Practical guidance on the GDPR – Part 5

In response to our invitation to contact us with GDPR enquiries, one kind reader has bowled us this particular googlie:

Most people in business will have accumulated large contact lists in Outlook email systems or similar, containing many names and other contact details built up over a number of years. Will the GDPR really require that data to be reviewed or deleted or specific consent for it to be obtained? Or what remedy, if it were later found that this data were not validly held?

Continue Reading

US Immigration Update: Executive Order Travel Ban, DACA and What Employers Need to Know

Executive Order Travel Ban Update

In recent days, the US Supreme Court (SCOTUS) has once again weighed in and issued a preliminary ruling regarding the Executive Order Travel Ban (EO) challenge in Trump v. Hawaii. For background, please see our prior blog posts detailing the travel ban EO’s history and SCOTUS’ decision of June 26th.

On September 12, 2017, SCOTUS issued an order blocking the Ninth Circuit Court of Appeal’s September 7, 2017 ruling that would have exempted from the travel ban refugees who have a formal assurance from a refugee resettlement agency. Per this ruling, refugees are now barred from entry under the EO if their sole basis for establishing a “bona fide relationship” with a person or entity in the United States is based on a formal assurance from a refugee resettlement agency. However, SCOTUS order did not disturb the Ninth Circuit’s September 7, 2017 ruling with respect to grandparents, grandchildren, brothers-in-law, sisters-in-law, aunts, uncles, nieces, nephews, and cousins of persons in the United States. These individuals remain exempt from the EO travel ban. The Supreme Court will hear arguments on the merits of the challenge to travel and refugee ban on October 10, 2017.

DACA Phase-out Continue Reading

Recently-Released NLRB Advice Memo Favors Reversal of Precedent on Weingarten Rights For Non-Union Workers

On September 7, 2017, the National Labor Relations Board (NLRB or Board) released several advice memoranda issued previously by the Board’s Office of the General Counsel to local field offices.  Advice memos are used by the Board’s General Counsel to guide local offices on Board policy, and may serve to instruct the offices on a certain strategy or course of action in a particular case.  Advice memos are not generally made public, but may be released in certain circumstances after a case has closed.  These memos can then be used more broadly to understand the Board’s enforcement strategies.

One of the advice memos released by the NLRB this month (but originally issued on December 1, 2016) addresses Weingarten rights.  As you will recall from our prior post, Weingarten rights allow employees to request representation during an employer’s investigatory interview that the employee reasonably believes could lead to disciplinary action.  As we mentioned in that post, Weingarten rights consistently have been applied to employees in unionized workplaces.  However, the Board’s position on whether employees in non-unionized workplaces have Weingarten rights has fluctuated (to say the least) over time.  Continue Reading

Practical Guidance on the GDPR – Part 4

Here are answers to two more questions arising from next year’s GDPR, this time on website recruitment and data breach notification. More to follow in this series soon.

We have a contact form section on our website to allow people to submit details (name, email, phone number & CV) if they want to be informed of future vacancies in our business. Is this allowable under GDPR or should we remove it?

The GDPR will not prevent organisations from including such sections on their websites. As the collection and use of such information would amount to “processing” for data protection purposes, however, the employer will clearly be obliged to comply with the new obligations under the GDPR, e.g. providing much more information to individuals about what data is collected, how it will be used, who it will be shared with, etc. Specifically you would also be advised to include on the site information about how the decision will be made (if any such decision is made) to filter the vacancies to things the candidate might be interested in. Is it salary range, particular departments only, based on the formal qualifications entered, etc.? Is that decision made by a human being or a computer?

If a computer, does it need all the information your website requests in order to perform that function. Does the human being? In other words, are you sure that you are not asking at the website input stage for any data that isn’t necessary for the taking forward of your candidates’ interest to the next step? Make a record of your reasoning in this respect.

You will also wish to include somewhere reasonably prominent on the website details of the candidates’ rights and obligations in relation to the data submitted through it. The obligation is essentially to keep you updated if their details change, while the main rights are to require you to provide the usual data subject access to how you have recorded and used their information, to correct anything you have got wrong, to have all or any of it deleted and to complain to the ICO if they see fit.

