In 2019, we are running two courses which will cover much of the knowledge and many of the skills needed to be a successful Manager of people.

We have designed both these courses to suit those who are new to Management, as well as being a useful refresher for the more experienced Manager who is looking to develop their existing skills and/or wants to be more successful by learning new/different approaches, as part of their personal/career development.

Our training courses are highly participative, practical in content, and are intended to challenge our delegates into recognising there are always alternative ways of dealing with people and/or situations.

Building Effective Working Relationships – Norwich – 4th April & Newmarket – 30th April

It is a major part of a Manager’s role to build effective working relationships. If done well, this will help create high performing teams, as well as further developing trust and respect from those that you work with, both internally and externally.

We will cover what is really meant by regular and open two-way communication skills, influencing skills (including bosses), managing boundaries and tips on how to deal with difficult situations and people (conflict resolution).

All of this will promote productivity, success and enhance well-being in the working environment.

Why Employees do and don’t turn up to Work – Norwich – 17th October & Newmarket – 13th November

Many Managers are prone not to look beyond income as the reason why people come to work. Whilst pay is important, social interaction, job satisfaction and recognition are other key motivators.

Whilst this course will look at effective methods to help control absence, we will also be encouraging Managers to better understand the root causes behind why people do not turn up for work.

Course content will include the dangers of presenteeism, the benefits of return to work meetings, and the importance of focusing on small scale, but high impact well-being initiatives, seeing as mental health and stress combined is the number one reason why people are off sick these days.

If absenteeism is a problem at work, and/or you are looking for some simple, yet practical tips on dealing with mental health issues, and improving well-being amongst your people, then this course is a must for you.

**** STOP PRESS ****
Brexit & Immigration Employment Issues Seminar – Newmarket – 9th April 2019

Immigration and Employment are very current and related hot topics. BackupHR and DavidsonMorris Solicitors are joining forces to discuss the impact of Brexit on your ability to retain and recruit EU nationals, as well as looking at the wider immigration landscape for employing non-UK nationals. We will focus on how you can assist your affected workforce (and their families), so that the Organisation and employees are ready for when the final proposals are agreed and enforced.

Immigration rules are complex and subject to frequent amendment. However, there are immigration provisions which you can use, especially lesser known immigration rules and proposed changes to the law, which could have a positive impact on retaining and recruiting your workforce.

We will also provide some practical guidance on the related employment issues and documentation that you also need to consider in a rapidly changing environment, and the costs/penalties for getting it wrong.

We are delighted that our keynote speaker is Anne Morris, a leading immigration lawyer. Anne will provide genuine insight into this complicated area of law, as well as offering real solutions on what to do. This seminar will be very engaging, and we encourage you to bring along your questions.

Medical conditions can be a complicated subject for employers. Medical conditions are a very personal subject with details that an employee might not want to willingly or fully disclose, yet the employee’s ability to work could well be impaired, which may lead to changes and adaptations being required.

Employers need to know where they stand to avoid breaking the law, but it is important to be sensitive to the needs of each employee beyond what the law requires. Simply being allowed to ask a certain question does not mean that you definitely should. Tact can go a long way in keeping communication as open and as regular as possible, and in building up a sufficient degree of trust that encourages the employee to co-operate.

At a glance – What you can ask?

  • Employers can ask questions that help them to determine if they need to make reasonable adjustments. This might include an adapted working environment, or additional flexibility in the job role or working hours.
  • An employer can ask about a medical condition if it’s believed that the condition is currently, or might in the future, affect the employee’s ability to do their job.
  • An employer can ask a medical professional for an employee’s medical records, or information about their health, with permission from the employee.
  • Employers can encourage employees to volunteer information about any health conditions that arise during employment, so they can make reasonable adjustments to support the employee in their work.
  • If an employer wants to consider reasonable adjustments for an employee, but is unsure of what the options could be, then they can seek advice from the employee’s GP or an Occupational Health (OH) provider with the employee’s consent.

Recruitment

The ‘recruitment stage’ covers everything up until the point where a job offer is made. After the offer has been made to the applicant, the rules for employees apply.

During recruitment, employers are not allowed to ask any questions regarding health or disability. This is because Section 60 of the Equality Act provides that, in most circumstances, employers must not ask about the health of job applicants before making a job offer. This includes questions about the number of sick days taken at the applicant’s previous place of work.

Exceptions are made for questions that determine the applicant’s ability to take part in any assessments, and to highlight any adjustments that the applicant might require to have a fair shot at the assessment, such as personality tests, manual dexterity tests, or typing assessments etc.

This means that employers should not ask applicants to complete medical questionnaires at an early stage of the recruitment process – and should certainly not be asking OH professionals to get involved in assessing an employee’s health or fitness until a job offer has been made, other than where a specific exception applies.

This “freestanding” legal requirement has a complex interface with discrimination law. Asking prohibited questions will not, in and of itself, amount to discrimination against a job applicant. However, if inappropriate questions are asked, the burden of proof will fall on the employer to show that no discrimination took place as a result, or that the candidate was rejected because of the consequences of a disability rather than because of the disability itself. The former might be justifiable, the latter is not. In addition, the Equality and Human Rights Commission may independently investigate and take enforcement action against employers that are in breach.

There are also exceptions made for questions that determine whether or not an applicant can do a part of the job that is absolutely essential, i.e. intrinsic to the role, e.g. questions that determine whether applicants can climb or do heavy work. The obvious question surrounds the meaning of the words “necessary” and “intrinsic”. When does an important part of a job become intrinsic? And when is it actually necessary to ask questions? Unhelpfully, the legislation does not provide answers to these questions. Employers should consider carefully what functions are intrinsic, or as per the wording in the EHRC guidance, “absolutely fundamental” to the job being recruited for, bearing in mind the job specification. In most office-based jobs, the manual functions that are truly intrinsic to the role are likely to be few and far between. For example, in most office roles applicants would need to have modern computer literacy, and establishing this need not involve asking health questions.

The example used by the Equality and Human Rights Commission (EHRC) is that of a candidate for a scaffolder role being asked about their ability to climb scaffolding at height. This is a very unusual example, and we would prefer to use the example of roles that require frequent manual handling, where questions related to the candidate’s level of physical fitness may be permissible, providing this objective justification has been clearly stated in advance, in the job description, person specification and preferably risk assessments. There is no guidance at present on more complex scenarios, such as an office role requiring multi-tasking and at times high levels of stress. However, if there is clear evidence that a role generates a very high level of regular work pressure, e.g. dealing with customer complaints, then it might be legitimate to state that expecting candidates to have the mental resilience to cope with this is not unreasonable.

An employer may consider it necessary to ask a candidate whether they have any condition that would hinder such activity. The focus should not be on the disability, but the task(s). This means focusing on their recent experience of, e.g. heavy lifting or dealing with the full-on pressure of customer complaints, rather than focusing on health issues that may prevent them from doing so. While this seems an over-cautious approach, there is no case law on the approach that tribunals should take. As a rule, questions about current health are much more likely to be considered “necessary” than questions about past health. Employers should avoid asking questions that start with: “Have you ever suffered from….”

Adjustments during the Application Process

Employers are permitted to ask questions about health if it is necessary to do so, in order to ascertain whether or not any potential candidate with a disability may need reasonable adjustments to be made to the recruitment process (not the role) to allow them to participate, e.g. make special access arrangements to attend an interview. If applicants have to carry out any kind of assessment as part of the recruitment process, then allowances or arrangements may have to be made to ensure that a candidate is not put at a disadvantage.

Ideally, information in this regard should not be requested at the initial application stage, and should be sought only once a candidate has been selected to attend for interview. Candidates should be asked if there are any adjustments required, not whether or not they have a disability. Employers must not let the knowledge of the fact that an applicant needs adjustments influence the recruitment decision.

Monitoring Diversity

Employers can still ask questions about applicants’ disabilities to monitor the diversity of their workforce. Diversity monitoring forms should be kept separate from other recruitment documents, and should ideally not be made available to any decision-makers in the recruitment process. There are a range of data protection issues to also consider when collating such sensitive personal data, which is another example of a special data category.  One final point though, if you decide to monitor such information, then make sure that the data collated is properly used to help improve your diversity to make a real difference.

Conditional Job Offers

The Equality Act restrictions fall away once the employer has offered the candidate the role. As such, an employment offer can be conditional on the individual passing a health assessment.

However, if the information reveals that the candidate is disabled, withdrawing the offer may be discriminatory, unless it can be shown that no reasonable adjustment could be made to enable the candidate to perform the role. To help manage the discrimination risk, where possible, use health questions that are tailored to the particular role, or, if you do use a generic questionnaire, make sure you base any decision on answers to questions which are relevant to the role. If questions or a medical check reveal a condition that will affect an individual’s ability to carry out the role for which they have been recruited, the employer will need to consider reasonable adjustments. This may require co-operation with OH providers, including discussions around how specific adjustments will assist the individual.

If there are no reasonable adjustments that can be made, it is possible for the employer to withdraw the job offer. Withdrawing an offer should always be an absolute last resort, as there is clearly scope for legal claims here, so any adjustments must be very carefully considered. If none are viable, the employer must have an objective business reason to withdraw the role.

Confidentiality of Information

Employers have a duty to maintain medical information about the health of applicants, employees and ex-employees. The ICO provide guidance.

They start with general advice, such as keeping paper records under lock and key, and using password protection for computerised ones. Only staff with proper authorisation and the necessary training should have access to employment records.

