Welcome To Simplydocs

Yearly Archives: 2017

Banning Orders for Residential Landlords and Agents from April 2018

Back in April we wrote about the introduction of new measures to tackle “rogue landlords”. Rent repayment orders and financial penalties have already been introduced. From April 2018, the government intends to bring in banning orders for landlords and agents who have been convicted of certain “banning order offences”.

What are the Banning Order Offences?

Draft Regulations have set out the list of banning order offences. If a landlord or agent is convicted of one of these offences, the local authority will be able to apply for a banning order against that person. The list of offences, including Housing Act offences and other serious crimes, can be found here.

What Effect will a Banning Order Have?

A banning order will prevent a person from letting or managing a property or carrying out agency work for a period of at least 12 months.

Database of Rogue Landlords and Property Agents

There will also be a new database of rogue landlords and agents. The database will include the names of people against whom a banning order has been made. It may also include people who have been convicted of a banning order offence but who are not the subject of a banning order.

Access to the database will be for the government and local housing authorities only. It does not appear that the public will be able to access it.

What Should I Do?

If you are a responsible law-abiding landlord, you don’t need to worry about banning orders. Banning orders are designed for landlords who deliberately and persistently fail to comply with their legal obligations. Their introduction gives local authorities one more tool to use in the fight against rogue operators.

A Tough Gig?

Time to deliveroo some über-important rights to gig economy workers?

Many of us have been there. You whip out your smartphone to book a taxi to take you home and, on the way, you order up a tasty takeaway to be sped to your house in a large box strapped to the back of a student riding a bicycle. It’s convenient to be sure, but many (not least our drivers and box-backed riders) can’t help but notice that many legal protections bestowed upon employees are conspicuous only by their absence.

The gig economy has grown considerably in recent years and it can be highly beneficial, not only for businesses, but also for workers who value the flexibility inherent in the business model. Such benefits notwithstanding, however, the House of Commons Work & Pensions, and Business, Energy & Industrial Strategy Committees recently called on the government to close loopholes in employment law that currently allow gig economy businesses to force workers to be self-employed, denying them key entitlements such as holiday and sick pay.

This follows on from the Taylor Review, commissioned by the government in October 2016 and led by Matthew Taylor, Chief Executive of the Royal Society of the Arts. The Review’s report (available here) was published in July 2017 and, at the time of writing, is yet to receive a full response from the government.

Shifting the Burden

There have been a number of court cases concerning the status of gig economy workers, including some which the persistently-embattled Uber has lost, but the default position for such workers remains mostly unchanged.

The Committees argue that “the current situation puts an unacceptable burden on workers to address poor practice through an expensive and risky court case while the companies themselves operate with relative impunity.” Under the new proposals, gig economy workers would benefit from a new presumption of worker by default, shifting the burden onto the companies who would have to either provide basic standards, rights, and benefits to their workers or prove that their workers’ true status reflected self-employment. Furthermore, the proposals include tough new penalties designed to outweigh any gains that companies might stand to make from unlawful practices.

Wage Premiums

The Committees’ proposals also include measures to compensate workers for the uncertainty inherent in gig economy work in the form of a wage premium for hours where work cannot be guaranteed. Not only would this help to balance out a situation in which the flexibility benefits can become quite one-sided, but it may also encourage companies to provide more clearly-defined hours or staff rotas.

A Good Gig?

Pleasing everyone may be difficult, of course. While it would be difficult to argue against improving the rights and protections afforded to gig economy workers, a trade-off that may stand to reduce the flexibility in the system may not be so welcome. Gig economy businesses, of course, maintain that everyone working for them loves the flexibility, and they most likely do. However, the lack of protections and rights must surely be addressed in some manner that allows the flexibility in working hours to be preserved.

Do you work in the gig economy? Does your business take on staff on a self-employed basis like this? If so, how would you respond to a change in the law that required you to provide increased rights and benefits to workers while retaining the flexibility inherent in the gig economy of today? As ever, we value your input on the subject!

Processing and Transferring Personal Data

If you process personal data, that processing is currently subject to the Data Protection Act 1998. As of next May, the EU General Data Protection Regulation – the GDPR – will take over. Continuing the changes, the new Data Protection Bill introduced recently will bring much of the GDPR, with a few minor differences, into UK law post-Brexit.

