Taylor Review Deliveroo’d

The hotly anticipated Taylor Review (Good Work: The Taylor Review of Modern Working Practices) was published last week, having been commissioned by Theresa May last autumn. Matthew Taylor was tasked with chairing a review of employment law practices, the rights of workers and the obligations of employers. It was deemed necessary in light of rapidly changing business models, particularly amidst concerns about exploitation in the so-called gig economy (think Uber, CitySprint and Deliveroo, all involved in recently publicised employment tribunal cases).

Employment Status

The Review made a number of recommendations in relation to employment status. It recommends that the existing three-tier approach to employment status should remain. However, those in the middle category of “worker” (being somewhere between self-employed contractor and employee) should be renamed “dependent contractors”. Also, for these workers/dependent contractors, the current requirement for them to provide personal service should be removed and replaced with a greater emphasis on control (with legislation to outline what is meant by “control” in a modern working environment).

On the same note, the Review notes that the various factors to be taken into account when determining an individual’s employment status (control, personal service, mutuality of obligations and whether the person is carrying on a business undertaking) should be enshrined in updated legislation. There is also provision for a claimant to bring an employment tribunal claim to determine their status without incurring tribunal fees. Where an employer disputes that a claimant has employee or worker status, the Review suggests the onus should be on the employer to dispute.

Further relevant points

Here are some of the other employment law related recommendations:

  • Extend the requirement to issue a written statement of terms and conditions to workers/dependent contractors in addition to employees. Make this a day-one requirement (currently employers have two months to arrange this) and include a description of statutory rights within the statement.
  • Today, an employee wishing to claim to an employment tribunal for a failure to issue a statement of terms and conditions must piggyback this onto another valid claim (e.g. unfair dismissal). The Review suggests making this a standalone claim for compensation (presumably attracting a fee for the employee). An employee can claim for 2 or 4 weeks’ pay.
  • Continuity of employment can be broken by any gaps in employment of one week or more – this should be extended so that only breaks of one month or more would break continuity.
  • To prevent seasonal workers being short-changed on holidays, increase the reference period for calculating holidays for those whose pay is variable from 12 weeks to one year.
  • Individuals should have the option to receive “rolled-up” holiday pay which is effectively an extra payment (12.07%) on their wages instead of paid time off. This practice is currently unlawful as it incentivises employees not to take time off by paying them more money instead of taking holidays.
  • Allow zero hours contractors to request guaranteed hours after 12 months. (Is this to be backed up with a sanction for employers who don’t grant such requests? Will there be a list of permitted grounds for rejecting the request akin to the flexible working request scheme? These are all questions to which we don’t yet know the answers.)
  • Agency workers can request a contract of employment with the hirer after 12 months of engagement with the same hirer.
  • Anyone who has worker/dependent contractor status would be treated as employed for the purposes of the tax regime.
  • Consideration to be given to implementing a higher rate of National Minimum Wage (“NMW”) for non-guaranteed hours in a contract. Businesses would in essence have to pay a higher wage for the flexibility from which they benefit when using zero hours contracts.
  • The NMW legislation should be varied so that gig economy workers (“platform workers”) are categorised as performing “output work” and will not be entitled to NMW for each hour that they are logged into the app at times where there is not any work available.
  • Amend SSP rules so that it becomes a basic employment right which accrues with length of service. Employers should not have to honour the full 6 month entitlement for short service employees.
  • Provide enforcement powers to HMRC in respect of holiday pay (as they have already for SSP/NMW).
  • The Government should simplify the process for enforcing payment of employment tribunal awards by vesting the power in itself to pursue unpaid awards.
  • Review the information and consultation obligations so that these can be triggered when requested by just 2% of the workforce, as opposed to the current 10% required.

Summary

These are interesting times in the field of employment rights and workplace relations.

Watch this space as to which of these recommendations the Government implements.

Many of the suggestions are probably good to go straight off the shelf. Employers would be prudent to review the composition of their workforce to assess the likely implications.

However, much thinking will need to be applied to some of the suggestions before they will be capable of implementation.

Good luck to the draftsman!

Jack Boyle
Associate Solicitor, Employment
@EmpLawyerJack
www.blackadders.co.uk

Blackadders’ award winning employment team present: Preparing 4 Change

Thursday 24th August
Dundee and Angus College, Arbroath
12.15pm registration for 12.30pm start (finish at 1.30pm)
Free seminar

4 hot topics
4 engaging presenters
4 key steps

Are you prepared for change?
Do you know what the future holds?
Are you aware of the potential risks?
Do you want to avoid a fine of up to €20,000,000?

For the answer to these questions (and more!) come along to this free seminar in Arbroath College on 24 August at 12.30.

#Preparing4Change

Gender Pay Gap
Following the introduction of the Gender Pay Gap Regulations in April 2017, Jack will give an update looking at the implications of these regulations. To whom do they apply? What needs to be reported? What is included in the calculation of pay? This is an issue which is currently topical even in Hollywood as actress Robin Wright was recently reported to have demanded the same pay as co-star Kevin Spacey in the popular “House of Cards”.

General Data Protection Regulations
With under a year to go until the new data protection regulations come into force in the UK, lots of questions are arising.  Does GDPR apply to me?  Is there any change in how I can use data?  Do my policies and procedures need to be updated? What happens if I do not comply with GDPR? Ruth will give a brief outline on the impact of these regulations and discuss the key steps employers should be taking. 

Subject Access Requests
What are they? What are the processes? What information about an individual employee can and cannot be withheld? Andrew will discuss the changing law surrounding subject access requests and why employers should be careful about what they say about their employees.

