Commercial Client Reference Articles

Outsourcing the Processing of Personal Information - Guidance

The Information Commissioner’s Office offers guidance for smaller businesses on how to comply with the Data Protection Act 1998 (DPA) when you outsource the processing of personal information, such as your payroll function or customer mailing information.

In 2018, compliance with the General Data Protection Regulation (GDPR) will be enforced. This imposes strict data protection compliance measures backed by potentially massive fines.

If you use an outside organisation to process personal information on your behalf, you remain responsible for the processing and will be liable for any breaches of the DPA/GDPR. The Act requires that you take the appropriate technical and organisational measures to protect the information being processed whether this takes place in-house or whether someone else does it for you. In order to decide what measures are needed, the following should be taken into account:

  • what sort of information is being processed?
  • what harm might result from its misuse?
  • what technology is available to ensure the appropriate level of security?
  • what would be the cost of providing this level of security?

The guidance stresses that if you employ another organisation to process personal information for you, you must select one that you believe will carry out the work in a secure manner. Ongoing checks should be made to ensure that this is the case. Wherever the organisation is based, you must have a written contract with them. This should state that the personal data can only be used and disclosed in line with your instructions and that appropriate security measures must be taken.

If you are using an organisation based outside the European Economic Area, make sure the contract is enforceable in that country.

In summary, the good practice recommendations if you want to outsource the processing of personal data to an outside organisation are:

  • select a reputable organisation offering suitable guarantees as to their ability to ensure the security of the data;
  • make sure the contract is enforceable;
  • make sure the appropriate security measures are in place;
  • make sure that the organisation makes appropriate checks on its staff;
  • audit the organisation regularly to make sure it is up to standard;
  • require the organisation to report any breaches of security or other problems; and
  • put in place procedures that allow you to act appropriately if a problem is reported.


Money Laundering Regulations

Money laundering is the process by which criminals turn their 'dirty' income – which is usually earned in cash – into 'clean' money, by undertaking transactions which hide the original source of the cash and/or turn the cash into 'legitimate assets'.

The Government's battle against money laundering has caused a massive increase in the compliance burden for firms of all kinds engaged in financial transactions, following the passing of the Proceeds of Crime Act 2002. The main thrust of the regulatory regime is based on the need to 'know your client' (KYC), which is backed by the requirement to report any suspicious transactions. It is estimated that over 100,000 suspicious transactions will be reported to the authorities in the current year.

Money laundering now comes under the remit of the Serious Organised Crime Agency (SOCA).

Compliance with money laundering regulations can cause delays in the completion of quite innocent transactions when there is a need to get 'clearance' for the transaction in question. It is worth remembering that time may be necessary for this - especially when dealing with larger transactions with a foreign element. Do not be surprised, even as a client of long standing, if a bank or other financial institution asks to have sight of your passport before you are permitted to open a new account or undertake a transaction.

The regulations have been progressively tightened up since the Money Laundering Regulations 2007 were promulgated, the emphasis now being placed on management control and the need to carry out a proper form of risk assessment. In 2017, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 came into force, which further raised the bar, especially for professional and finance organisations, to do 'customer due diligence'.

More information on money laundering regulations can be found on the Office of Fair Trading website and guidance is available from HM Revenue and Customs' website.


Nuisance Calls and Texts Law

Since 6 April 2015, changes to the law have given the Information Commissioner's Office (ICO) enhanced powers to take action against companies making nuisance marketing calls and sending spam messages.

Previously, the ICO could only issue a civil monetary penalty if it could prove that the company engaged in nuisance marketing activity had caused 'substantial damage or substantial distress'. That requirement has now been removed and the ICO just has to prove that the company was committing a serious breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

The Regulations permit companies to make marketing phone calls without a consumer's prior permission but they must first check the Telephone Preference Service to make sure the individual has not opted out of receiving marketing calls. Permission is required before sending marketing text messages and companies should always provide details of how the recipient can opt out of receiving any future messages.

In 2014, the ICO received 175,330 reports of nuisance calls and texts and issued £360,000 worth of penalties between April 2014 and March 2015. The level of penalties will no doubt increase now that the rules have been relaxed.

Anyone who receives unsolicited communications of this kind can notify the ICO directly or report the texts to their network operator by sending them, free of charge, to 7726.

ICO guidance on carrying out direct marketing can be found here.

Failure to adhere to the rules can lead to substantial fines which are publicised on the ICO website.

