IGA News

Be Aware - December 2018

Be Aware - December 2018

30 November 2018

GDPR: Employee imprisoned for unlawfully accessing personal data

Companies have been under a duty to protect personal data for over 20 years. However, with GDPR coming into force 25 May 2018 and Data Protection Act 2018 increasing these protections and setting a new standard, data protection been in the forefront of the industry over recent months.

On 12 November the ICO released details regarding the prosecution of a motor industry employee under the Computer Misuse Act 1990. (more details can be found here).

In this case a rogue employee of a Bodyshop had been using the company access to the Audatex system to remove personal data using a colleague’s log-in details. The employee would then sell the details to accident management companies resulting in nuisance calls and complaints This conduct had continued for over 9 months; even after he left the first bodyshop, and only came to light when the first bodyshop concerned noticed a sharp increase in complaints regarding customer data and reported the issue to the ICO.

After an investigation the employee concerned was charged with securing unauthorised access to personal data between 13 January 2016 and 19 October 2016 and was sentenced at Wood Green Crown Court in north London to 6 months imprisonment.

The employee concerned is now also the subject of proceedings under the Proceeds of Crime Act, which could result in the recovery from the employee of any benefit obtained as a result of the offending.

Mike Shaw, head of criminal investigations at the ICO, said:

“Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour…

Data obtained in these circumstances is a valuable commodity, and there was evidence of customers receiving unwarranted calls from claims management companies, causing unnecessary anxiety and distress.

The potential reputational damage to affected companies whose data is stolen in this way can be immeasurable. Both Nationwide Accident Repair Services and Audatex have put appropriate technical and organisational measures in place to ensure that this cannot happen again.”

Conclusion

With GDPR and data protection being in the forefront of the industry recently this is an important case and provides some interesting guidance; both as a warning and a reassurance, for business whom may have been caught out by rogue employees.

This is a landmark case as the ICO has, for the first time, used the Computer Misuse Act 1990 to deal with a data breach, thereby giving the courts a wider range of sentencing powers. With this case the ICO appears to be signalling that they will use all the tools at their disposal to deal with data breaches where they result in a significant impact on data subjects.

What is reassuring is that the ICO does not appear to have taken action against either the bodyshop concerned or Audatex. Both organisations co-operated with the investigation and took steps to secure data going forward. This is good news for commons sense.

Members are under a duty to take reasonable steps to minimise the personal data held and to secure the same whilst in their possession. We would strongly advise that any RMI members who have not reviewed their data processing or security processes recently consider doing so. Remember, as an RMI member you have access to lawyers who specialise in the motor industry as well as precedent document and other resources designed to give you a head start when constructing your own policies and procedures.

Investigations and unfair dismissal

A key element in any fair dismissal of an employee with over 2 years’ service is that the employer must follow a fair procedure and conduct a reasonable investigation into any allegations, especially where misconduct is alleged Such an investigation includes gathering all relevant evidence that it is reasonable to investigate. The investigation does not have to be perfect, but within a band of reasonable investigations that another employer could have undertaken in the circumstances. The extent and depth of the investigation also clearly depends upon the seriousness of the matters being investigated.

In the case below the Employment Appeal Tribunal (EAT) supported an employer when it failed to take some evidence from potential witnesses. It concluded that the employer was reasonable in excluding such evidence, under circumstances where the excluded evidence could not have really changed the employer’s view.

In Hargreaves v Manchester Grammar, Mr Hargreaves was a teacher with an unblemished record until it was alleged that he had grabbed a pupil, pushing him against the wall and putting his fingers to the pupil’s throat. He was dismissed. The tribunal found the dismissal fair. Mr Hargreaves appealed to the EAT, contending the employer’s investigation was inadequate, given the career-changing impact of the allegation. Also, the employer had failed to disclose to the disciplinary panel evidence from potential witnesses who had said they had seen nothing.

The EAT dismissed the appeal. The tribunal had correctly directed itself as to the higher standard of investigation that might be expected, given the very serious nature of the allegation. It was within the band of reasonable responses to decide not to put forward to Mr Hargreaves and the disciplinary panel details about interviews with those who had seen nothing. It did not follow that, because those individuals had seen nothing, nothing had happened. The tribunal permissibly concluded the employer had reasonably formed the view that the excluded evidence was immaterial and could not assist.

The tribunal was entitled to conclude the employer had conducted a fair investigation and that the dismissal was not unfair.

Comment

The above case shows there is some degree of latitude for employers in such matters however employers should generally be careful to investigate with all potentially relevant witnesses and that remains the safest option. Employers must remember that, in any investigation, they are looking for all the evidence (not only evidence that supports the charges against the employee).

Business to Business contracts

“I regularly buy and sell vehicles from and to other businesses in England and Wales. I have been told that these are sold as seen and there are no liabilities or ability to claim if there is a fault is that correct?”

It is correct that there are a number of differences between a business to business and a business to consumer transaction. What conditions apply will depend on the agreement between the parties.

In a business to business sale there is no protection at all.