Changes in the Law

Much media attention has been devoted recently to the GDPR. Some of this has provoked questions about the future legal position on data transfer not only within the UK but also to other countries outside the EU or EEA. The good news is that, in our view, what you will need to do in the future will not really change in practical terms.

To Where are You Transferring Personal Data?

You might need to transfer personal data within or outside the UK, to a location within the EU or EEA, or to a non-EU/EEA country (a “third country”). In addition to the general requirements for processing personal data, particular requirements apply to the transfer of data within the UK or abroad, as outlined below.

Transferring Personal Data Within the UK or EEA

Where a UK data controller has a data processor within the UK or the EEA processing personal data for it, currently the law requires a written contract obliging the data processor to act on instructions from the data controller and to comply with obligations equivalent to those in the Data Protection Act’s Seventh Data Protection Principle. The GDPR also requires the contract to detail the processing and the data processor’s obligations. Our template document Data Processing Agreement – Personal Data Security (UK/EEA) meets the current requirements for such a contract.

There are no officially recognised standard clauses for such a contract. There may be in future, but there are none on the horizon, so you may continue to use our template. If the position changes, we will, in addition to making any necessary changes to our template, advise you accordingly.

Transferring Personal Data Outside the EEA

The Act’s Eighth Data Protection Principle and the EU Directive 95/46/EC (often referred to as the “Data Protection Directive”) only allow data controllers to transfer personal data outside the EU if the destination country has an adequate level of protection for the rights of the data subjects concerned. A number of alternative methods of ensuring such protection exist, but we believe that the “model terms” option (see below) is the best and easiest solution, because in practice another method may not be available or may be relatively difficult to use. The alternatives are as follows:

1) Recognised Destination

The EU Commission website lists those countries which it recognises as satisfying the test of “adequate level of protection”. The current Act and the GDPR provide for such recognition as a means of satisfying the test for an adequate level of protection. Transfer of data from the UK to the USA is complicated. The USA is not listed as “recognised” but a transfer will be permitted if the USA recipient (“data importer”) has self-certified compliance with the Privacy Shield framework.

2) Adequate Level of Protection

If the destination country is not “recognised”, then the requirements of the Act’s Eighth Data Protection Principle may be met if the data controller concludes that there is an adequate level of protection for the person who is the subject of the data, having regard in particular to the “adequacy criteria” set out in the Act.

It may not always be easy to properly apply these adequacy criteria. Further, the self-assessment basis of ensuring an adequate level of protection will be different and reduced under the GDPR. All in all, we think it will be very difficult for you to make proper use of this method.

3) An Exemption

Schedule 4 of the current Act provides several exemptions from the application of the Eighth Data Protection Principle. Similar exemptions will apply under the GDPR. If one of them applies, you would not need to consider whether there is an “adequate level of protection” or to take any other special steps in relation to the transfer.

4) Agreement on “Model Terms”

In view of the uncertainties and difficulties of ensuring an “adequate level of protection”, it will often be easier and preferable to make use of the following means instead.

The relevant EU Directive provides that an adequate level of protection will be achieved if a data controller and data processor sign an agreement governing transfer of data on model terms issued by the EU Commission for such purposes. The Commission issued the model terms in 2010. The current Act gives effect to this means of compliance and the Information Commissioner authorised the EU Commission model terms. This creates a “safe harbour” for UK data controllers transferring personal data outside the EU or EEA. Our template document Data Processing Export Agreement – Personal Data Security (Non-EU) contains the model terms and it may be used where transferring personal data outside the EU or EEA.

Although the GDPR supersedes the EU Directive, it does not alter the model terms regime so our template can be used after the GDPR and, subsequently, the new Act come into effect. It appears unlikely that the model terms will be amended in the foreseeable future. If they are, we will amend our template to take account of those changes.

Your Experience

Do you transfer personal data to another organisation to process it in the UK/EEA or outside the EU or EEA? If so, we would like to hear about how you ensured compliance with the current Act and the Directive, and how you plan to ensure compliance with the GDPR and the new Act. If you transferred data outside the EU or EEA, then, in order to do so, have you made use of the “model terms”? Have you relied on some other option instead? Are you confident that you are complying with all legal requirements relating to data transfer?


Ban on Letting Agents’ Fees – Update

A draft Tenants Fees Bill has now been published. As expected, the Bill bans landlords and letting agents from requiring tenants to make any payments as a condition of their tenancy, with certain exceptions.