Where possible, sickness records containing details of a worker’s illness or medical condition should be kept separate from other less sensitive information, for example a simple record of absence. This can be done by keeping the sickness record in a sealed envelope, or in a specially protected computer file. Only allow Managers access to health information where they genuinely need it to carry out their job.

Employers are not responsible for all aspects of their employees’ state of health, but they are charged with a duty of care, ensuring the employee is medically fit for a certain job (for example, driving a bus). They must ensure that the work conditions do not cause adverse health effects on their workforce (such as an occupational illness). If you wish to collect and hold information on your workers’ health, you should be clear about why you are doing so, and satisfied that your action is justified by the benefits that will result.

The law requires openness. Workers should know what information about their health is being collected and why. Gathering information about workers’ health covertly is unlikely ever to be justified.

Once you are clear about the purpose, check that the collection and use of health information is justified by the benefits that will result. In doing so, remember that:

  • gathering information about your workers’ health will be intrusive;
  • workers can legitimately expect to keep their personal health information private, and expect that employers will respect this privacy;

Be aware that all information relating to a person’s health will be sensitive personal data (now called special categories) for the purposes of data protection legislation. Appropriate consent will need to be obtained to ensure compliance with the legislation. Employees are permitted to make a data subject access request to access personal data held about them by their employer – this includes health and medical reports.

Medical information voluntarily offered up by a candidate during an interview

The fact that a candidate brings up their health at an interview does not change the position – discussions around a candidate’s health should not normally take place before a job offer is made.

Where this happens (and the information is not given in the context of discussing an intrinsic function of the job), the Manager should explain that they do not need to know about a candidate’s health at this stage in the recruitment process, and should then move on. Managers need to be aware that they should not make any comments during the interview about the potential impact of that condition on the candidate’s ability to perform the role, unless it is intrinsic to the job.

What if an employee subsequently reveals they have an existing medical condition?

It is difficult to rely on inaccurate or misleading answers in this context as the basis for a fair and/or non-discriminatory dismissal. This is because it is not clear whether or not an employee is actually obliged to reveal a medical condition; there is nothing in the Act that requires applicants to disclose their disabilities, and the EHRC Code recognises that people with disabilities may be reluctant to disclose them.

More extreme cases may justify dismissal where no adequate explanation for the inaccuracy is provided, for example if the individual holds a role where honesty and integrity can genuinely be said to be a fundamental requirement of the role, or where the impact of the medical condition puts their health, safety or welfare, or that of others, at risk. If it turns out that an employee has a medical condition that prevents them from doing their role (and no reasonable adjustments can be made), the fact that they cannot do the role could justify dismissal, but proper consideration should be given to alternatives, such as whether or not there is a suitable alternative vacancy.

Tips for handling Health and Disability Issues in the Recruitment Process

  • Train your interviewers so they understand what questions they can and can’t ask candidates about health/disability.
  • Regularly review any health-related questions that are asked of successful candidates to ensure they remain relevant to the role.
  • If a successful candidate does have a disability and reasonable adjustments need to be considered, make sure those deciding how the role can be adjusted understand what compliance with the duty entails.
  • Questions should be restricted to whether there is any specific health reason why the individual cannot perform any of these tasks.
  • Questions should go no further than is necessary. Past medical history will probably be irrelevant.
  • Questions about a disabled person’s ability to carry out a particular role should be accompanied by a question about their ability to do so with reasonable adjustments in place.
  • Consider whether in fact a role specific application form or assessment process is appropriate.
  • Remember the provisions will capture not only questions asked of an applicant, but also those asked of a third party, for example, in a request for a reference made to the applicant’s current or previous employer.
  • Offers of employment should, therefore, be made subject, as appropriate, to satisfactory health checks; the outcome of which could potentially lead to reasonable adjustments being made or, provided it is justified, the offer of employment being withdrawn.

During Employment

Employees are protected by law when it comes to being asked questions about medical conditions. The burden of proof is on the employer, who must be able to show that they had a valid reason for asking a question. If an employee believes that they were asked a question by reason of discrimination, then the employee can take legal action.

The law on access to medical reports is unfortunately not always very clear. The main regulations are the Data Protection Act legislation and the Access to Medical Reports Act 1988 (AMRA), but in addition, common law applies and Doctors must also take into account any guidance from the General Medical Council. The Equality Act is also important, as it protects against discrimination in the workplace.

To obtain a medical report, you must comply with the law which provides employers with a right to access medical reports for employment purposes provided by a medical practitioner who is, or has been responsible for, the individual’s clinical care.

There are many reasons why an employer would like to obtain medical reports, such as:

  • to understand when someone on long-term sick leave is likely to return to work;
  • to establish whether there is any underlying medical reason behind an employee’s regular short term absence;
  • to determine whether an employee is suffering from a condition which would amount to a disability and, what reasonable adjustments need to be made;
  • in relation to an employee who is at work, but whose fitness to undertake their role appears to have deteriorated, either following a period of absence or for other reasons;
  • to assist an employer’s compliance with its health, safety, and welfare (well-being) responsibilities;

What the Report should cover?

Rather than make general requests about the employee’s health or medical condition, the request should refer to the employee’s ability to do their job. It should ask specific and relevant questions, and be limited to the reason for the obtaining of the report. For example, if you have an employee who is on long-term sick leave and you are considering dismissal, you should ask specifically what their likely date of return to work is, if they have any disabilities, if there are any reasonable adjustments that could be made to accommodate their disability, or if they have any specific recommendations about redeploying the employee into other available roles in your business.

Applying for a Medical Report

There are strict conditions which need to be met if an employer wishes to make an application to see an employee’s medical report. They must:

  • inform the employee in writing of their intention to make this application;
  • notify the employee of all their rights under AMRA, mentioned above;
  • receive the employee’s explicit, written consent;

Employers should send evidence of the employee’s consent to the doctor when making the request.

How can the employee respond?

Employees can do any of the following:

  • decline to give their employer their consent;
  • consent to the application and agree that the report is sent directly to their employer;
  • provide their consent to the application but state they wish to see the report prior to it being sent to the employer;

What if an employee refuses to provide consent?

A provision in the employee’s Contract of Employment may oblige employees to undertake a medical assessment if requested, and allow employers to see medical reports. Depending on the wording of the provision, the employee would be in breach of contract and face disciplinary action if they did not provide their consent. However, the employer will still need to follow the procedure in AMRA, and need to make sure that the request is reasonable and proportionate.

If your contract does not allow this, you cannot force an employee to provide their consent. If they do not consent, you should explore the reasons why. You may be able to allay their fears. For example, if they are worried that everyone in the office is going to know their private business, you can confirm that this information will remain private.

Appendix 4 of ACAS’s guide: Discipline and Grievance at Work makes it clear that if an employee does not give their consent, they should be notified in writing that the employer will take a decision based on the evidence they have available to them, and this could lead to dismissal. This may persuade an employee to give their consent. An Employment Tribunal will generally accept that the employer has little option but to make a decision, including a decision to dismiss, based upon the information that it does have.

Who should the employer instruct to undertake the medical report?

The choices of whom to instruct to undertake the report are generally:

  • The employee’s GP;
  • A specialist doctor, consultant, or other health professional e.g. physiotherapist or counsellor treating the employee;
  • An independent health or occupational health practitioner not involved in the employee’s medical care; or
  • The employer’s own doctor, or the employer’s regular Occupational Health service;

We would rarely recommend an employee’s GP.

Remember, an Employment Tribunal will consider whether you properly assessed the employee’s condition or illness to find out their likelihood of returning to work or ability to do a job. If medical evidence is sought and decisions are based on that report, an Employment Tribunal is likely to deem consequent action to be fair. If recommendations within a report are not implemented, then it is important that there is justification as to why it was deemed the suggestions could not be reasonably applied, e.g. too expensive or totally impractical.

We would also advise that in matters of employee health, you should seek expert advice very early on.  Our Consultants would be pleased to advise you on any element of the issues arising from this newsletter.

The GDPR and the new UK Data Protection Act are forcing a review of many business processes, and thereby challenging lots of processes and forms.

We are particularly concerned about new employees, and what is ‘done’ to them in two respects.

New employees need to feel at home, and become as productive as possible in the shortest amount of time. This requires some foresight and effort from Management prior to the start date, as well as planning your employee’s induction process, but in turn this can reap real and quick returns for everyone involved. The sooner a new staff member is made aware of the critical and regular policies and procedures within their new workplace, the sooner they are able to comply with company expectations. Your staff induction programme should be delivered in a simple format that explains any legal requirements that impact on their job role, e.g. health & safety requirements, as well as your working procedures, rules and practices, your expectations of them and their specific responsibilities.

In addition to helping new staff, an induction process can be useful for helping employees who are returning from extended leave, or are taking on a new role in the business.

Prepare an Induction Checklist

Most employers remember what they need to take a new employee through, usually based on what they did last time, invariably without checking whether the last inductee actually found it to be of any help and benefit. It is good practice to have a document that outlines:

  1. Pre-start – things like computer set-up, email set-up, vehicles etc.;
  2. On the first day – show emergency exits, explain software, etc.; and
  3. The first week – training sessions, larger overview of organisation;

It needn’t be that long. However, we would recommend at least some form of checklist that covers the basics of your employee induction process. For example, you can include items such as:

  • Introduction to Team Leader or direct Manager.
  • Obtaining/checking personal details.
  • Office/work times.
  • Checking understanding of employment contractual requirements, including the contents of the Handbook.
  • Performance standards and expectations of new employee over various milestones, e.g. first week, first month, probationary period and first year.
  • Introduction to team members with explanation of team roles and responsibilities.
  • Organisational chart and introductions to other key people outside of their team.
  • Showing them where they are working, layout and ergonomics of workspace.
  • Homeworkers will need to complete a home-working self risk assessment.
  • Security issues and access to the building.
  • Health, Safety and Welfare related procedures, rules, requirements and how to safely operate work equipment.
  • IT and any job-related data protection obligations.

