.

A contentious new addition in the Bill relates to the processing of personal data for the maintenance of effective immigration controls (and, significantly, has nothing to do with the prevention of crime), which the advocacy group Liberty described in its report of October 2017 as a “brazen violation of the data protection and privacy rights of migrants”.

Exemptions from access and transparency rights

Data subjects’ rights of access can sometimes conflict with the rights of privacy of other individuals. For this reason, an important exemption is recreated in the Bill which provides that data controllers are not required to disclose information in response to an access request where another individual can be identified from that information (unless they give their consent).

Rights of access, and the requirements to provide certain information to data subjects upon the collection of personal data (a.k.a. “transparency”), are also excluded where the data could have the benefit of legal professional privilege, or are processed for the purposes of business management forecasting. If the data consists of confidential references (for employment, education or training), the controller’s records in relation to any negotiations with the data subject, or information recorded by candidates during an exam, the exemption will also apply.

A person will also not be required to comply with an access request if doing so would reveal incriminating evidence of their commission of a criminal offence (however, note that this rule against self-incrimination does not apply to offences under the Bill, or to perjury offences).

Corporate finance providers enjoy a similar exemption; rights of access and transparency will not apply where compliance would likely affect the price of corporate finance instruments, or where compliance would prejudicially affect the functioning of financial markets by affecting the decisions of business people in relation to corporate finance.

Freedom of expression and research

There have been concerns that the increased protection for individuals under the GDPR could have a detrimental impact on the general right of freedom of expression. However, the Bill contains a wide exemption – which covers almost all of the rights of data subjects, the lawful grounds for processing and requirements relating to consent (including children’s consent) – for the processing of data for journalistic, academic, artistic or literary purposes, where the controller reasonably believes that the publication of the material would be in the public interest.

Rights of access, rectification, restriction of processing and objection to processing are also excluded where personal data is processed for scientific or historical research, statistical purposes, or for archiving purposes in the public interest.

Health, social work, education and child abuse

In most proceedings in the Family courts, if the court processes personal data relating to health, social work or education (e.g. where it is contained in evidence or other reports in the proceedings) and, under the relevant court rules, the court may withhold the information from the data subject, then the rights of the data subject (such as access rights) will not apply.

In relation to health, social work or education data, there are also exemptions from the right of access where disclosure would be likely to cause serious harm to the physical or mental health of the data subject (or another individual).

Where an access request is made by a person either with parental responsibility for a child (under 18) data subject or who has been appointed by a court to manage the data subject’s affairs: in relation to data concerning child abuse, the right of access will not apply to the extent that compliance would not be in the best interests of the data subject; and in relation to data concerning health, education or social work, the right of access will not apply where the data was obtained from or provided by the subject with an expectation of privacy (or where the subject expressly indicates that the information should not be disclosed).

Any businesses concerned about the changes under the GDPR, or unsure whether or not exemptions might apply, should seek advice before the GDPR (and the Bill) come into force next May; our experienced Commercial team can assist in deciphering the legislation and preparing your business for the new rules.

This article is part of a series produced between November and December 2017 for Brabners Data Protection Month – you can find all of our data protection articles on our Data Protection Month page.


GDPR - Data Subject Rights
Thursday 14th December 2017

The EU General Data Protection Regulation (GDPR) provides important changes to the rights of data subjects. As well as introducing new rights, some provisions in the Data Protection Act 1998 (DPA) have been revised to strengthen protection for individuals and bring further clarity for controllers.

Bolstering existing rights

The DPA obligation for controllers to provide certain information to data subjects has been rechristened as “transparent communication” in the GDPR. As well as information about their identity and the purposes for which personal data are processed, controllers will have to provide subjects with information about:

  • the legal basis for processing data;
     
  • any intended recipients of the data or transfers to non-member states;
     
  • data retention periods;
     
  • information about subjects’ rights and how to withdraw consent or lodge complaints; and
     
  • the existence of any automated decision making or profiling systems.

This information must be provided at the time the data is obtained, in a concise, intelligible and easily accessible form, using clear and plain language (particularly in respect of child subjects).