The Bill applies to assured shorthold tenancies and licences but not to other types of letting such as company lets.

Permitted Payments

The payments that can still be required from tenants are:

  • Rent
  • A refundable security deposit not exceeding six weeks’ rent (the original proposal was one month’s rent)
  • A refundable holding deposit not exceeding one week’s rent
  • Fees for management services carried out as a result of a tenant’s default (such as repairs arising from deliberate damage to the property or a breach of the tenant’s obligations)

Penalties

Enforcement of the ban will be carried out by local authority trading standards officers. They can impose penalties of up to £5,000. A repeated breach is a criminal offence but a civil penalty of up to £30,000 can be imposed as an alternative to prosecution.

There is also a mechanism for tenants to recover unlawfully charged fees.

Implementation

The Bill is still in draft and has yet to be laid before parliament. The new rules are not likely to come into force before late 2018. However, lettings agents need to start thinking about how they will adapt their practices to comply with the new rules.

Short-Term “Airbnb-style” Lettings

Are you considering entering the short-term lettings market? It can be a fantastic source of income for property owners but there are downsides and risks. Here we look at the pros and cons and highlight some issues property owners need to consider before taking the plunge.

The Growth of the Short-Term Lettings Market

In recent years there has been a huge increase in the use of websites such as Airbnb, where home owners can advertise a room or a whole property as available for a short-term let. Originally, these websites were intended for consumer-to-consumer use – part of the “sharing economy” – but they are increasingly being used by property investors who see that there is potentially more profit to be made from short-term lets than assured shorthold tenancies.

What are the Benefits of Short-Term Lettings?

There is a rapidly expanding market for short-term lettings, with many visitors preferring the independence of self-catering accommodation to a hotel stay. Agent websites such as Airbnb, HomeAway, and others make it easy for landlords to access this market.

Short-term lets are generally more lucrative for landlords than longer term lets, generating up to three times the income. In a prime area, granting short-term lets can be a reliable source of income.

What are the Downsides of Short-Term Lettings?

With a rapid turnover of guests, there is inevitably more work for landlords to do in terms of management and maintenance of the property. Landlords will either need to set aside the time to undertake this work themselves or appoint an agent to do it for them.

Using a property for short-term lets can throw up issues with guests, neighbours, superior landlords and the local authority. Landlords need to anticipate the issues that may arise and be ready to deal with them if and when they do. For example, guests may complain about the facilities, neighbours may be unhappy with the behaviour of the guests, superior landlords may consider short-term lettings to be in breach of the lease covenants, and the local authority may receive complaints about noise or health and safety issues and take enforcement action.

The growth of the short-term let market in a particular area can have adverse consequences for local residents. Problems can include noise and disruption caused by guests, an increase in property prices, and a reduction in housing stock as investors look to acquire accommodation.

What do You Need to Consider Before Granting Short-Term Lets?

Here are some key issues landlords need to consider before entering the short-term lettings market:

Planning Restrictions

In London, where living accommodation is much-needed, there are restrictions on using residential accommodation for short-term lets. Short-term lets are permitted provided they do not exceed 90 aggregate nights in any one calendar year. (Airbnb now restricts London hosts from letting their properties for more than 90 nights per year; other platforms do not impose this restriction.) If you intend to exceed the 90 night limit, consider applying for a change of planning use from residential (C3) to hotel use (C1).

Local authorities find this rule difficult to enforce as they do not necessarily know how properties are being used. It is possible that a notification requirement will be introduced whereby owners must notify the local authority of the dates when the property is being used for short-term lets.

Lease Terms

If you are a leaseholder, as opposed to owning the freehold of your property, does your lease allow you to grant short-term lets? Such lettings may fall foul of various restrictions in the lease such as:

  • a requirement to use the property only as a private residence (the courts have held that short-term lettings are too transient to qualify as “private residence” use)
  • a prohibition on using the property for a trade or business
  • a prohibition on causing a nuisance (could be an issue in terms of the behaviour of guests)
  • restrictions on subletting

If the short-term let use constitutes a breach of your lease your landlord may seek to forfeit (i.e. cancel) the lease or seek an injunction preventing you from using the property in this way. You may incur significant legal costs if your landlord takes such steps.

Mortgage Terms

Your mortgage terms may not allow you to use the property for short-term lettings. A breach of your mortgage terms may result in the property being repossessed unless you can repay the entire mortgage.