In 2018, enforcement of the General Data Protection Regulation ('GDPR') will begin. This will provide potentially draconian fines where firms transgress its rules, which include the need to obtain 'informed consent' for the targeting of marketing messages via email.


ICO 'Must Do' Data Protection Guide

The Information Commissioner's Office (ICO) has published a guide to protecting personal data, which it describes as outlining the procedures organisations must follow to ensure data security.

In the wake of a fine of £200,000 being handed to a charity which suffered data protection breaches due to lax Internet security, clients are reminded that data protection breaches can prove to be very expensive indeed.

Although the guide deals with the technical aspects of data security, data protection breaches can also have a financial impact under other areas of the law – contract and employment law, to name but two.

The guide includes information on the use of several types of data including CCTV, 'Big Data' and data sharing.

We can advise you on the legal issues relating to data security and how to ensure that your risk of financial loss in the event of a breach is minimised.


Employee Fraud

Most corporate fraud is employee fraud. Although fraud has traditionally been regarded as hard to prove, the Fraud Act 2006 provisions make it easier to obtain convictions for fraud than was possible under the predecessor legislation.

Under the Act, fraud offences are:

  • fraud by false representation. This is committed when a false representation is made which the person making it knew was or might be false and which was made with the intent to make a gain or cause loss;
  • fraud by failing to disclose information. This is committed when the perpetrator fails to disclose information which he is under a legal duty to disclose and which is withheld with the intent of making a gain or causing a loss; and
  • fraud by abuse of position. This is committed when the perpetrator is in a position of trust and acts dishonestly with the intention of making a gain or causing a loss.

There is also an offence of obtaining services dishonestly. This involves obtaining services for which payment is due and failing to pay, in whole or in part, where this is done with the intent that payment will be avoided.


Cookie Law

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 require consent to be obtained for the use of cookies and similar technologies for storing information, and accessing information stored, on a user’s equipment, such as their computer or mobile phone. The Regulations came into force on 25 May 2011. However, the Information Commissioner’s Office (ICO) announced that organisations would be allowed a year-long period to work towards compliance with the changes. That grace period has now expired.

Previously, privacy rules only required websites to tell users about cookies they used and provide information on how to ‘opt out’. Most organisations did this by putting information in their privacy policy. The new rules require that in most cases websites wanting to use cookies must gain consent, which must involve some form of communication whereby the individual knowingly indicates their acceptance. The ICO made last-minute changes to its guidance on how to comply with the new cookie law in order to clarify the following points with regard to implied consent:

  • Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies;
  • If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent;
  • You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand; and
  • In some circumstances, for example where you are collecting sensitive personal data such as information about an identifiable individual’s health, data protection law might require you to obtain explicit consent.

A 'session cookie' exists only to make website functions work for the duration of a browser's session. These are anonymous and are not therefore within the scope of the GDPR.

Direct Marketing Via E-mail - Regulations

UK law relating to the sending of unsolicited direct marketing material by electronic means is based on the EC Directive on Privacy and Electronic Communications and is modified by the General Data Protection Regulation, which will start to be enforced in the UK in May 2018.

A major aim of the Directive was to cut down on the amount of ‘spam’ that e-mail users receive from companies with whom they have never had dealings. The Department of Trade and Industry defines spam as ‘unsolicited commercial bulk e-mail sent without the consent of the addressee and without any attempt at targeting recipients who are likely to be interested in its contents’.

Whilst the intention behind the law is clear, the regulations only apply to UK businesses and will do nothing to prevent spam originating in countries where the relevant laws are less strict or, indeed, non-existent. For genuine UK businesses seeking to increase sales of their products to a targeted market, the effect will be more red tape in order to ensure they do not fall foul of the regulations.

The regulations apply to unsolicited commercial e-mails and text messages (SMS) sent to individual subscribers, rather than to company addresses, so much business-to-business e-marketing is not affected. However, under the regulations the term ‘individual subscriber’ includes sole traders, non-limited liability partnerships and their employees.

All direct marketing e-mails, regardless of whom they are sent to, must include clear sender and contact details. In addition:

  • businesses must gain prior consent in that an individual must have actively opted in before they are sent unsolicited marketing e-mail;
  • if your website uses cookies, or other tracking devices, to recognise previous visitors or to capture information about a user’s preferences, you must tell them this and inform them as to how any collected information will be used. Consumers must be given the right to refuse cookies;
  • individuals are given greater rights to decide whether they wish to be listed in subscriber directories. Directory providers will have to give them full information and a reinforced chance to be ex-directory.