We have taken the opportunity to review our template documentation to be GDPR compliant. The revised induction checklist addresses the issue which all employers need to deal with, i.e. ensuring training in data protection and being able to prove that training.

Employment Details Form and Personal Data

We recommend to our clients that there are important key checks that you need to undertake once you have made an appointment, preferably before, if not soon after, the new employee has taken up employment. Once a job offer has been made, one can also legitimately ask more personal questions about an employee than before. This includes checking that they have the legal right to work in the UK; if they have claimed that they have training qualifications, checking that they can provide proof of such assertions; and, if they will be required to drive as part of their job requirements, that they hold the appropriate driving licence.

We have now taken the opportunity to review our template documentation to be GDPR compliant. The revised employment details form addresses the issue which all employers need to deal with, i.e. ensuring training in data protection and being able to prove that training.

The New Employee Employment Details form is designed to address two concerns:

  • Not to be discriminatory, and only elicit that information which can be justified.
  • To ensure that new recruits are clear on what information you are likely to hold about them, and what you do with it.

The form is, therefore, more likely to be justifiable in asking for medical information from new employees, and gives further details about data security.

Data Protection Regulations also require that you periodically check that the personal information you retain on your employees is correct. We recommend that you use our Existing Employment Details Form to ensure that the information you retain about your existing employees is up-to-date, and also to remind your employees about the key information you hold about them under the Privacy Notice contained within the form. We believe that if you do this, they are less likely to submit subject access requests, which are probably going to be more time consuming and potentially more contentious. Perhaps more importantly, it means you are less likely to be contacting the wrong person should you need to contact their next of kin, or need to write to them.

We hope you find these forms of use, and as they are in Word format, you can adapt them further for your purposes. If you have any other questions on the issue of either induction or data protection, please speak with our HR Consultants.

The latest annual statistics, published by the Health and Safety Executive (HSE), indicate that in 2016/17 almost half of all working days lost due to ill-health were reported as being due to work-related stress, depression or anxiety. This estimate, based on figures from the Labour Force Survey (LFS), is further complemented by the Mental Health at Work Report 2016 produced by Business in the Community (BiC), which was based on the 2016 National Employee Mental Wellbeing Survey findings. They highlight the extent of mental health difficulties at work.

  • A majority of employees have been affected by symptoms of poor mental health. 77% of employees covered by the main survey said they had experienced symptoms of poor mental health at some point in their lives.
  • 62% of employees attributed their symptoms of poor mental health to work, or said that work was a contributing factor.
  • More than 10% of those surveyed described their current state of mental health as poor, or very poor.

There will inevitably be some debate about the accuracy of such statistics, but the key concern is that there is a major disconnect between these figures and those reported by employers, who believe the problem is not so large, and that they are doing all they can to support people.

According to the Society of Occupational Medicine, mental ill-health affects one in six people at work in the UK. The World Health Organisation predicts that if we do not proactively address wellbeing, mental illness will be the leading cause of disability and absence in the workplace by 2030. So, employers need to give mental health the same level of importance and investment (time and resources) that they have placed on safety over the years.

In 2016, the main causes of work-related stress, depression or anxiety were said to be:

  • workload pressures, including tight deadlines
  • too much responsibility
  • a lack of managerial support

Sickness absence is very costly in tangible financial terms, but it also usually means that when someone is off work, the workload burden falls on others, which can lead to a spreading negative ripple effect within the organisation.

The most common symptoms of poor mental health, in which work was a factor, were:

  • psychological symptoms (e.g. depression, anxiety, panic attacks):
  • behavioural symptoms (e.g. changes to appetite, irritability, procrastination, mood swings):
  • physical symptoms (e.g. raised blood pressure, muscle tension, sweating, dizziness, headaches or migraines):

The BiC report summarises the main conclusions from the survey as follows:

  • Employers need to recognise the scale of poor mental health in work, and take significant steps to reduce the risk of their workplace being a contributor to poor mental health.
  • Employers have a duty of care to respond to mental ill-health just as they would to a physical illness, such as cancer, diabetes or back pain.
  • Managers need to be equipped with the tools, support and the right organisational culture to do their job well, which includes managing employees with mental health issues.
  • Workplaces should be environments in which employees feel comfortable disclosing their current state of mental health. Employees need support at an early stage, and Line Managers should agree and implement a personalised plan that works best for that employee.
  • Better signposting to formal support mechanisms is vital. No one is expecting Line Managers to be mental health experts, but they need to know where to refer people for help, and what they can do by way of follow-up.

It makes good business sense to foster a culture of openness that supports employees with a mental health issue to remain working. The mental health charity Mind state: “Mental health is still the elephant in the room in most workplaces – employees are reluctant to raise the subject for fear of discrimination, while Managers often shy away from the subject for fear of making matters worse, or provoking legal consequences. This culture of silence means undetected mental health problems can spiral into a crisis, resulting in sickness absences.” It is certainly our observation that Managers worry far more about this type of sickness absence than when a more tangible physical illness is reported, and they usually “freeze”, taking no action for a very long time, when actually early contact with the employee is vital.

The same report recommends actions that employers should take on a number of fronts, and at all levels within organisations, including:

  • Seek to embed well-being into organisational culture. You will see that in our 2018 Handbook updates we now talk about physical health and mental well-being in several of our policies.
  • Take simple, positive actions to build a culture that promotes good health
  • Send a clear message of parity of esteem between mental and physical health to normalise conversations around mental health.
  • Appoint a mental health champion from the senior team, with a remit to drive better mental health.
  • Ensure skills based learning is made available to Management teams to develop awareness, confidence and capability to deal with mental health.

Additionally employees should:

  • Be provided with basic mental health literacy, so they can spot the signs when they or a colleague may need help – see mental health first aid.
  • Know where to go for guidance, and be equipped with the confidence to start a conversation about mental health with colleagues they are concerned about.

Introduce a Well-being Framework

So, how can employers embed well-being into the organisation? As always it has to be led by Senior Managers. Ideas include:

  1. Train all Managers and employees (just as we train employees on codes of business practice and safety) in enhancing workplace well-being. This will help to:
    1. dispel the myth that depression and other common conditions are weaknesses, instead recognise that these are just other forms of illnesses
    2. aid employees in recognising symptoms in themselves, and in others
    3. provide guidance on how to manage someone in a team who might become ill
    4. demonstrate how to reintegrate someone into work after illness; after all, it is well established that work is good for us, and can be key to the recovery of someone who has been ill
  2. How an organisation successfully communicates on matters of mental health is key to the successful implementation of a well-being strategy. Normalise mental illness by encouraging senior and influential people to share stories of their associations with conditions, such as depression and anxiety. This is the most powerful means of breaking the stigma and generating discussion.
  3. Introduce mental hygiene techniques your employees can learn. Just as many employees have a personal trainer in the gym, think about encouraging mental hygiene techniques, such as good sleep, food and exercise practices, how to develop resilience and assertiveness to reduce the effects of conflict at work, mindfulness techniques to help reduce stress etc.

Other Practical Steps

View health holistically as a combination of Mental and Physical Health

Employers need to accept that all employees have mental health, in the same way that they have physical health. Mental health can move up or down a spectrum from good to poor, depending on factors in and outside the workplace just as physical health can.

Review how you describe employees with Mental Health Issues

To change adverse perceptions of people with mental health conditions, Managers should describe people with mental health conditions in more positive terms. Rather than labelling them as mentally “disabled”, and focusing negatively on what we assume (wrongfully in many cases) they cannot do, Managers need to have open discussions about how to help to enable them early on, thus avoiding actually disabling them as soon as their mental health condition is found out.

Line Managers, and where possible all employees, should receive training, which should deal with outdated unhelpful definitions of weakness and strength. Mental health problems are very often the curse of the strong, not the weak. For instance, it is usually high achievers that are likely to suffer unexpected and severe mental health burnout.

Swift early access to Medical Intervention

It is also critical that Managers help employees with mental health conditions to access the medical services and the support that they need quickly and swiftly, as early medical intervention will help them return to work sooner. Managers need to be taught that with the right support, mentally ill employees can return to the same or better performance than previously.

Mental Health First Aid Training

Line Managers or employee volunteers who complete the course will have mental health first aider status and will be able to spot mental health problems, take action to prevent them from developing into something more serious and help colleagues to recover more quickly.

Many employees are promoted into management positions because of their technical skills and ability, but without training, they will not necessarily have the right people management and communication skills to be able to deal with mental health issues in an open and supportive manner, so this course really helps.

The two-day course developed by Mental Health First Aid England:

  • Trains delegates to recognise the signs and symptoms of mental ill health.
  • Educates on what are the good mental health hygiene factors and self care.
  • Empowers delegates to provide help and support on a first aid basis through the power of building relationships that encourage people to talk about their problems and health.
  • By asking the right questions, it helps them guide people with mental health problems towards the right support services.
  • Covers a range of mental health problems, from stress through to more serious conditions such as depression and psychosis.
  • Develops understanding of the stigma that exists around mental health.