The Art of the Reference
When asked about an ex-employee, what can you say? More importantly, what can’t you say? Is there a duty to tell the truth? Simon will discuss the law relating to references and give some helpful guidelines for best practice for employers.

All you need to know on these key topics in under an hour.
If you go to one seminar this year, choose this one.
If you go to two, come along twice.

If you are interested in attending, please RSVP to:
lesley.rorrison@blackadders.co.uk

 

 

GDPR: Changes are Coming – Are you ready?

Most people will have by now heard the four letters which will change the landscape for data protection in Europe next year – GDPR. The General Data Protection Regulations, or GDPR, will apply automatically within the UK when they come into force on 25 May 2018. While it seems a long time until compliance with GDPR is required, the changes introduced represent a substantial challenge for businesses within the UK and steps should be taken now to limit any issues (or fines) in the future. In the first of several updates on data protection and GDPR, I have set out the main changes for organisations to be aware of (with greater detail to follow on certain key areas in subsequent blogs).

Key Changes

Jurisdiction

GDPR will have extra-territorial application. This means it will apply to all EU organisations processing personal data (whether the processing takes place within the EU or not) and to all organisations processing data of people residing inside the EU (whether the organisation is within Europe or not).

Fines

The current maximum fine which the ICO can impose is £500,000 (although the fines imposed are normally well below this figure). Under GDPR, the fines are substantially increased. Where an organisation has committed a breach of record keeping, contracting or security clauses, the maximum fine will be the greater of €10,000,000 or 2% of worldwide turnover. If an organisation has breached one of the basic principles or Data Subject rights, the fine can be up to €20,000,000 or 4% of worldwide turnover.

It is important to note that most ICO fines at present would be subject to the lower fine levels, which may signify a change in what is now important in data protection rules.

Individuals also have a right to claim compensation for damage caused by infringement of data protection rules. Going forward, damages will include non-material damages for distress etc. (rather than simply proven financial losses).

Data Processors

The current rules generally cover data controllers only (i.e. those responsible for determining the purposes and means of processing personal data). The GDPR creates specific obligations on data processors (those engaged by a data controller to carry out the processing of personal data). These include obligations to (i) maintain adequate documentation, (ii) put appropriate security processes in place, (iii) carry out data protection impact assessments and (iv) comply with rules on international data transfers. Failure to comply with the new obligations could result in fines and potential claims for damages from individuals.

Consent

Going forward, organisations can still rely on consent to process personal data but will need to ensure such consent is freely given, specific and informed. Practically, this means organisations should not rely on opt-out or auto-filled consent boxes. Instead, organisations should ensure requests for consent are clear and distinguishable from other matters, with options to consent to different types of processing. It is also necessary to highlight that consent can be withdrawn at any time in a quick and easy way.

Businesses will need to maintain evidence showing consent has been obtained and have appropriate mechanisms to deal with withdrawal of consent. Given that consent is only one basis for lawful processing of data, organisations may consider if there is another basis for processing which is more appropriate.

Breach Notifications

Under GDPR, any data breach which is likely to risk the rights and freedoms of the individual should be notified to the ICO without undue delay and within 72 hours of first becoming aware of the breach. Where the breach is likely to result in high risk to the individuals affected, the individual should also be notified.

A breach is defined by the ICO as “a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of or access to, personal data”.

Organisations will need to have an appropriate process in place for identifying any breaches and preventing any further breach of data, assessing the potential impact of any breach and thereafter notifying appropriate parties.

Data Subject Rights

A data subject is the individual whose personal data is held by an organisation. The rights that a data subject has under GDPR are broadly similar to the current rules, although some have been expanded. These rights include the right to access information held (or subject access rights), a requirement on organisations to rectify incorrect data and the right to be forgotten.

The GDPR has removed the right for organisations to charge a data subject for access to their personal data. If a request is made to an organisation (letter, email and via social media are all acceptable methods), an organisation should provide all information within one month.

Data Portability

A new right created under the GDPR is data portability, where an individual can request that data held by an organisation be transferred to another organisation. The transfer can be via the individual or between the two organisations directly and must be provided in a commonly used format which is machine readable.

The introduction of this new right will enable individuals to transfer between service providers quickly and easily. It may require organisations to introduce appropriate procedures for transferring data quickly and securely.

Accountability & Privacy By Design

Simply complying with GDPR will not be sufficient for organisations – they should be able to show compliance by having appropriate policies, procedures and training in place.

Organisations should look to keep detailed records of processing operations, perform impact assessments for high risk processing, keep comprehensive records of any breaches and take data protection risks into account from the start of any process, rather than as an afterthought. The key concept is that personal data is only processed where necessary, for a specific purpose and stored for no longer than required.

Data Protection Officers

Going forward, certain organisations will need to appoint DPOs to oversee the protection of personal data. The DPO should report to the highest level of management and will advise on all relevant data protection laws, monitor compliance with GDPR, deal with data protection impact assessments and liaise with the ICO. A DPO is required for all public authorities and bodies and where an organisation has core activities requiring (i) regular and systematic monitoring of individuals on a large scale or (ii) processing on a large scale of special categories of data (sensitive personal data) and data relating to criminal convictions.

There is nothing preventing other organisations appointing a DPO but if appointed, a DPO will have to comply with all relevant obligations under GDPR.

It is important that organisations are aware of the new rules coming into force so they can consider what impact these may have on their own policies and procedures and what changes might be required before May 2018. For more information on data protection or to discuss your GDPR requirements in more detail, contact the Corporate Team at Blackadders.

Ruth Weir
Senior Solicitor – Corporate
@CorpLawyerRuth
www.blackadders.co.uk