If the recipient of the e-mail was a customer prior to 11 December 2003, you may continue to market to them providing:

  • their e-mail or SMS details were obtained through the sale, or negotiations for the sale, of a product or service;
  • the product or service you are marketing is a similar one;
  • the individual had the opportunity to opt out of receiving direct marketing material at the time they gave their contact details and is given the chance to unsubscribe or opt out on each new message that is sent; and
  • the identity of the sender is not concealed.

However, where a customer has previously registered an interest in a company’s products or services, but has neither bought anything nor entered into negotiations to purchase which then fell through, then that individual’s consent must be sought before you can contact them again for direct marketing purposes.

The Office of the Information Commissioner is responsible for enforcing the regulations by issuing enforcement orders to those who do not comply. Breach of an enforcement order is a criminal offence liable to a fine of up to £5,000 in a Magistrate’s Court or an unlimited fine if the trial is before a jury. Any individual who has suffered damages as a result of a breach of the regulations has the right to sue the person responsible for compensation.


The GDPR requires that consent to be sent marketing email must be unambiguous and freely given and that the recipient must be given adequate information on how their information will be used.

Contractors Are Your Responsibility

A handbook produced by the Health and Safety Executive (HSE) outlines the responsibilities of both the contractor and the client in situations in which work is carried out by contractors rather than employees. It does not apply to circumstances in which the Construction (Design and Management) Regulations apply or to work done by agency workers.

The leaflet begins from the premise that 'all parties must co-operate to ensure that health and safety is properly managed'.

Under health and safety law, both the contractor and the client have responsibilities. The client must identify all aspects of the job that they want the contractor to do and then carry out a risk assessment. They must satisfy themselves that the contractor they have chosen is competent to carry out the job without unacceptable health and safety risks and must explain their procedures and systems to the contractor sufficiently well for them to understand them and act in accordance with them.

The risk assessment should be carried out with the contractor, who will normally be responsible in the same way as the client for any sub-contractors, who should also be part of any relevant risk assessment.

Clients, contractors and sub-contractors must keep their employees properly briefed on any matters that may affect their health and safety.

The guide is another illustration of the Government's intention to improve compliance with health and safety regulations. What is most problematic here is the need for the client to assess the competence of the contractor, which is a potential source of problems for many firms. We can advise you on any legal issues arising out of health and safety matters.

Recent case law has made firms responsible for a number of actions taken by subcontractors, especially where they are under the direct control of the ultimate employer. Just because a person is employed directly by another business they will not necessarily be their responsibility alone.

In April 2008, the Corporate Manslaughter and Corporate Homicide Act 2007 came into effect, which has profound implications for businesses. The Ministry of Justice has issued a comprehensive guide.

As of November 2014, nine prosecutions had been commenced under the Act - all against smaller companies - and successful prosecutions obtained in all cases so far decided. Fines of up to £500,000 have also been imposed.



Patent Searches

Checking for existing patents in force is easy (and free) if you use the UK Intellectual Property Office's (UKIPO) patent databases which are accessible online. The new databases replace the Patents Journal and are designed to make obtaining information sought a quicker process.

The first of the databases contains current UK patents that are open to licensing agreements.

The second database contains patents that are no longer in force.

Using the databases allows businesses to look for commercial opportunities, such as patents which they may be able to exploit for themselves if they can reach an agreement with the owner of the patent, or patents which have effectively come into ‘free use’ by expiring.

In addition, patent applications that are filed but not yet published will be able to be examined online within a few weeks of filing.

The UKIPO also offers a toolkit to help businesses understand how counterfeit goods enter the supply chain, with step by step guidance on what to do if counterfeit goods are detected.



Step by Step Plan for Health and Safety Compliance

The Health and Safety Executive (HSE) has published a ‘step by step plan’ for businesses for protecting the health and safety of workers and others. The key recommended actions are:

1. Register a new business with the appropriate authority (HSE or your local authority);
2. Take out employers’ liability insurance and display the certificate as required by law;
3. Make sure you have someone competent to help you comply with health and safety regulations;
4. Decide on your health and safety policy (how you will manage health and safety issues);
5. Carry out an assessment of risks (potential dangers and appropriate precautions to take) and act on the findings;
6. Provide basic welfare facilities, such as washing and toilet facilities;
7. Provide appropriate health and safety training for employees;
8. Consult with workers on health and safety matters;
9. Display the required health and safety law poster or give workers a leaflet containing the information; and
10. Report as required any work-related accidents, diseases or dangerous incidents.