Open and Supportive Culture of Communication

Employers should promote an open and supportive culture, where Line Managers have regular one to one catch ups with their staff, during which they check in on their mental health well-being (whether they are aware of a mental health condition or not), in the same way that they check in on work-related matters. It is important that employees feel able to be authentic and bring their ‘whole self’ to work, rather than pretending to be someone that they’re not, in order to conform and fit in. The stiff upper lip British attitude is not helpful in encouraging open conversations around mental health.

Address your Working Environment

Create an environment where individuals feel their work is meaningful, purposeful and they are treated with dignity. Creating a sense of purpose beyond profit and growth; encouraging a more respectful environment will go a long way to helping prevent mental illness in the workplace.

Back to Work

The way an employee is treated during their absence, and their initial return, has a major impact on their likelihood of returning to work. Once an employee has been off sick with mental health issues for four weeks or more, the chances of them returning to work are much slimmer, as they lose confidence and begin to feel alienated from the business. Keeping in touch in an appropriate manner is vitally important.

The Society of Occupational Medicine (SOM) has highlighted six key steps to support the return to work process following sickness absence due to mental ill-health.

For employers and employees, six steps have been identified as follows.

  1. Dealing with the initial absence.
  2. Developing knowledge and skills.
  3. Maintaining communication throughout the absence.
  4. Preparing for the return to work.
  5. The return to work conversation.
  6. Keeping healthy and productive at work.

The SOM points out that people often find it difficult to talk about mental ill-health, and sometimes do not recognise it in themselves. In severe cases of mental ill-health, an employee may feel numb and unable to ask questions, or ask for help. The guidance offers helpful tips regarding what to say, and what not to say, to the employee who is suffering from mental ill health.

Key actions for these steps are:

  1. If they do not contact you, contact them, focusing on recovery not return to work.
  2. Look after the rest of the team, and develop skills to have open constructive conversations with empathy.
  3. Not communicating makes things worse, so keep in contact regularly as it increases the chances of a successful return to work.
  4. Do not get people back too soon, but talk positively about how they can return, identifying possible adjustments so you can plan properly.
  5. Focus on having a good conversation, not on following procedures, and focus on the future, then prepare a plan.
  6. The employee may need long-term support, even if they only experience mental ill-health once. On-going review of the plan will give them the best chance of staying healthy and at work.

Finally,

We recognise that there is a lot of information to absorb on this topic, and it may seem daunting. Even if you act on just a handful of points from our guidance, you will be making a good start. Our recommendations would be:

  1. Get Senior Management commitment to being supportive about mental health issues, and communicate that to all employees.
  2. See what you can do to reduce stress and anxiety within your team.
  3. Keep in regular contact with people who are off work due to ill-health.
  4. Consider training a couple of people in Mental Health First Aid.
  5. Educate your Managers in commitment to being supportive, and give them the skills to put this into practice.

 

Our Consultants would be pleased to advise you on any element of the issues arising from this newsletter.

Introduction

We occasionally get calls from our clients, stating that they have received a claim for compensation arising from either an accident or injury that the employee (Claimant) is alleging happened at work and is, therefore, the fault of the Employer (Defendant). The caller is often very indignant about the personal injury claim, as they do not believe such an accident or injury happened at work, and is invariably cross with the employee. The first advice we have to give is to park the emotion, as one is entering into dangerous employment law territory if an employee can prove they suffered a detriment arising from submitting a health or safety concern, or in this case, a health & safety legal compensation claim. The second piece of advice we give is to contact the appropriate insurance company, and follow their instructions.

Given the ease of access these days to ‘no-win, no-fee’ solicitors, the increase in personal injury claims has meant that employers’ liability insurance premiums have increased for many organisations.

This newsletter will briefly summarise some of the key information regarding the legal principles behind personal injury claims, and what action is required when a claim is received, as well as some good practice that will help to defend these claims.

Employers must comply with:

  • The Employers’ Liability (Compulsory Insurance) Act 1969, which makes it compulsory for organisations to have employers’ liability insurance.
  • The requirements of the Civil Procedure Rules (as amended by the Woolf reforms).
  • The Health and Safety at Work, etc. Act 1974, the Management of Health & Safety at Work Regulations 1999, and indeed, all other health and safety regulations under which claims may also be made, if the regulations state that civil liability may arise.

Duty of Care

The leading case for personal injury claims was established in 1932 with Donoghue v Stevenson (1932), where it was deemed a duty of care is owed to “neighbours”. The case described neighbours as being those who we could “reasonably foresee” could be affected by our “acts and omissions”. Typical neighbour relationships include:

  • employer to its employees
  • employer to others’ employees
  • employer to contractor
  • occupier to authorised visitors or even unauthorised visitors, e.g. trespassers
  • employer to members of the public

The common law duty of care owed by an employer to its employees was further defined in the case of Wilsons and Clyde Coal Co v English (1938). In particular, this case decided that the employer’s duty of care to its employees was personal to the employer, and could not be delegated to, for instance, a Manager or other employees. Additionally employers must provide:

  • a safe place of work and equipment
  • safe systems of work
  • reasonably competent employees

These two cases are regularly cited in claims for personal injury. Since then, other cases have gone further in defining the true implications regarding the common law duty of care. If the employer knows of a condition in an employee that makes that employee more susceptible to injury, or makes the consequences of injury more severe than usual, extra precautions must be taken, as stated in Paris v Stepney Borough Council (1951). Therefore, employers must take into account any significant “special needs” in an employee, and take extra precautions. Employees with “special needs” could be:

  • disabled employees and/or with serious medical conditions
  • employees with learning difficulties
  • young and inexperienced workers
  • pregnant employees

Employers must also consider the mental well-being of their employees, such as work-related stress. The case of Walker v Northumberland County Council (1995) was developed further in Sutherland v Hatton (2002), when the Court of Appeal cited 16 practical propositions related to stress, including that employers should not have to pay compensation for stress-induced illness, unless such illness was reasonably foreseeable. This is not the ‘get out of jail free’ card that it initially sounds to be, as there is a lot within those 16 practical propositions that an employer must still do.

As these claims are brought in the civil courts, the law of tort, i.e. ‘wrongdoing’, will be used. Two particular torts are usually used, namely the tort of negligence and the tort of breach of statutory duty.

The Tort of Negligence

A claim for compensation based upon the tort of negligence requires that all four general conditions must be proved by the Claimant, as part of a causal chain, these being that:

  1. A duty of care must be owed by the Defendant (employer) to the Claimant (employee); and
  2. The duty of care must have been breached. (Did the employer do enough to take reasonable care? Often proved if sufficient records exist of good health & safety practices); and
  3. The injury or loss suffered by the Claimant must have been due to the breach of duty of care. (Was the injury or loss related to the acts or omission of the employer rather than an activity or incident which occurred out of work in the employee’s personal time?); and
  4. The injury or loss to the employee must have been a reasonably foreseeable consequence of the employer’s acts or omissions.

The Tort of Breach of Statutory Duty

An alternative route when making a claim for personal injury is for the Claimant to show that the Defendant was in breach of a relevant statute, and, therefore, liable to pay compensation. This was established in Groves v Lord Wimborne (1898), when a boy had his arm amputated due to an unguarded cogwheel when working at the Defendant’s factory. It was held that the applicable statute required the secure fencing of dangerous parts of machinery, and, therefore, the statute was relevant to the boy’s civil claim.

However, section 69 of the Enterprise and Regulatory Reform Act came into force on 1 October 2013, amending s.47 of the Health and Safety at Work, etc. Act 1974, which, up to that time, meant there was a legal presumption that all health and safety regulations involved civil liability, unless expressly excluded. The 2013 Act reverses this presumption, so now no regulation will impose civil liability unless there is express provision to that effect. There will be no civil enforcement for breach of health and safety regulations. In reality, this means that Claimants have to rely on actions for common law negligence.

Additionally, this means that the burden of proof, instead of being on the employer to show what steps were taken to protect an employee, has now shifted to the employee to prove negligence. Prior to the 2013 Act, employees needed only to show that a machine was inadequate or defective, but now they have to prove that an employer could, and should, have spotted the defect before the incident, and rectified it.

Finally, it is worth remembering that the enforcement of health and safety regulations is in the domain of the Health & Safety Executive (the HSE).

Contributory Negligence

One of the more important defences is that of “contributory negligence”, which permits the amount of compensation to be reduced if the employee was partly to blame for an accident through their own negligence. For example, if a Claimant failed to follow the employer’s procedures or defined working practices, e.g. not following what they were trained to do, or not wearing the protective clothing or equipment provided for that job, then their actions amount to contributory negligence, leading to any damages award being reduced. Where it can be shown that the injury sustained was due to the sole fault of the Claimant, the Defendant may not be deemed liable at all, but 100% contributory negligence rarely happens.

Vicarious Liability

We recently wrote a detailed article on vicarious liability so, as a brief recap, in some situations an employer could be deemed liable for the negligence of its employees with respect to some other person being injured. The key conditions for vicarious liability to third parties are that:

  • the employee must have been negligent
  • the employee must have been acting in the course of employment, in other words, acting on behalf of the employer

The Supreme Court has recently given judgment in two landmark cases involving vicarious liability. The first, Mohamud v Morrison Supermarkets plc (2016) concerned an attack on a customer by an employee of Morrisons, where the Supreme Court ruled that the company was vicariously liable because the attack was sufficiently closely connected to the employee’s work. The second case is Cox v Ministry of Justice (2016), where the Catering Manager at a prison was injured when a prisoner dropped a sack of rice onto her. The Supreme Court ruled that the Ministry of Justice (MOJ) was liable to compensate her stating that it was fair, just and reasonable to impose liability on the MOJ.