That is not true. Whilst the Consumer Rights Act 2015 (CRA) replaced the Sale of Goods Act 1979 (SOGA) for business to consumer transactions, the SOGA continued to protect business to business transactions. The SOGA contains almost identical protections with regards as described, satisfactory quality and fit for purpose etc… and as such these will also be conditions of a business to business contract.

Where the SOGA differs is that these conditions can be excluded in a business to business transaction, and often are. You therefore have to decide when buying or selling a vehicle whether you wish to exclude the SOGA and where you want to sell vehicles sold as seen etc…that you have an express term within the agreement that exclude them.

The seller can exclude anything they like

That is not true. Whilst the courts are a lot less likely to interfere with the terms of a contract in a business to business transaction, this does not mean that it is the wild west and that anything goes. The Unfair Contract Terms Act 1977 (UCTA) sets a number of contractual clauses that are unenforceable.

  • A business cannot exclude liability for death or personal injury due to their negligence
  • A business can limit their liability for any damage caused due to their negligence, but only if the term itself is reasonable and sufficiently brought to the other party’s attention
  • A business can limit their liability for any damage caused due to a misrepresentation on their part but only if the term itself is reasonable and sufficiently brought to the other party’s attention

What is reasonable will depend on what the court decides is reasonable ‘having regard to the circumstances which were, or ought reasonably to have been, known to or in the contemplation of the parties when the contract was made.’.

When deciding what is reasonable the court will consider what or ought reasonably to have been known to the parties when the contract was made and will also consider:

  • The strength of the bargaining positions of the parties relative to each other,
  • Whether the customer received an inducement to agree to the term,
  • Whether the customer knew or ought reasonably to have known of the existence and the extent of the term,
  • Where the term excludes or restricts any relevant liability if some condition was not complied with, whether it was reasonable at the time of the contract to expect that compliance with that condition would be practicable;

It is important to note that it is for the party seeking to rely on the clause to prove that it is reasonable.

The seller is liable for anything within the first 6 months.

That is not true. This is correct under the CRA where a business contracts with a consumer, but in a business to business contract there is no such assumption. As such it will be for the purchaser to prove that the issue complained of was a fault and was more likely than not present at the time of sale.

If I wasn’t aware of a contractual term within the contract, I can’t be bound by it.

That is not true. In a business to business transaction the court is far less likely than in a business to consumer transaction to interfere with the agreement. Where you have been provided with terms and conditions and have signed them the court will assume that you have read, understood and agreed to be bound by them and it will be very difficult to avoid them unless they are deemed unreasonable (see above).

The court is a little more likely to interpret a contract where there is no signature. However, refusing to sign a contract is not a bar to the terms being binding. If you receive terms and conditions and then continue to trade with a company the starting point for a court is that these terms will be binding.

Conclusion

Contractual disputes are complicated and will depend on the nature of the agreement and the extent of any contract. Where position ensures that all terms are in writing and never enter into an agreement without fully understanding the terms, carefully document all conversations and to evidence all telephone calls, emails and letters for future reference.

Also, this advice is general in nature and will need to be tailored to any one particular situation. The outcome of any contract dispute will depend on the facts of the case. As an RMI member you have access to the RMI Legal advice line, as well as a number of industry experts for your assistance. Should you find yourself in the situation above, contact us at any stage for advice and assistance as appropriate.

Managing Return To Work

“We have had a member of staff come back from maternity leave in June. Following a request from her to reduce her hours, her role in the company also changed. Where do we legally stand if the hours she now works do not suit the needs of the business? She works Wednesday, Thursday and Friday mornings but our busiest times are Monday and Friday afternoons. Her hours therefore could cause us issues going forward. In addition, since her return she has had a bad attitude, complaining that she is doing more work than others and this is affecting morale.”

A change in hours following a flexible working request is a permanent change. If you need to change her hours now you will ultimately treat it as a variation of terms and conditions, consult with her and seek her consent to enforce the change.

If she refuses to accept the change, and the business cannot continue this status quo (which could be exploring whether you can find alternative employees to carry out the busy periods) then there are two options:

1. Enforce the change as unilateral change,

2. Dismiss and seek to re-engage on the new terms.

Both carry risks as with the first it would risk a breach of contract if consent is not given. If the employee has more than two years’ service, she could resign and claim constructive dismissal. With the second option, clearly as there is a dismissal then she could not accept the re-engagement and claim unfair dismissal. Due to the risk therefore, it is best to try to seek the employee’s consent, explaining the problems caused to the business in relation to her working hours against the needs of the business and see if you can obtain consent.

In relation to the bad attitude, this can be addressed either informally or formally. If you decide to take it as a more formal route then you should follow your disciplinary procedure and if this is the first case where there have been problems with her, and there is no other live warnings on her personnel file, it is likely to result in a first stage warning, i.e. either a verbal warning or a written warning subject to what your policy provides.

Conclusion

Don’t forget, this advice is general in nature and will need to be tailored to any one particular situation. As an RMI member you have access to the RMI Legal advice line, as well as a number of industry experts for your assistance. Should you find yourself in the situation above, call us via the direct member helpline or 0845 305 4230 at any stage for advice and assistance as appropriate.