Data subject access rights subsist in the GDPR and subjects may request access to their personal data as well as the information as listed above at any time. The timescale for complying with such requests is reduced from 40 days to one month, and businesses will no longer be able to charge a £10 fee for this service. However, if subject access requests are manifestly unfounded or excessive (and it is for the controller to prove that they are), controllers may either charge a reasonable fee to cover their costs or refuse to act on the request. Controllers may also request information from the subject if they have reasonable doubts as to their identity (and, therefore, the validity of the request), and may refuse an access request where the requested data contains personal data relating to other individuals (which could not reasonably be separated).

The right to rectification of personal data (correcting errors and omissions) is largely unchanged in the GDPR, but data subjects currently have to apply for a court order to request rectification; under the GDPR controllers will usually have to respond to such requests within a month, but this can be extended by two further months for complex or multiple requests.

The right for data subjects to object to the processing of personal data is also broadened; subjects may currently object only where the processing of personal data is likely to cause them substantial unwarranted damage or distress or where it is used for direct marketing. Under the GDPR an objection may be made in relation to any processing which is justified on the grounds of either public interest or the legitimate interests of the controller (the latter being particularly significant as many controllers may turn to this as an alternative to consent, which is becoming harder to demonstrate). Controllers will have to cease processing the data following such a request unless they can demonstrate compelling legitimate grounds which override the subject’s rights; from a practical standpoint, this topic is yet to be explored in detail, but such grounds may include where the controller and the subject have an existing relationship (e.g. for the provision of services) and the processing is necessary in order to provide the level of service that the subject expects and continues to desire.

New rights in the GDPR

Under the GDPR’s new right to erasure (a.k.a. the “right to be forgotten”), subjects may require controllers to erase personal data concerning them where the data are no longer necessary for the purposes for which they were collected or have been unlawfully processed, where the subject withdraws the consent upon which the processing is justified, or where the subject objects to the processing of that data. This has garnered criticism as, where personal data has been made public (e.g. by posting online), controllers are also required to take reasonable steps to inform all controllers processing the data of the erasure request, which is likely to be difficult to comply with in practice (although it is worth noting that in taking such “reasonable steps”, controllers are entitled to take into account limitations in technology and the costs of implementation).

Another contentious addition in the GDPR is the right to restriction of processing. If a data subject contests the accuracy of personal data held by a controller, they may compel the controller to cease processing that data (e.g. by removing content from a website) until the controller is able to verify its accuracy. The potential impact of this provision on freedom of speech is concerning; websites will undoubtedly be encouraged to comply with all take down requests (regardless of their validity) rather than incurring the time and expense of a verification process.

The right to restriction of processing also applies as an alternative to erasure where the processing is unlawful, where the controller no longer needs the data but the subject requires them in connection with a legal claim, and where the data subject objects to the processing (pending verification of any overriding legitimate grounds of the controller).

The GDPR also creates a right of “data portability” which allows subjects to require personal data to be provided to them in a structured and commonly-used format, or to be transferred between controllers. While designed to improve interoperability between processing systems and to prevent people from becoming “locked in” to a particular service provider, the impact on businesses that will have to comply with such requests is uncertain.

Additional protection for individuals

It is important to remember that a lot of the GDPR has been designed, generally, to increase data protection for individuals.

For example, consent remains an important lawful ground for processing personal data but will be harder to demonstrate under the GDPR, as it must be freely given, specific, informed, unambiguous and given by a “clear affirmative action” (goodbye, pre-ticked check boxes). There are also new rules allowing data subjects to object to decisions that have been made by the automated processing of personal data (including “profiling”, where subjects are evaluated by reference to certain aspects of personal data).

Some organisations may benefit from exemptions (implemented in the UK’s new Data Protection Bill but authorised under the GDPR) in respect of some of their processing activities. Exemptions exist for various public functions (such as the prevention of crime, immigration controls and regulatory bodies), public interest purposes (such as avoiding self-incrimination, maintaining legal professional privilege and freedom of speech), and also for data relating to healthcare, social work, education and child abuse.

In order to stay on top of the new rules, we recommend that businesses have in place robust data security and privacy policies, tailored to their particular circumstances and practices.

This article is part of a series produced between November and December 2017 for Brabners Data Protection Month – you can find all of our data protection articles on our Data Protection Month page.