Timescales Limitations for Claims

Any action for personal injury, or death, must be commenced within three years from the date of the accident, or where the Claimant first became aware of the injury, i.e. the date of diagnosis by a medical practitioner. In the case of a death, the Fatal Accidents Act 1976 allows close relatives to make a claim on behalf of the deceased. Courts do have discretionary power to override the three-year period where it is equitable to do so.

Damages

Damages can be considerable under two headings:

  • Pecuniary: these involve monetary losses, such as loss of earnings, medical and travel expenses. It is the loss of future earnings up to retirement that can involve the biggest part of a damages claim, especially if the Court accepts that the Claimant will not be able to work again.
  • Non-pecuniary: these involve compensation for pain and suffering, and loss of amenity, such as changes to lifestyle, e.g. being stuck in a wheelchair.

Claim Procedures

New rules have existed since 1999, following on from Lord Woolf’s enquiry, which introduced a number of “pre-action protocols” to provide for the early exchange of information. Parties who fail to comply with the protocols can be penalised by the Courts. A summary of the intended sequence of events is:

  • Letter of claim sent and received
  • Defendant must at least acknowledge receipt within 21 days
  • Claim investigated
  • Admit liability and settle out of court
  • Deny liability, either completely or partially
  • Relevant documentation disclosed
  • A “statement of truth” must be signed by someone from the defendant’s organisation

Letter of Claim

Following the decision to make a claim, the Claimant, or more usually their solicitor, must send two copies of a standard “letter of claim” to the Defendant. The letter contains information relating to the general circumstances of the claim, including the nature of any accident, a description of injuries sustained, and the documents which the Claimant would like to be disclosed. The Defendant must acknowledge the letter of claim within 21 days. If the Defendant does not reply within this timescale, the Claimant will be entitled to begin legal proceedings, and the Court will take into account the fact that the Defendant did not follow the protocol’s rules. This puts an important onus on employers to react quickly to letters of claim.

From 1 August 2013, Claimants in employer personal injury claims of up to £25,000 have had to use a Government claims portal although disease-related claims are excluded. The aim of the portal is to manage personal injury claims efficiently and quickly. It operates by way of a system of notifications and responses, which are input into the portal by the Claimant and the Defendant, or its insurers. A Claimant who is seeking compensation for a personal injury claim must register the claim on the portal by completing and registering a Claim Notification Form, which is like a letter of claim. It must include sufficient information for the Defendant to investigate the claim. If liability is admitted, the claim stays within the portal. If liability is denied, or an allegation of contributory negligence is made, the claim falls out of the portal to be dealt with in the normal way.

A Claimant can remove a claim from the portal if there are complex issues of law, or fact. The intention of the portal is to assist in the settlement of straightforward personal injury claims quickly, and within a framework of low fixed costs.

The Government has recently proposed reforms of the procedure for low value personal injury claims. The main aim of the proposals is specifically to reduce the number of road accident fraudulent whiplash claims, but, if and when the proposals are implemented, they are likely to also impact claims for workplace injuries.

Information that Defendants must disclose

Following the initial acknowledgement by the defendant of the letter of claim, the Defendant has three months to investigate the claim before replying. The protocols set out in some detail specific information that Defendants must disclose. For workplace injury claims, this includes:

  • Accident book entry
  • Any first aider report
  • Any initial management report

The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) require that certain accidents/injuries must be reported to the HSE, so it is important to retain a paper copy of that report as well.

Where specific regulations apply, the protocols require additional documents to be produced. For example, in respect of the Management of Health and Safety at Work Regulations, the following should be disclosed:

  • pre-accident risk assessment required by regulation 3
  • post-accident risk assessment required by regulation 3
  • accident investigation report
  • any appropriate health surveillance records required by regulation 6

In cases where the Control of Substances Hazardous to Health Regulations (COSHH) is relevant, a similar disclosure of documentation is required by the protocols. This includes:

  • the risk assessment complying with the requirements of regulation 6
  • documentation relating to the maintenance of personal protective equipment

For claims involving the Workplace (Health, Safety and Welfare) Regulations, the documents required to be disclosed include:

  • repair and maintenance records required by regulation 5
  • housekeeping records to comply with regulation 9

You need to be aware that if the employer is unable to produce the relevant documentation, it may make fighting the case much harder, and your insurance company is more likely to want to settle the case. The argument is that, if you have complied with the law, then appropriate records must be able to prove it.

Where the pre-action protocols do not result in agreement or settlement, the case will be allocated to one of three “tracks”:

  1. Small claims track jurisdiction, with a financial limit of £5,000.
  2. A fast track for relatively straightforward cases up to £15,000, with strictly limited timetables set up by the Court.
  3. A multi-track for cases over £15,000, providing hands-on management by the Court.

This should help achieve quick settlements of cases by the Courts.

Tips to help successfully defend a Claim

Having a good paper trail of evidence on all of the above and, indeed, other health & safety matters, e.g. regularly reviewed health & safety policy, annual health & safety action plans etc., will help to make a difference. Other suggested actions include:

  • Make sure that what the health & safety policy and associated policies and procedures say happens does indeed happen in practice, by regularly inspecting and periodically auditing all activities.
  • Ensure that health and safety is talked about regularly at either Board/Senior Management level, alongside other key business objectives.
  • Make sure that people are encouraged to report accidents, incidents and even near misses, in a spirit of openness and transparency. Clients that tell me that they never have accidents are just kidding themselves; they do, they are just not recorded, which is far more concerning.
  • After an accident happens, ascertain immediately who did, or did not, see the accident, and get signatures under each heading. Ask witnesses to write down as soon as possible exactly what they did see, before they have a chance to revise or tone down what they saw, in order to minimise getting others into trouble.
  • Investigate any accident or injury that becomes RIDDOR reportable, and make sure the report is not focused on blame, but is rather all about better understanding how the accident happened and, as a result, what improvements could take place.
  • Make sure that important records, such as risk assessments, safe systems of work, safety action plans, induction checklists are not only kept, but are up-to-date and easily retrievable.
  • Make sure additional records, e.g. individual risk assessments or return to work programmes, are kept for those people with “special needs”, such as young persons, the disabled and/or people with serious medical conditions.
  • Have robust recruitment and selection procedures, including identifying in job descriptions where there are specific and objectively justifiable criteria, e.g. certain levels of physical fitness or mental robustness.
  • Check out whether future Managers understand their health and safety responsibilities, and what they have done to reduce known risks in previous jobs.
  • Use the discipline procedure for breaches of health and safety procedures and protocols, e.g. where people won’t wear PPE, or take unsafe shortcuts in working practices.
  • Train all staff to make sure that they can do their jobs safely. Train Managers on the additional duty of care responsibilities that they have towards their team(s).
  • Write into all Management job descriptions health and safety responsibilities, and include health and safety objectives in any formal performance management reviews.

 


What is it?

Developing resilience appears to be a hot topic in business circles, as it is the further evolution from stress management. Judging by media publicity, authors and trainers, the concept is being pushed as a key to unlocking business performance, helping people cope more effectively and efficiently with the stresses and strains within the modern day workplace.

The importance of resilience really begins to emerge when we consider the range of different workplace situations where it is required – for example, dealing with organisational change, threats to job security, feelings of restricted control or autonomy, or a heavy workload. Some people will handle these situations better than others – those who are able to successfully draw upon a combination of their personality and learned behaviours will cope with the problems, and perhaps even turn them to their advantage, with resulting individual and organisational benefits.

Mind (the mental health charity) define it thus: “Resilience is not simply a person’s ability to ‘bounce back’, but their capacity to adapt in the face of challenging circumstances, whilst maintaining a stable mental wellbeing.”

“Emotional resilience” is more hard-hitting than many of the other methods promising to keep us cool, calm and collected. Originally developed to help victims of natural disasters and massacres cope with catastrophe, it is slowly infiltrating workplaces, schools and communities. No matter how you define resilience, most agree there’s less of it around than is actually required, and this could well explain the increasing incidences of poor mental health.

How do we get more of it?

Resilience is not just about survival, it helps us to grow and develop so that we can successfully navigate our careers in the modern world. Contrary to popular belief, resilience is not something that either you have or don’t have; we do not have a ‘fixed level’ of resilience so it can be developed.

Resilience training – which draws on elements of Cognitive Behavioural Therapy (CBT) and positive psychology – seems to have a real impact on people’s self-reported ability to cope. Robertson Cooper, on their website “A Good Day at Work”, state that resilience is derived from four principal factors: confidence, a sense of purpose, social support and adaptability – see diagram below. Many people typically rely on one or two of these but may need help to make the most of the strengths they have, and use those to build and maintain their resilience to find the best way through life’s challenges.

The best way to begin developing resilience is to understand these components, and identify which of them you tend to draw on naturally. From there you can start to adopt alternative and more constructive coping strategies in certain situations, and avoid any possible risks of over-using your strengths.

People with a negative mind-set are far less resilient. For example, negative people may expect to lose their jobs as a result of change. This immediately puts them on the defensive so they perform less well, and consequently their fear can ultimately become a self-fulfilling prophecy. By contrast, more positive people see the opportunities in change and are likely to benefit accordingly. Changing mind-set is not an easy task, but it can be done.

It is also worth remembering that the fundamentals of good diet, plenty of exercise, rest, good quality sleep, minimal alcohol and other drug intake cannot be ignored, as they have a huge effect on how much pressure someone can handle. Resilience helps you to boost your own levels of confidence and emotional well-being, and gives you a brighter outlook on life. Resilient people are less likely to suffer from severe mental health problems, and even if they do, they are better able to manage them using resilience techniques.