Buildings Insurance

Normal residential buildings insurance is unlikely to cover this sort of use. Check your policy and if necessary obtain specialist insurance.

EPC

An energy performance certificate (EPC) is needed for a property rented out as a holiday let for a combined total of four months or more in any 12-month period. If this applies to you make sure you have a valid EPC to avoid the local authority taking enforcement action.

Security

There may be valuable items in your property and you will be allowing strangers to have access to it. How will keys be collected and returned? Who will check that the property is secure and your possessions intact?

Health & Safety

Ensure appropriate checks are made on gas and electrical installations and as regards fire safety.

Tax

Tax is a specialist area and beyond the scope of this note. Ask your accountant to advise on your tax position.

The Future of Short-Term Lets

Despite the pitfalls and obstacles mentioned above, the short-term letting market looks set to remain strong. Are you already involved in it? Are you tempted to give it a try? Have you been affected by the growth of short-term lettings in your area? As always, we welcome your comments below.

Government Plans to Introduce Ban on Letting Agents’ Fees

The government intends to introduce a Tenants’ Fees Bill before the end of the year. The Bill will ban landlords and letting agents from requiring tenants to make any payments as a condition of their tenancy, with the exception of:

  • Rent;
  • A capped refundable security deposit (currently proposed to be no more than one month’s rent);
  • A capped refundable holding deposit (currently proposed to be no more than one week’s rent); and
  • Fees for management services carried out as a result of a tenant’s default (such as repairs arising from deliberate damage to the property or a breach of the tenant’s obligations).


What is the Current Position on Letting Agents’ Fees?

Currently many agents charge prospective tenants a fee for carrying out work associated with the grant of a tenancy such as:

  • Preparing a tenancy agreement;
  • Conducting reference checks;
  • Ensuring a tenant has the ‘Right to Rent’;
  • Preparing an inventory and agreeing the inventory with the tenant; and
  • Handling a renewal of a tenancy.

The average amount paid in fees is currently £223, according to government figures. However, housing charity Shelter reports that one in seven renters pays more than £500. Some tenants in London have been charged fees of up to £2,000.


The Government’s Aim

Lettings agents in England and Wales have been required since May 2015 to publicise a list of the fees they charge to landlords and tenants. The fee tariff must be displayed prominently at the agent’s premises and must be published on the agent’s website, if they have one. But the government feels that more needs to be done to tackle the ‘unfair’ fees charged to tenants. It hopes that the ban on fees for tenants will improve competition in the rental market and drive up standards by encouraging landlords (who will now bear the agents’ fees) to shop around for more competitive fees.


Are Landlords and Agents Concerned?

Within the property industry concerns have been raised that the fees ban will:

  • Cause job losses for lettings agents;
  • Lead to a lower service level for tenants;
  • Make buy-to-let investments less attractive for landlords who will have to pay the agents’ fees instead of the tenants; and
  • Lead to increases in rent as landlords pass the cost of the fees onto their tenants.


There are also concerns that the proposed cap on the security deposit of one month’s rent is too low. The current average deposit is equal to six weeks’ rent but sometimes a higher deposit is sought from higher-risk tenants. If this option is not available to landlords, they may simply decline to offer their properties to such tenants.


Implementation

While the Bill is expected to be published before the end of 2017, the new rules are not likely to come into force before late 2018. Lettings agents and landlords need to keep up-to-date with developments and ensure they are ready for the new regime.


How Does This Affect You?

Are you a landlord or letting agent who will be affected by the fees ban? Will the ban achieve the government’s aim of improving service provision for landlords and tenants or does it just add to the burden on landlords and agents and make investment in the private rented sector increasingly unattractive? Let us know what you think by commenting below.

The Data Protection Bill 2017

Back in August we published a post here on the Simply-Docs Blog with news of a new Data Protection Bill which the government planned to publish soon thereafter. That Bill has now been published and while it is likely to be chopped and changed as it makes its way through Parliament, there are some key things to know about it from the start.

What is the Data Protection Bill?

The main purpose of the Data Protection Bill 2017 is to bring the provisions of the EU General Data Protection Regulation – the GDPR – onto the UK statute book in readiness for Brexit. As many readers will now know, the GDPR comes into force on 25th May 2018, bringing with it new higher standards of data protection compliance and a privacy regime fit for the 21st Century. In its most basic form, the Data Protection Bill will lead to an Act of Parliament that replicates the GDPR, ensuring that UK data protection law remains consistent with EU law – something that will be essential for doing business in a post-Brexit world. There will, however, be some key differences.