Buying a Dental Practice Checklist
Tuesday 28th November 2017

If you are considering buying a dental practice, but don’t know where to start, the below checklist might help:

  1. Register as an interested buyer with dental brokers. There are many specialist dental brokers in the UK. If you are unsure of the brokers operating in your area, our dental team can point you in the right direction.
     
  2. Educate yourself. The process of buying a dental practice can seem complicated and overwhelming. There are free guides available on the Brabners website and, in most instances, we will be happy to answer your initial questions without charge.
     
  3. Get your team in place. Specialist dental accountants and lawyers can be invaluable in guiding you along the process. Buying a dental practice is likely to be one of the most expensive acquisitions in your life: getting someone who knows the quirks of the sector to help you makes sense.
     
  4. Secure your finance. Knowing that a bank will back your acquisition will ensure that, when you make an offer on a practice, your bid stands out from a crowd. It will also speed up the process once you find the practice of your dreams.
     
  5. Understand what you are looking for. Weigh up what you are looking for in a practice, write it down. Are you looking for an NHS practice or private? Does location trump profitability? Do you want a practice that runs itself or do you intend to be hands on in developing the business?
     
  6. On finding a practice you are interested in, do your homework. A dental lawyer can help you to ask the right questions. A dental accountant can help you to understand the accounts.
     
  7. Set a target date. Once you have found the practice you wish to buy, finalising the purchase needs to be your priority. It is unfortunate that many dental acquisitions are often unnecessarily protracted. Setting a realistic target date (following discussions with your professional advisors) is likely to focus the minds of everyone involved.

The dental team at Brabners can talk you through the process, ensuring that the dream of buying your own practice doesn’t turn into a nightmare.

To download our free dental practice acquisition guide CLICK HERE.


UK website privacy notices are far from compliant with GDPR
Monday 20th November 2017

An international study has found that businesses in the UK need to improve their online privacy notices if they are to comply with the General Data Protection Regulation (GDPR) by the time it comes into force on 25 May 2018. With new fines of up to 4% of global turnover or €20 million, whichever is higher, organisations should be keen to improve in response to this timely warning.

The study was led by the UK data protection regulator, the Information Commissioner’s Office (ICO), and included participation by 24 additional data protection regulators from around the world. In all, 455 websites and apps across a wide variety of sectors were assessed. The regulators were considering how easy it was from a user’s perspective to establish precisely what information was being collected, how it was being used, processed and shared, and what the purpose of the collection and processing was.

The study highlighted several issues that were present across all of the jurisdictions in which websites were assessed:

  • Privacy communications across all sectors tend to be too vague, lacking specific detail and relying on generic clauses;
     
  • Most organisations are failing to inform their web users what happens to their information once it has been collected; and
     
  • There is a general failure to specify with whom personal data is shared.

On the back of the report, several regulators in different jurisdictions have decided to take action to improve compliance with data protection legislation. Some regulators are working to provide guidelines to advise businesses on how to improve their privacy practices, and in more serious cases regulators have contacted individual organisations to set out remedial actions that need to be taken to improve control of personal data.

In the UK, 30 websites were assessed by the ICO as part of the study. They included websites from the retail, banking, travel and price comparison sectors. The assessments concluded that the privacy notices of these websites were inadequate. Key problems highlighted by the ICO in the UK included:

  • 26 of the 30 failed to specify how and where information would be stored. Additionally, the data that was provided was often unclear and vague;
     
  • 26 organisations failed to explain whether personal data would be shared with third parties and who those third parties would be;
     
  • 24 websites did not provide users with any clear means to remove their personal data from the website; and
     
  • 7 businesses did not make it clear how users could exercise their rights to access the personal data the businesses held about them (i.e. through a Subject Access Request).

The ICO manager involved, Adam Stevens, said of the poor results, “the GDPR is coming in May 2018 and from what we’ve found so far, organisations which want to do business or operate in the EEA have a lot of work to do if they don’t want to be breaking the law.”

This month, the ICO has set up a dedicated advice line for small and micro businesses and charities. Its main aim is to help organisations without significant resources to prepare for the GDPR; however, the service will also be able to advise on current data protection rules, electronic marketing and freedom of information requests. To get in touch, visit the ICO website.

This article is part of a series produced between November and December 2017 for Brabners Data Protection Month – you can find all of our data protection articles on our Data Protection Month page.