Ways to build your emotional resilience

Resilient behaviour can be learned and developed to manage pressure, promote well-being and bolster resilience. The following might be termed self help:

  1. See crises as challenges to overcome; not insurmountable problems.
  2. Surround yourself with a supportive network of friends and family. Can you ask for support when it is needed?
  3. Accept that change is part of life, not a disaster.
  4. Take control and be decisive in difficult situations.
  5. Nurture a positive view of yourself – don’t talk yourself down or focus on flaws.
  6. Look for opportunities to improve yourself; a new challenge, social situation or interest outside work. Set goals and plan ways to reach them.
  7. Keep things in perspective: learn from your mistakes and think long-term.
  8. Practise optimism and actively seek the good side of a bad situation.
  9. Practise emotional awareness: can you identify what you are feeling and why?
  10. Look after yourself, through healthy eating, exercise, sleep and relaxation.
  11. Develop relationships and a passion for what you do.
  12. Take the time to learn, think and build knowledge.

The Resilient Manager

You will know that you are a resilient Manager when you display some of the following key characteristics, and can effectively implement a range of different coping mechanisms:

  • You are transparent: you can admit things are difficult and let others know this is how you are feeling.
  • You have realistic expectations of yourself: you are not a perfectionist and can give yourself a break.
  • You deal with problems effectively: feeling stressed may all be about (a) your perception about the meaning of events, (b) your reactions, and (c) knowing what can and should be changed as opposed to what cannot be.
  • You communicate assertively: you have achieved a balance between not bottling up feelings and not over-reacting, but communicating clearly in a way that is respectful of yourself and others, including saying “no” when you need to.
  • You have inner buoyancy: the confidence to feel that you will survive and come through hard times, a sense of optimism and engagement with life and work, underpinned by strong personal values.
  • You are able to return to a calm state after feeling upset or emotional, and think through possible consequences of actions – the ability to switch off and refresh.
  • You have an internal ‘locus of control’, i.e. not feeling like a victim.

Resilient people possess three characteristics — a staunch acceptance of reality; a deep belief often buttressed by strongly held values that life is meaningful; and an uncanny ability to improvise. You can bounce back from hardship with just one or two of these qualities, but you will only be truly resilient with all three. These three characteristics hold true for resilient organisations as well. Resilient people know that a situation, good or bad, has to be accepted before it can be changed. Acceptance is a key component of resilient thinking – don’t fight reality as you won’t win.

Organisational Approaches

Self development and training alone is not enough to change a culture. Training in resilience should not be seen as a sticking plaster covering up organisational weaknesses. Poor job design needs to be addressed. Targets and deadlines need to be realistic. Senior people must not condone a bullying culture which disregards organisational dignity at work policies. Resilience should be seen as part of your organisational well-being approach. As such, part of developing resilience is to encourage good social connections at work, so that people do not feel isolated.

In a Harvard Business Review survey, 75% of Managers said that the biggest drain on their resilience reserves was “managing difficult people or office politics at work.” That was followed closely by stress brought on by overwork, and by having to withstand personal criticism. These are issues which senior management can address.

The following are good organisational resilience strategies:

  • Develop your employees’ creative problem solving skills.
  • Provide training in handling difficult situations and how to deal with conflict skilfully and when to use mediation.
  • Facilitate emotional resilience in the workplace by providing a pleasant physical working environment (e.g. good lighting, ergonomic seating, etc.).
  • Promote healthy behaviour in the workplace (e.g. healthy eating, physical activity).
  • Provide training for employees and Managers to recognise and take early action to ameliorate conditions that can produce stress.
  • Create opportunities for ‘good work’ – i.e. characterised by employment security, task variety, autonomy, fair treatment and reward for effort, strong workplace relationships and effective development and use of skills.
  • Support employees with mental health problems (and other health issues).
  • Encourage Managers to think creatively about their own well-being and emotional resilience, helping them to identify their own stress triggers, and creating strategies to cope, should this be required.

Resilient people and companies face reality with staunchness, make meaning of hardship instead of crying out in despair, and improvise solutions from thin air. This is the nature of resilience, and we may never completely understand it. It is, however, important because it not only makes people more productive, but helps protect them against the development of mental health problems.

If you are interested in undertaking a free i-resilience report, then follow the link on the Good Day at Work website: http://www.robertsoncooper.com/improve-your-resilience/i-resilience-free-report-preview.

 

 

Our Consultants would be pleased to advise you on any element of the issues arising from this newsletter.

Saying “you’re fired” may actually be an indicator of management failure, even though it has been popularised in the media.

This course looks at the three key areas, namely recruitment & induction, performance management and improvement, which if applied correctly, should minimise the need to consider terminating employment. However, the third key area is the effective use of the disciplinary procedure to formally improve performance standards, and only if that does not work, how best to dismiss.

We have designed this course to suit those who are new to Management, as well as being a useful refresher for the more experienced Manager who is looking to develop existing skills and/or wants to be more successful by learning new/different approaches, as part of personal/career development.

This course will be highly participative, practical in content, and is intended to challenge our delegates into recognising there are always alternative ways of dealing with people and/or situations.

The course objectives will include:

  • Recruitment & Induction
  • Performance Management
  • Performance Improvement
  • Discipline, Dismissal & Alternatives
  • Practical Learning Opportunities

We are running this course at the following venues:

Park Farm Country Hotel, Norwich – 18th October 2018
Rowley Mile Conference Centre, Newmarket – 21st November 2018

The course will commence at 8.30 am, with registration and refreshments from 8.00 am. The course will finish around 1.45 pm, with breaks for refreshments and lunch.

The cost for this training event will be £75.00 plus VAT per delegate, including lunch.

To reserve your place on this course, please contact Jackie Bolton either by e-mail: jackie@backuphr.com or call 01480 677981.

ICO Registration and Fees

Currently, many organisations pay a fee to the Information Commissioner’s Office (ICO) as a Data Controller. These registrations (or notifications) would have been removed by the application of the GDPR into UK law. However, a new registration and fee scheme for Data Controllers will come in from 25 May 2018, the same day the General Data Protection Regulation is introduced across the EU.

There was mention of a move by the ICO to levy new fees for Data Controllers last year on its blog and Twitter. These have now found their way into draft regulations presented to Parliament. Originally it was thought that fines would support the funding of the ICO, but to ensure the continued funding of the ICO, the Government has announced a new charging structure for Data Controllers. Until then, organisations are legally required to pay the current notification fee, unless they are exempt.

To help Data Controllers understand why there is a new funding model and what they will be required to pay, the ICO has produced a Guide to the Data Protection Fee which can be found at www.ico.org.uk. It should be noted that this is a draft at the moment, as the model has to be approved by Parliament before it is confirmed.

Key Changes and Information

If you have a current registration, you do not need to renew it on 25 May 2018, just when it runs out.

There are exemptions from the need to register – these are set out in the draft guidance, but may change in Parliament. There are some activities which trigger the need to register as well, though these have been widened from the current regime.

Charities and small occupational pension schemes just pay the Tier 1 fee.

Fee levels – these are between £40 and £2,900 based on number of staff and (for non-public bodies) turnover as well.

There is a default position of Tier 3, unless and until you can demonstrate to the ICO that you are a Tier 1 or 2 organisation.

Below is the revised Tier structure:

  • Tier 1 – micro organisations – cap of £632K turnover or 10 members of staff – £40
  • Tier 2 – small and medium organisations – cap of £36M turnover or 250 members of staff – £60
  • Tier 3 – if you exceed the caps in Tier 2, then the fee is £2,900.

For very small (micro) organisations, the fee will not be any higher than the £35 they currently pay, if they take advantage of a £5 reduction for paying by direct debit. The ICO explains that the fee is higher because these organisations are likely to hold and process the largest volumes of data, and therefore represent a greater risk.

There is a monetary penalty (fine) for not registering of £4,350 regardless of organisational size.

Key FAQs on the website include:

Do I have to pay a fee? If you are a Controller and the exemptions don’t apply to you, you will have to pay the fee.

If my registration expires on or after 25 May 2018, can I renew early and pay my current fee? No. You must pay the correct fee under the new fee structure.

When will I have to pay the new fee? The new regulations come into effect on 25 May 2018, when organisations must apply the GDPR. But this doesn’t mean that everyone has to pay us a fee on that day. Controllers with a current registration (or notification) under the 1998 Act will not have to pay any other fee until their notification has expired (12 months from the day they made it). Controllers that are not currently notified will be liable for the new fee on 25 May 2018, unless an exemption applies.

If I renew under the old arrangements, will I have to pay again on 25 May 2018? No. If you renewed or registered before 25 May 2018 under the 1998 Act, that registration will be valid for 12 months. You will not need to pay the new fee until your current registration expires.

What is the difference between notifying under the Data Protection Act 1998 and paying the data protection fee? Aside from the level of the fee, the main difference is that under the 1998 Act, Controllers had to give details of the types of processing they did. You will not need to provide this information from 25 May 2018.

How will I know my renewal is due? The ICO will email you before your previous payment expires and your new payment is due.

What happens if I don’t pay my fee? The ICO will send you a reminder explaining when you need to pay. If you don’t pay, or tell them why you are no longer required to pay a fee, they will issue a notice of intent 14 days after expiry. You will have 21 days to pay or make representations. If you do not pay, or fail to notify them that you no longer need to pay, you may be issued with a fine of up to £4,350 (150% of the top tier fee).