What is the difference between the Data Protection Bill and the GDPR?

The GDPR will apply almost uniformly in all EU member states (including the UK until we leave). We say almost because it does provide for limited differences at the member-state level. A member state is able to introduce some exemptions from the GDPR, provided that those exemptions still respect the fundamental rights and freedoms of data subjects, and provided that an exemption is necessary with respect to highly important matters such as national security; the prevention, investigation, detection, or prosecution of criminal offences; judicial proceedings; and a number of other public interest, public administration, and legal matters.

The Data Protection Bill deals with some of these limitations, but it is not just a copy of the GDPR. It will, in some areas, go beyond it. The Bill will also cover:

  • Data processing that is not covered by EU law;
  • The implementation of the EU Law Enforcement Directive;
  • National security matters; and
  • The changing duties of the Information Commissioner’s Office in light of the new legislation.


What key changes will the Data Protection Bill bring?

The Data Protection Bill includes a number of key elements:

  • Making it easier for people to withdraw their consent to the use of their personal data;
  • Implementing the so-called “right to be forgotten” into UK law;
  • Requiring organisations to obtain explicit consent from data subjects when processing sensitive personal data;
  • Expanding the definition of personal data to make it more suitable in the modern world, including data such as IP addresses, cookies, and biometric data;
  • Improving subject access requests (including removing the right for organisations to charge for them in many cases);
  • Enhancing the remedies, such as compensation, available to data subjects in the event of data breaches where the effects of such breaches go beyond financial loss or distress; and
  • Creating new criminal offences that will apply in the case of certain severe data breaches.


Watch This Space!

As with any new piece of legislation, the Data Protection Bill now faces a long journey through Parliament where it will no doubt be subject to a number of changes – minor or otherwise – as it passes back and forth. Moreover, the European (Withdrawal) Bill, formerly (colloquially) known as the “Great Repeal Bill”, presently allows for significant modification of certain legislation by government ministers without it being subject to the normal levels of parliamentary scrutiny, so there is possibly even greater scope for changes that might not otherwise be palatable across the board. As ever, we will keep a close eye on things and keep you informed.

Charities and Loss of Personal Data

One of the major risks faced by UK charities is loss of data. “Loss” includes wrongful transfer, disclosure, corruption, or deletion of data, or wrongful access to data. Charities often hold large amounts of personal data, some of which is particularly sensitive. It may relate to donors or supporters, beneficiaries or service users (including children and vulnerable adults) and their families, carers, staff, or volunteers of the charity. The range of personal data held by charities is often very broad. For example, it often includes bank details, details of donations made, contact details (home or email addresses, phone numbers), dates of birth, information about mental or physical health, or care needs.

How Does Loss of Data Occur?

There are numerous ways in which data may be lost. For example:

  • loss or theft of a laptop or memory stick containing unencrypted personal details;
  • hacking into IT systems to obtain such details;
  • hacking or a virus attack which corrupts or erases data, e.g. ransomware which in effect locks up data until a ransom is paid;
  • leaving paper documents in places accessible to thieves;
  • unauthorised disclosure by staff or volunteers;
  • IT system breakdown or destruction where there is no data backup or disaster recovery facility;
  • staff responding to forged emails purporting to come from a legitimate source.


High-Profile Examples

There have been some high-profile cases of personal data loss. A break-in took place at the premises of the children’s charity Plan UK in November 2015, when five servers containing data including supporters’ contact and bank information were stolen, although in this case it would have been very difficult for the thieves to extract that data. In March 2012, a hacker broke into the IT systems of the British Pregnancy Advisory Service and obtained sensitive personal data about their clients. In January 2016, volunteers at The Alzheimer’s Society used personal email addresses to receive and share sensitive information about clients of the charity, stored unencrypted data on their home computers, and failed to keep paper records locked away. The Society’s volunteers had not been trained in data protection, did not understand charity policies and procedures, and had little supervision. The Society also suffered a hacking incident in 2015, and in 2010 unencrypted laptops were stolen from its premises. In 2011, a social worker at the charity Norwood Ravenswood left a detailed paper report about four children at the side of a house in London after attempting to deliver them to the children’s prospective adoptive parents, and the report was stolen.

What Are the Consequences of Data Loss?