If you cease to send vacancy details after, say, 6 months then you should say so up front and delete the data at that time unless the individual expressly makes a fresh application or otherwise consents to your extending his time “in the system”. Do note that you will need positive consent to this, i.e. “Check the box if you want us to keep sending you vacancies”, not “Check the box if you want us to stop”.

Just as a side-note from the employment law perspective, it is not generally wise for employers to maintain lists of candidates just in case something comes up, without its pruning those lists on a regular basis. Otherwise one day you will fail to send details of a vacancy the individual thinks he/she should have got, and then you are into issues of why – was it race, sex, pregnancy, etc. – with the burden on you to show what happened. So just as for data protection purposes, the commitment to keep someone’s details “on file” (whether paper or a recruitment website page of this sort) should be expressly time-limited. That is the case whether you are holding that information as employer in relation to your own possible vacancies or as a recruitment business for other people’s.

Does an employer have to inform its employees if there has been a data breach by it or one of its data processors?

Potentially, yes. There are new data breach reporting obligations in the GDPR.

If there has been a data breach, the data processor must notify the data controller of the breach “without undue delay”. The data controller must then notify the ICO of the breach without undue delay (where feasible, within 72 hours of the breach) unless the breach is unlikely to result in a “risk” to the rights and freedoms of the individuals. Where the breach is likely to result in a “high risk” to the rights and freedoms of individuals, the data controller must also notify the individuals directly about the breach.

So if, for example, an outsourced payroll provider loses the salary and bank details of certain employees it would be required (as the data processor) to notify the employer (as the relevant data controller) of the breach without undue delay. The employer must then notify the ICO also without undue delay and, where feasible, within 72 hours. Furthermore, as the breach is likely to result in a high risk to the rights and freedoms of employees (because the loss of salary and bank details could leave them at increased risk of identity theft) the employer must also notify the employees directly about the breach.

ICO Guidance is expected on data breach notification obligations before the GDPR comes into force.

Webinar: Setting off on the right foot – key concerns about starting the employment relationship in the UK

Squire Patton Boggs and pre-employment screening specialists ADP present a webinar focussing on the common issues arising at the start of the employment process.

On 10 October 2017 at 4.00 p.m. UK time, David Regan and Annabel Mace from Squire Patton Boggs and ADP Pre-Employment Screening Manager Kevin Stone will consider:

  • Pre-employment screening
    • Why do it?
    • When is it permissible?
    • What are the risks?
    • Good screening practices
  • Immigration and visa issues
    • What obligations are there on employers to ensure staff have the right to work in the UK?
    • What does Brexit mean for prospective employees from the EEA?
  • Key legal pitfalls
    • Discriminatory job advertisements
    • What not to ask at interview
    • Common mistakes employers make

The webinar will last for 60 minutes – including an online question and answer session – and will be of interest to HR professionals, recruiters and in-house counsel.


The form labor agreement that’s making headlines in Japan

Last week, Japanese newspapers reported that a national medical research center in the suburbs of Osaka had entered into a so-called “36 agreement” with its doctors and nurses in 2012, allowing these employees to work up to 300 hours of overtime per month and up to 2,070 hours of overtime per year. (To be clear, these hours are in addition to the employees’ ordinary working hours.)

Japan has earned a reputation for long working hours, but 300 hours a month is shocking even by Japanese standards. By law, most workers are limited to 45 hours of overtime per month and 360 hours per year, unless extenuating short-term circumstances require them to work longer. The government has recently designated 100 hours per month as the “death by overwork line,” which employers should not cross for the sake of their employees’ health.

So what is going on at this research center? Why are all these medical professionals apparently required to work non-stop for months at a time?

Continue Reading

West Midlands employers – save time, save money, save stress

Event PosterHere we are, September already.  How did that happen?

Only two certainties lay ahead – first, that there will be Christmas stuff in the shops by the end of the month and second, that the abolition of Tribunal fees will be turning many employees thoughts to claims they might not have made before.  By all accounts it will be a busy run-up to the festive season for Employment Tribunal staff.