Data Protection and SMEs

Many small firms are still not sure what GDPR means, but they need to start paying attention, as the new UK legislation in the form of the Data Protection Act 2018 will soon apply. The Federation of Small Businesses (FSB) has found that a third of small businesses have not started preparing for the introduction of the GDPR, while a further third are only in the early stages of preparations. Only 8% of small businesses have completed their preparations.

FSB National Chairman Mike Cherry explains: “The GDPR is the biggest shake-up in data protection to date, and many small businesses will be concerned that the changes will be too much to handle. It is clear that a large part of the small business community is still unaware of the steps that they need to take to comply and may be left playing catch-up.”

On average small firms will spend seven hours per month meeting their data protection obligations, which equates to £1,075 per year, according to the FSB. Recognising that some small businesses will not be compliant ahead of the May deadline, the FSB has appealed to the regulator, the ICO, to take a proportionate approach to enforcement and not immediately to resort to fines.

What actions need to happen before 25 May 2018

We have been reviewing our own Data Protection Policies, and we have now issued to all our clients a Data Sharing Agreement, along with mailing out our policies on how we will ensure that we protect and handle client data.

We are also updating all our clients’ Handbooks with an Employment Data Protection Policy, which will cover your employees’ responsibilities and rights. It is not meant to cover, and indeed does not cover, what data you hold about your customers or others, and what practices you have in place to keep it secure. So you need to be taking steps to prepare for this.

It is likely that the ICO will not be able to, or inclined to, start enforcement action against SMEs unless they are blatantly doing something terrible, but that is not an excuse for procrastination. We are already seeing signs that large organisations will be expecting their suppliers to have in place relevant Data Protection policies, or answer rigorous questionnaires, so it is best to be ready for this, and be able to show what you do to keep their data secure. Data holders (Controllers or Processors) will have to ensure that they have safeguards in place to prevent the accidental loss, destruction or damage of data or unauthorised access. They should also review how they seek, record and manage consent to personal data being held by their organisation.

Please feel free to ask any questions of our Consultants who would be pleased to advise on any element of this newsletter.

New Statutory Figures

The annual increases in compensation limits have been confirmed. The limits apply to dismissals (redundancies or detriments etc.) occurring on or after 6th April 2018.

  • £508.00 – the maximum amount of a week’s pay for calculating statutory redundancy pay and the basic award (up from £489.00);
  • £15,240.00 – the maximum statutory redundancy payment or basic award, i.e. 30 weeks (up from £14,670.00);
  • £83,682.00 – the maximum compensatory award which can be made for unfair dismissal (up from £80,541.00), or one year’s gross pay, whichever is the lower.

These increases mean that the maximum total unfair dismissal award is now £98,922.00, although uplifts can add a further 25%.

Employees may be entitled to receive guarantee payments for up to five days of lay-off in any three-month period. The maximum amount of such a statutory guarantee payment will increase to £28.00 (from £27.00) for any one day.

The new rates take effect where the ‘appropriate date’ for the cause of action (such as the date of termination in an unfair dismissal claim) falls on or after 6th April 2018. If the appropriate date falls before 6th April, the old limits will still apply, irrespective of the date on which compensation is awarded.

Fit for Work – No more

From 15th December 2017, ‘Fit for Work’ has no longer been running its referral and assessment service. Free, professional advice is available in a number of ways. All of the advice and guidance elements of ‘Fit for Work’ remain in place, as the website (the most highly used aspect of the service) and helpline remain open.

The service was part of the Government’s efforts to find solutions to keep people in work (and off benefits). Reforms to Statutory Sick Pay (SSP) will be set out in a separate consultation paper, to include proposals designed to allow greater flexibility in the payment of SSP (for example, to support phased returns to work).

The ‘Fit for Work’ service was meant to aid employees who have been absent for more than four weeks, and to plug the gap in access to Occupational Health services. It was conceived just over two years ago as a way to boost medical interventions, by allowing employees to be targeted by GPs by referring them for ‘specialist help’. The scheme never really took off and has now been scrapped due to low take-up rates: a survey in August showed that 65% of GPs had not referred a single patient and, of those that had, only 40% had seen someone return to work.

We were never fans as we doubted whether the Government could attract and retain good quality staff that would actually see people, and make considered individually tailored recommendations that were reasonably practicable. We would nearly always recommend to employers that they use a reputable professional OH service to review the health and work of sick employees. We always advise clients that asking employees’ GPs for a report is unlikely to be too helpful, as the quality of response is often poor, reflecting their lack of knowledge about the employer’s jobs/environment.

Actions:

  • There is no need to have a retained OH provider but it is useful to know of one (or know someone who does)
  • Conduct return to work interviews which should pick up if people are returning to work when not fully fit
  • Do not let people drift once they have gone beyond four weeks of absence; get them referred to a reputable OH provider
  • Ensure that you give an OH provider a clear and realistic brief.

We would be pleased to recommend a good quality OH provider to employers who need this assistance.

Looking Ahead – Payslips

Arising from the Taylor Review into modern working practices, the Employment Rights Act 1996 (Itemised Pay Statement) (Amendment) Order 2018 has been laid before Parliament. This is a small but important amendment, which will require employers to set out on payslips the number of hours that an employee is being paid for; and where different hourly rates apply for different hours, to specify this. Where an employee’s pay varies as a consequence of the time worked, their itemised pay statement must contain information about the number of hours worked. This should make it easier for employees to understand what they have been paid for – and whether they have been underpaid.

We believe this is because the current legislation focuses on deductions, but for many people with variable hours, the difficulty lies in calculating gross figures.

The Order doesn’t come into force until 6th April 2019 so employers have plenty of time to prepare.

Our Consultants would be pleased to answer questions on any of the above, or you can find much of the data on our website, by clicking on Frequently Asked Questions.

The General Data Protection Regulation (GDPR) will apply in all EU Member States from 25th May 2018. It is important to stress that the GDPR is about much more than employee data. It is becoming increasingly clear to us that our extensive range of clients have a wide range of data protection issues, far beyond the employee information which they hold, and many do not meet the current Data Protection Act, let alone the even more onerous GDPR, so they are just not prepared. Our previous newsletter focussed on employee data. This newsletter will concentrate on broader issues which you need to be thinking about with regard to what personal data you as an organisation process, store and dispose of.

One of the first things to consider is whether the organisation is processing personal data as a controller or a processor. A processor just acts on the instructions of the controller.

Countdown to 2018

The GDPR will harmonise data privacy practice across Europe. The emphasis is on protecting citizens and their data, and giving users more information about, and control over, how it’s used. There are a large number of national derogations. It is also likely there will be differences in the way the Regulation is interpreted and enforced in different Member States. It is believed that the British Data Protection Bill will not be ‘gold-plated’, i.e. not made more onerous than the EU Directive, on its way to becoming an Act of Parliament. The new law gives individuals more say over what organisations can do with their personal data (which can be anything from physical, physiological, mental, economic or cultural data and more).

The new law retains the same core rules as the Data Protection Act 1998 (DPA), and continues to regulate the processing of personal data, but there are some significant changes. These include the right to be forgotten, the right to request the porting of one’s personal data to a new organisation, the right to object to certain processing activities and to decisions taken by automated processes.

The concept of sensitive personal data has been retained and expanded to include genetic and biometric data. The actual term ‘sensitive personal data’ has been dropped, but is now re-termed as falling into ‘special categories’, i.e. information concerning a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.

Board or Senior Management Issues

Data protection needs to become a boardroom issue, as the law is designed to put data protection at the top of the agenda for all organisations. This is done by creating a culture where everyone contributes to maintaining data privacy standards, ensuring compliance, thinking about how they would want their own personal information to be processed, as well as handling the personal data of others, i.e. the people they deal with, such as customers/clients, patients, guests, residents, other stakeholders, members of the public etc.

Also, it’s not just about the threat of financial penalties. Individuals need to trust the organisations they are providing their personal information to, and have confidence that their information will be handled appropriately and securely, as without that trust there will be huge organisational challenges to overcome.

The GDPR introduces the principle of accountability which runs through the core of the legislation. Accountability needs to be entrenched in an organisation, requiring a change in mind-set and for organisations to take a proactive, methodical and accountable approach toward compliance. The Senior Management Team need to understand the potential exposure to fines, and other sanctions under the GDPR, and must get buy-in for compliance at all levels across the organisation.

Compliance

Organisations must be able to demonstrate their compliance with the GDPR’s principles, which will include adopting certain “data protection by design” measures, staff training programmes, and having suitable data protection policies and procedures.

You will need to identify means to “demonstrate compliance” – e.g. adherence to approved codes of conduct, “paper trails” of decisions relating to data processing and, where appropriate, privacy impact assessments.

Your internal governance processes will need to demonstrate how decisions to use data for further processing purposes have been reached, and that relevant factors have been considered.

Consent and Legitimate Interests

You need to ensure you are clear about the grounds for lawful processing relied on by your organisation, and check these grounds will still be applicable under the legal requirements. Consent is not the only mechanism for justifying the processing of personal data.

The processing of personal data will only be lawful if it satisfies at least one of the following conditions:

  • Consent of the data subject – this is broadly the same as under the DPA, but the GDPR has a narrower view of what constitutes consent, meaning that it will become harder to obtain consent. In practice, this means that data controllers will have to fall back on other processing conditions.
  • Necessary for compliance with a legal obligation – this is broadly the same as under the DPA. However, under the GDPR, the legal obligation must be an obligation of Member State or EU law to which the controller is subject.
  • Necessary for the performance of a contract with the data subject, or to take steps preparatory to such a contract – again, no change from current law.
  • Necessary to protect the vital interests of a data subject, or another person where the data subject is incapable of giving consent – this should only be relied on when there is no other ground available, e.g. medical emergencies.
  • Necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller.
  • Necessary for the purposes of legitimate interests – this condition can no longer be relied on by public authorities, but is probably the most important for many other organisations.