Loss may impact the charity’s own activities, for example, where a database of individuals’ details is deleted or corrupted, and the charity has no other record of them to use as a backup. Alternatively, loss may adversely impact the individuals who are the subject of data held by the charity, for example, where an unauthorised third party gains possession of the data. Apart from the direct financial cost (and other effects) of recovering from its data security being compromised, a charity is likely to suffer damage to its reputation and that may have an adverse impact on the level of donations and trust of donors, supporters, volunteers, and beneficiaries. Indirect possible effects include substantial fines being imposed by the Information Commissioner’s Office (ICO) where the charity is in breach of data protection legislation – the ICO is no longer reluctant to issue substantial fines to charities just because they are charities.

Increasing Risk of Data Security Breaches

It is clear that the risk of data falling into the wrong hands is prevalent and has been rising significantly over the past few years, both for charities as well as other organisations. Although the ransomware attacks in 2017 did not appear to target charities, experts think they could well be prime targets in future because of the large amount of sensitive stakeholder data that they hold – they often hold more sensitive data than other organisations, and personal data is often a saleable commodity. Charities are often seen as easy targets partly because they, more than larger commercial organisations, often lack the resources and expertise to guard against security breaches.

Tighter Regulation

The new requirements of the General Data Protection Regulation (GDPR), which comes into force in May 2018, reflect the degree to which a data breach is now regarded as a very serious issue. In particular the GDPR will require any organisation suffering a breach of personal data to report it to the ICO without undue delay unless it is unlikely to result in a risk to the rights of individuals.

How Can My Charity Prevent Data Loss?

It appears from a Third Sector Insight survey, conducted in 2016, that the majority of charities are not sufficiently well protected against loss of personal data. So, what steps do charity trustees need to take to improve the security of personal data? Here are some measures that might be implemented:

• Review (“audit”) the activities of your organisation, identify weak spots, assess the risks and take steps to mitigate them.
• Adopt a data protection and handling policy. Not only will this assist your charity to comply with the law, it will also confer a range of other benefits: adopting and implementing an effective data policy within a charity will protect your charity’s reputation, while also increasing donor, supporter, and volunteer confidence in the running of the charity. It will also, by making sure all information is kept accurate, save your charity time and money when you market to your fundraising base.
• Appoint a Data Protection Officer to take responsibility for GDPR compliance.
• Have procedures to detect, report, and investigate a personal data breach.
• Make sure that all charity staff and volunteers are fully trained so that they understand their legal obligations (i.e. under the Data Protection Act (DPA), and, when the GDPR comes into force, both the GDPR and the parts of the DPA not repealed at that time). Training should be appropriate to ensure that they know in practical terms what they must do to comply with the law. For this purpose, you should adopt and implement procedures and organisational measures designed to meet the requirements of the legislation. New employees and volunteers should receive data protection training to explain how they should handle, store and transfer personal data. Existing employees and volunteers should be provided with refresher training every couple of years.
• Make sure you use strong passwords on files and portable devices: a weak, easily guessable password is very poor protection for personal information. Use combinations of upper and lower-case letters, numbers and (where possible) symbols in passwords (if you want to see how long it would take a computer to crack your password, try it out at How Secure Is My Password?).
• Encrypt laptops, backup discs, USB memory sticks, and any other portable devices or media. Also consider installing a remote ‘wiping’ solution that will erase the data on a device in the event that it is stolen; note that a remote wipe can only take effect once the stolen device connects to a network, so encryption remains the primary safeguard.
• Consider whether your IT servers (including email) and connected devices (on or off site) are as secure from unauthorised access as they reasonably can be.
• Look at what data (in electronic or hard copy form) might be lost in transit or when staff and volunteers work remotely (e.g. at home), and ensure that your data policy and procedures extend to how they should deal with data not kept at all times within the charity’s office.
• Ensure that when data leaves your charity, the most secure means is used (for example, use VPNs for electronic data and couriers for hard copies).
• Only keep data for as long as necessary. Make sure your charity has established retention periods and has put a process in place whereby personal information is deleted when it is no longer required.
• Implement a system to update information. If you can, ask those whose details are on your database to check and update those details. You can do this via email or by checking their details if they telephone you.
• Make sure that your premises (and physical records and IT equipment there) are secure, that there are proper controls over who comes into the building, and that you know who (including staff, volunteers, cleaners, visitors) is able to and does enter your premises.
• If you outsource data storage to specialists (larger charities may need to do so) then first check their data protection policies and credentials to ensure that they are trustworthy.
• If you store personal or other data on your own systems (i.e. you do not use third party systems), then you would be well advised to back up your data frequently on separate media or secure cloud storage.
• Adopt a data and/or disaster recovery plan, and consider including, as part of that plan, arranging for third party backup data centre facilities to be available so that you can recover data if you suffer an IT failure, data corruption, or a hacking incident.