There is nothing we can do to help you with the cost, distraction and stress of Christmas, but here is something to address the other certainty. We are proud to be the only lawyers speaking at the Civil Mediation Council’s Conference in Solihull on 19 October, Save Money, Save Time, Save Stress.  With a panel of professionals experienced in workplace dispute resolution, this session will show you how your business can use mediation as a robust and pro-active part of your internal grievance mechanisms.  We will cover how to sell mediation to your management and staff alike, avoiding the pitfalls of over- or under-promising in relation to it and (our piece) how even unsuccessful mediations can still be of great benefit to your management of the workplace disputes which otherwise, like the Sales, may be everywhere by the New Year.

Whether you are a mediation sceptic willing to learn a bit more or already a convert in principle but unsure how to implement it in your workforce in practice, this is the conference for you.

Please do come along – the feedback from when this conference was run in London earlier in the year was fantastic and if you reach a mediated settlement to just one claim which would otherwise have gone to Tribunal, you have recouped the attendance cost many many times over.

Register for the event

Practical Guidance on the GDPR – Part 3

This is the next in our series of posts on questions raised at our recent GDPR webinar.  If you have any views or further queries in these areas, please do get in touch.

What impact will the GDPR have on Model Clauses?

Model Clauses are standard contractual terms adopted by the European Commission for the transfer of personal data outside the European Economic Area.  They are one of several approved ways of ensuring adequate safeguards for personal data transferred outside the EU.  Those clauses will continue to be valid under the GDPR.

In a departure from the current position, however, they will no longer require authorisation from the relevant data protection authority.  In future, the European Commission may also update or replace the existing Model Clauses as it sees fit from time to time.  Notwithstanding the UK Government wittering about “taking back control”, it is highly likely that post-Brexit the UK will still slavishly follow the current and future versions of the Model Clauses so as not to create any perception that our protections for employee data are weaker than the rest of Europe.

In addition, it will remain the case that merely having those clauses in your contracts with overseas (non-EU) processors – cloud suppliers, group companies, payroll providers, etc. – will not be enough.  Reasonable steps should also be seen to be taken to monitor that third party’s compliance with those clauses and, if necessary, to enforce them by commercial and/or legal threat.

Continue Reading

Trump White House Halts EEO-1 Pay Reporting Requirements

In another example of reversing Obama-era initiatives, the White House Office of Management and Budget on August 29 indefinitely stayed the deadline for employers to comply with the new EEO-1 form that would have required the collection of annual pay and hours worked data.  The EEO-1 form was revised in September 2016 to require employers with at least 100 employees to collect wage and hours worked data for its employees grouped in various job categories.  (See out prior post here.)  Due to the anticipated heavy burden and cost of gathering, aggregating and reporting the information and also questions regarding the data’s utility and confidentiality, the revised form’s requirements were met with staunch opposition from business groups, including the U.S. Chamber of Commerce.

In a memorandum to the EEOC, the OMB’s Office of Information and Regulatory Affairs informed the agency that the 2016 pay data requirements were being stayed immediately and directed the agency to submit a new information collection package for the EEO-1 form for OMB’s review.

As a consequence, according to EEOC Acting Chair Victoria Lipnic, the earlier approved EEO-1 form remains in effect, and employers with 100 or more employees and federal contractors will be required to submit only the data required before the September 2016 changes.  The deadline to submit EEO-1 forms remains March 17, 2018.

Texas Federal Judge Invalidates Obama-Era Overtime Regulations

In 2016, the Department of Labor issued long-awaited amendments to the Fair Labor Standards Act (“FLSA”) regulations that would have raised the minimum salary for employees exempt under the so-called “white collar” exemptions from $455/week ($23,660 annually) to $913/week ($47,476 annually) (the “Final Rule”). The Final Rule also would have required an upward adjustment to the minimum salary level every three years, with the first automatic increase scheduled to occur on January 1, 2020.

On November 22, 2016 – the eve of the December 1 effective date of the Final Rule – we reported that Judge Amos L. Mazzant of the Eastern District of Texas preliminarily enjoined the Final Rule’s implementation, finding that the Department of Labor (“DOL”) exceeded its Congressionally-delegated authority by raising the salary threshold. That decision – which preliminarily enjoined the implementation of the Final Rule nationwide – was appealed to the Fifth Circuit Court of Appeals. Continue Reading