If you are relying on “legitimate interests”, ensure that decision-making in relation to the balance between the interests of the controller (or relevant third party) and the rights of data subjects is documented, particularly where this affects children. Make sure also that data subjects would reasonably expect their data to be processed on the basis of the legitimate interests of the controller or relevant third party. You will also need to make sure that you advise people of this reason in the information that must be supplied to data subjects. A legitimate interest ‘must be real and not too vague’. For example, it may apply to an organisation’s data processing as part of fraud protection, security measures or transferring that data between different parts of an organisation.

In some ways the best reason is that the individual has consented to you processing their data. The standard to obtain valid consent has, however, been tightened up. Consent must be specific, freely given, informed and unambiguous. The conditions for obtaining consent have become stricter. To justify consent from a legal perspective, ensure that:

  • consent is active, and does not rely on silence, inactivity or pre-ticked boxes;
  • consent to processing must be distinguishable, clear, and not “bundled” with other written agreements or declarations; there is a presumption that forced consent mechanisms will not be valid, so it must be clear exactly what people are assenting to;
  • consent requests are separate from other terms and conditions; organisations should avoid making consent a precondition of a service, unless necessary for that service, and must not be used as a vehicle to get consent to something else, e.g. receiving email;
  • the data subject must have the right to withdraw consent at any time, but this will not affect the lawfulness of consensual processing before its withdrawal;
  • there are simple methods for withdrawing consent, including methods using the same medium used to obtain consent in the first place;
  • separate consents are obtained for distinct processing operations; and
  • consent is not relied on where there is a clear imbalance of power between the data subject and the controller.

Further guidance is expected, but organisations will need to review existing consent mechanisms, to ensure they present genuine and granular choice. Granular means that you give a thorough explanation of options to consent to different types of processing wherever appropriate. You will need to determine whether any of your current processing is based on assumed consent and if so, this must be stopped, unless you can get consent, or have another legal basis for the processing. You must audit data privacy notices and policies to ensure that individuals are told about their right to object, clearly and separately, at the point of ‘first communication’. For online services, ensure there is an automated way for this to be effected.

Security

Controllers and processors are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The assessment of what might be appropriate involves considering the context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of individuals.

Appropriate measures are set out as possibly including:

  • pseudonymisation (separation of data from direct identifiers so that linkage to an identity is not possible without additional data to re-identify the person);
  • anonymisation (irreversibly destroying any way of identifying the data subject);
  • encryption and other measures, such as firewalls, to prevent hacking;
  • ensuring confidentiality, integrity, availability and resilience of processing systems and services;
  • ability to restore availability and access to personal data in a timely manner in the event of an incident; and
  • the regular testing and evaluating of technical and organisational measures designed to ensure security of data processing.

The best way for organisations to deal with this is to minimise breaches, but also to have policies in place to enable staff to assess risk in order to show compliance. As with so much of the GDPR, being able to demonstrate that the proper precautions and steps were taken will be crucial. If your security measures are currently fit for purpose, you are unlikely to need to do much more. However, it would be worth reviewing these measures to ensure they are up to date with the latest technology and threats. Many changes, though, are not about technology; it is simple stuff like not leaving files on photocopiers, or on desks or screens when we are not there.

In a recent case against Morrison Supermarkets, the High Court has held that an employer was vicariously liable for the actions of a disgruntled employee who disclosed the personal information of around 100,000 colleagues on the internet. Although the disclosure took place outside working hours, and from the employee’s personal computer, there was a sufficient connection between the employee’s employment and the wrongful conduct for it to be right to hold the employer liable. There is no suggestion that Morrison was negligent, but they are facing a potentially large amount in compensation. This highlights another warning about how the employer can be held responsible for the acts, lawful and unlawful, of its employees.

Subject Rights

Many existing rights are retained or enhanced in GDPR, and there are some new ones. Here is a selection:

Subject Access

The right is retained, but it will no longer be permissible to charge a fee, and the time limit is reduced from 40 days to a month.

Rectification

The Data Subject can have incorrect data corrected and incomplete data completed.

Erasure (“right to be forgotten”)

The Data Subject can tell you to erase their information and you must do so unless you have a good reason (from among the options set out in GDPR) to retain it.

Restriction of Processing

The Data Subject can restrict your processing of their data if there is an unresolved question of its accuracy, and in some other specified situations.

Portability

In certain cases (mainly where the Data Subject has signed up to online services), they can have their data transferred directly to another provider.

Direct Marketing

As now, the Data Subject has the right to stop you from sending them any direct marketing, and you must make sure they know about this right. If you currently send email campaigns, you need to make sure your audience has opted in to receive information, and that you have a record of when and where that person opted in. (To prove it was a person and not a ‘bot’, a ‘double opt-in’ is required.) This may mean re-opting in all the people on your mailing list before May next year.

Profiling & Automated Decision-Making

There is a new right allowing people, in some cases, to prevent “a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her”.

Complaints and Compensation

Data Subjects have the right to complain to the ‘supervisory authority’ – i.e. the Information Commissioner – and have the complaint investigated.

Data Sharing with Other Organisations

If you process personal data as part of work in collaboration with other organisations, then both or all organisations are likely to be joint Controllers. Under GDPR you can’t pass the buck between processor and controller. Each business is responsible for upholding the same standards, and you’ll want to work with businesses who are GDPR-compliant. You must set out ‘in a transparent manner’ your respective Data Protection responsibilities, and make the ‘essence’ of the arrangement available to your Data Subjects. Data Subjects may exercise their rights against any of the joint Controllers.

Work with relevant partners who may collect data on your organisation’s behalf to assign responsibility for notice review, update and approval. You need to review all your collaborative projects and activities to ensure that, where applicable, your agreements are clear on each party’s Data Protection responsibilities.

Controllers and processors are also required to ensure that anyone acting under their authority who accesses the personal data does so only in accordance with their instructions. Compliance may (but does not have to) be demonstrated by adherence to an approved code of conduct or certification mechanism.

Controllers and processors should agree to report to other controllers or processors that are involved in the same processing, any relevant compliance breaches and any complaints or claims received from relevant data subjects. They should agree on their respective obligations for data protection compliance, their respective liabilities for data protection breaches and mechanisms for resolving disputes regarding respective liabilities to settle compensation claims.

Action

Assign responsibility and budget for data protection compliance within your organisation. Whether or not you decide (or have) to appoint a Data Protection Officer (DPO), the GDPR’s long list of data governance measures means that ownership of their adoption needs to be allocated within the organisation.

Ensure that a full compliance programme is designed for your organisation, incorporating features such as Privacy Impact Assessments (PIAs), regular audits of data, data protection updates, and training/awareness-raising programmes.

Monitor the supplier terms and codes of practice published by supervisory authorities, the EU and industry to see if they are suitable for use by your organisation. If you are a supplier, consider the impact of the GDPR’s provisions on your cost structure and on your responsibility for signing off the legality of your customers’ activities.

Implement measures to prepare records of your organisation’s processing activities. If you are a supplier, develop your strategy for dealing with customer requests for assistance with the development of such records.

Teamwork not just IT

You should establish a GDPR compliance team with the necessary skills and experience to develop, implement and coordinate a compliance plan. Initially this will mean analysing existing data processing activities across the organisation’s employment lifecycle to identify high-risk areas.

Develop a timeline to implement a GDPR compliance programme.

Next Steps

  1. Carry out a risk assessment (PIA) and then act on the results:
    1. Document all current processes and data flows
    2. Analyse any potential areas of weakness or vulnerability
  2. Document:
    1. What personal data you hold and why?
    2. Where it came from?
    3. Who you share it with?
    4. Business relationships with service providers, data providers and contractors and ensure they are GDPR compliant.
  3. Identify the lawful basis for your processing activity.
  4. Review/establish processes for seeking, recording and managing consent and refresh consents if they do not comply with GDPR.
  5. Document the procedure in place to detect, report and investigate personal data breaches, and audit them.
  6. Document and review procedures for communicating privacy, dealing with individuals’ rights regarding erasure, subject access requests and objections, transfer of data, etc.

Checklist

  • Make someone responsible for managing GDPR and data strategy.
  • Add opt-ins to all your digital marketing, and ensure you get a double opt-in.
  • Restrict access to personal data to only those who need to have access to it.
  • Ensure you have up to date security systems, such as firewalls, backups, encryption and authentication and test them on a regular basis.
  • Explain to users, in plain language, what data you’re holding, how long you’re holding it for, and how users can withdraw their consent. Your policy has to be simple, appropriate, and contain all the required information.
  • Develop a detailed breach response plan, including when to notify regulators and individuals, as well as how to handle data breaches from a media perspective.
  • Consider making financial provision to handle transitional costs, any data breaches and taking out insurance to cover data breaches.
  • Keep records of any data breaches, what data was compromised and how the breach was dealt with as well as what steps are being taken to ensure that type of breach does not re-occur.

We are not saying that this is all you need to know about Data Protection, but if you address these issues it is likely that you will have covered all the most important matters.

 

Please feel free to ask any questions of our Consultants who would be pleased to advise on any element of this newsletter.