What Are Your Experiences?

Are you a trustee or employee of a UK charity? Do you think your charity is well protected from a potential data breach? Does your charity follow the recommendations we have set out above? Has your organisation suffered a loss of data, and what was the result? What should have been done to prevent that loss?

We are, as always, keen to hear your views.

What Is The Data Protection Bill 2017?

First mentioned in the Queen’s Speech back in June, the proposed Data Protection Bill was in the news again last week after the Department for Culture, Media & Sport issued a press release outlining the proposed legislation in more detail. The Bill is expected to be published in September and, given its stated purpose, should be ready for the statute book by the time the UK leaves the EU in 2019.

What About the GDPR?

The EU General Data Protection Regulation comes into force on 25th May 2018. This will not be affected by the new Data Protection Bill. Indeed, the primary purpose of the Data Protection Bill is to bring the GDPR into UK law so that our legal standards of data protection remain consistent with those throughout the European Union after Brexit. Not only does this mean that businesses already complying with the GDPR will face little or no disruption in transitioning from the GDPR regime to that introduced under the Bill, but it also means that handling personal data across European borders will be undisturbed by Brexit. In short, carry on preparing for the GDPR. That comes into force first, and there shouldn’t be any major differences under the new domestic data protection legislation that follows.

What Will the Data Protection Bill Do?

As we’ve already stated above, the main purpose of the Bill is to bring UK domestic data protection legislation into line with the GDPR. The UK’s current data protection statute, the Data Protection Act 1998, is quite literally from a bygone era and is no longer adequate to deal with current methods of data collection and processing, nor with current forms of personal data, for that matter. The Data Protection Bill will bring data protection law up to date and, according to the DCMS press release, will include measures to do the following:

• Make it simpler for data subjects to withdraw their consent for the use of their personal data;
• Allow data subjects to ask for their personal data to be erased;
• Enable parents and guardians to give consent to data processing on behalf of their children;
• Modernise and strengthen data protection law to fit with the digital economy;
• Make it easier (and free) for data subjects to require organisations to disclose the personal data those organisations hold about them; and
• Make it easier for consumers to move data between service providers.

(Read the press release in full here)


Will There Be Any Differences Between the Data Protection Bill and the GDPR?

Yes, it appears that there will be some slight differences, exercising the derogations in the GDPR that the UK government originally negotiated. This will include giving young people the right to require social media websites to delete information held about them when they reach the age of 18. The government has also stated that the derogations will allow for ‘a simpler shift for both businesses and consumers as we retain many of the enablers of processing essential to all sectors of the economy, from financial services to academic research, under the new legislation’.

What Should I Be Doing to Prepare?

For now, simply keep preparing (or start preparing, if you haven’t already) for the GDPR. There are no indications that the Data Protection Bill will represent a radical shift from the GDPR – as we’ve already pointed out – its main purpose is to bring UK law in line with the GDPR, subject to some minor differences which aren’t likely to make a big difference to most SMEs in any case.

In the meantime, here at Simply-Docs we will be monitoring the progress of the Data Protection Bill, as well as publishing new documents and guidance focused on the GDPR as May 2018 draws nearer. As always, if you have any thoughts or questions about the Data Protection Bill, we would love to hear from you in the comments.

Charity Fundraising and Data Protection

Damage to a charity’s reputation often diminishes the level of trust in the charity on the part of its donors and supporters, leading to a decline in funding. The reputation of a charity is a key influencing factor in a prospective donor’s decision to donate to that charity.


Damage to Reputation

Reputational damage can arise from a number of causes. For example, supporters might become aware of a serious incident which reduces their confidence in the charity. A serious incident at a charity might consist of fraud, theft, significant financial loss, abuse or serious harm of beneficiaries, links to extremism, investment in or support by an organisation whose aims or activities are at odds with those of the charity, or loss of personal data (e.g. theft of a charity laptop containing personal details of beneficiaries, staff or donors, or the hacking of IT systems to obtain such details).

Improper Processing of Donor or Supporter Personal Data

Other matters can also adversely affect reputation, and in this post, we are focusing on one in particular: a charity’s failure to deal with donor/supporter data correctly. A number of well-known charities were recently fined by the Information Commissioner’s Office (ICO) for misusing donors’ personal data. Media coverage adversely affected not only the reputation of the particular charities involved, but also that of the charity sector generally.

The ICO found that the charities concerned had been using personal data of individual donors in ways which breached the Data Protection Act 1998 (DPA). The breaches comprised failure to be sufficiently transparent about the charity’s use of donors’ personal data, and failure to obtain their consent to that use of data. The charities had been sharing personal data with other charities, using personal data to estimate donors’ wealth (wealth screening), and using what personal data they had about individuals to discover missing information (data matching), all without being transparent or having consent from those donors to do so.

How Will the GDPR Affect Fundraising?

These issues have come increasingly to the fore because of the impending implementation of the European General Data Protection Regulation (GDPR), which will require all organisations, including charities, to comply with new consent and transparency requirements that will be tougher than those under the DPA. If a charity fails to comply with those GDPR requirements, there will be a consequent decline in its reputation because people will tend not to trust it to deal properly with their personal information. That distrust will have a clear and direct adverse twofold impact on donations. Firstly, potential supporters/donors will be disinclined to donate to the charity (or even make contact with it with a view to supporting it in some other way). Secondly, current or past donors will no longer be inclined to donate, and they might ask the charity to no longer contact them and to delete their personal information.

In order to ensure that donations to charities do not fall due to misuse of donor information (and to avoid the risk of substantial fines for breaching the GDPR), it will now be more important than ever that charities review their fundraising practices to ensure that they comply with the transparency and consent requirements of the new GDPR in relation to personal data of donors and others. The ICO has issued draft guidance on data protection and consent under the GDPR, and the Fundraising Regulator has recently issued a best practice guide, “Personal Information and Fundraising; Consent, Purpose and Transparency”, available here, designed to help charity trustees understand their responsibilities under the GDPR.

Even if a charity has met the transparency requirement to tell individual donors that it is processing their data, what it is being processed for, and any other information needed to make it fair to process the data, the charity also needs to establish a clear legal basis for using the data. We will not try to cover that in any detail here, but in general terms this means – depending on the particular circumstances – either having a “legitimate interest” for that use, or consent to that use. Where consent is required by the GDPR (e.g. for direct marketing by electronic means), it will be express consent that will be required. This will be stricter than under the current law, and as a result it is now a hot topic. The existing DPA consent requirements will be tightened up under the GDPR so that from May 2018 the data subject must have the right to withdraw consent at any time and it must be as easy to withdraw as it is to give; consent mechanisms will need to be genuine and granular (‘catch-all’ consents will likely be invalid); and individuals must take affirmative action to provide their consent, such as signing a form or ticking a box.

What Will be the Effect of Complying with the GDPR?

There are two opposing general attitudes to these changes, and we would like to hear your views about them.

One view amongst charities and critics is that those outside the charity sector (including legislators and regulators) do not understand fundraising and have approached it in a legalistic way without taking account of reality, with the result that the GDPR and the manner in which it is interpreted by regulators will lead to fundraising being destroyed in some charities. In particular, they see “opt in” (express) consent as leading to a decline in fundraising because it requires a positive act whereas the normal tendency is towards inertia. The argument is that when one looks at the donor experience in practice, donors do not need or want to have to opt in, and they would be just as satisfied with an effective system that allows them to opt out of contact quickly and easily. Those against the new strictures of the GDPR also point out that the burden imposed by the GDPR on fundraising involves charities having to spend a great deal of time and money working on implementing strategies and processes to comply.

The opposite view is that the new requirements of the GDPR actually create an opportunity for charity fundraisers to increase donations and contact with supporters. The argument is that by complying with the GDPR, charities will actually improve and increase engagement with donors, and will build and strengthen trust amongst existing and prospective donors, and that this will outweigh the issues raised by those who take a negative view of the effects of GDPR on fundraising. The proponents of this positive view say that complying with GDPR will entail charities explaining why data is being collected and what it will be used for, that this can be coupled with an explanation of how the funds raised will be used, and that this will encourage individuals to “opt in” to being contacted and to allow use of their data in the way the charity has explained.

On which side of the argument do you stand?
