SANDY ADIRONDACK
Legal and governance training and consultancy
for the voluntary sector
UPDATED INFORMATION FOR CHAPTER 43:
THE RUSSELL-COOKE
VOLUNTARY SECTOR LEGAL HANDBOOK

This page contains information that has appeared on Sandy Adirondack's legal update website for voluntary organisations at www.sandy-a.co.uk/legal.htm. For current updates, including potential changes that are in the pipeline, see the legal update website.

These websites for each chapter update the 3rd edition of The Russell-Cooke Voluntary Sector Legal Handbook by James Sinclair Taylor and the Charity Team at Russell-Cooke Solicitors, edited by Sandy Adirondack (Directory of Social Change, 2009). The websites are not intended as a comprehensive update and should not be treated as such.

To order a copy of The Russell-Cooke Voluntary Sector Legal Handbook, print out the order form at www.sandy-a.co.uk/bookserv.htm or send an email order to the book service (address below). It costs £60 for voluntary organisations or £90 for others, plus 10% p&p.

To avoid spamming, an email address is not given on screen. If you can't see the word 'here' or have trouble sending an email by clicking on it, the address is bookservice at sandy-a.co.uk, with the spaces and 'at' replaced by the @ symbol.

The information here covers the law applicable to England and Wales. It may not apply in Northern Ireland and/or Scotland. These news items are not a full or definitive statement of the law and are not intended as a substitute for professional legal advice. No responsibility for loss occasioned as a result of any person acting or refraining from acting can be taken by the author.


Chapter 43
DATA PROTECTION AND USE OF INFORMATION


The items below formerly appeared on the legal update website for voluntary organisations and are archived here. The content may be out of date and links may not work. For current updates to the chapter, see the legal update website for voluntary organisations at www.sandy-a.co.uk/managing.htm.


FREEDOM OF INFORMATION ACT: PUBLIC AUTHORITIES

Updated 19/12/11. This information updates s.43.2 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
The Ministry of Justice announced in January 2011 that it would extend the Freedom of Information Act (FOIA) to cover more bodies, including the Association of Chief Police Officers, the Financial Services Ombudsman and higher education admissions body UCAS, and would consult on bringing examination boards, some school inspectorates, the Local Government Association and some other bodies within the Act. The MoJ confirmed that although some specific named charities are covered under the FoIA, there is still no intention to extend FOIA to all charities, or to all contractors that provide services on behalf of public authorities.

In Scotland, the Scottish government consulted until November 2010 on proposals to extend the FOI (Scotland) Act 2002 (FOISA) to cover some contractors and other bodies that provide public services, such as trusts created by local authorities operating leisure and cultural facilities, or companies which run prisons and prison escort services, or which build and/or maintain schools. The consultation documents can be accessed via tinyurl.com/yzqx9en. The outcome of this consultation could mean that the FOIA and FOISA end up with different definitions of public authorities and "functions of a public nature".

Even if an organisation is not subject to FOIA or FOISA, information provided to a public body, for example as part of contract tender documents or monitoring of services, may need to be disclosed by the public body in response to a FOIA or FOISA request for information. And in some very specific cases, a court might find that a charity providing services on behalf of a public body is itself directly subject to the FOIA.


USING THE FREEDOM OF INFORMATION ACT FOR CAMPAIGNING

Added 19/12/11. This information updates s.43.2 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
The National Council for Voluntary Organisations published in October 2010 a guide to using the Freedom of Information Act for campaigning at local and national levels. Voicing your right to know: A guide to using the FOIA in campaigning gives examples of how voluntary organisations have used the Act to obtain statistics and other information which can help in campaigning, and is at www.ncvo-vol.org.uk/yourrighttoknow. There's a summary of key points on the Guardian's Voluntary Sector Network at tinyurl.com/7bz8ock.


DISCLOSURE OF PERSONAL DATA IN FREEDOM OF INFORMATION & ENVIRONMENTAL INFORMATION REQUESTS

Added 19/12/11. This information adds a new s.43.2.3 & 43.3.1 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
Personal data as defined under the Data Protection Act is in most cases exempt from the Freedom of Information Act and the Environmental Information Regulations, and generally cannot be disclosed by public authorities in responding to a request under the FOIA or EIR. The intention of this exemption is to protect individuals’ privacy. However there are some exceptions, and organisations faced with a request which could involve disclosure of personal data should take specialist advice.

The Information Commissioner's Office issued updated guidance for these situations in March 2011. There is no direct link but it can be accessed from the ICO website via tinyurl.com/3f6fa57, then click on "Exemptions - freedom of information" then on "Section 40: personal information".


USING THE AUDIT COMMISSION ACT TO OBTAIN INFORMATION

Added 19/12/11. This information adds a new s.43.2.5 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
Freedom of Information Act exemptions allow public authorities not to disclose, in some situations, information whose disclosure would prejudice the authority's commercial interests, and some confidential information. But under s.15 of the Audit Commission Act 1998 local authorities (but not other public bodies) are required to allow an individual or corporate local taxpayer to inspect and copy the "books, deeds, contracts, bills, vouchers and receipts" that relate to the local authority's audited accounts.

In Veolia ES Nottinghamshire Ltd v Nottinghamshire County Council, the court of appeal ruled in October 2010 that the Audit Commission Act requirement overrode the local authority's duty of confidentiality to Veolia, and contract details had to be disclosed to a local taxpayer who requested them. The decision is at www.bailii.org/ew/cases/EWCA/Civ/2010/1214.html.

While this allows organisations and individuals to access information about local authority contracts that would otherwise be unavailable, Unity Trust Bank has warned in a newsletter that "this case highlights one of the risks involved in contracting with local authorities and this should be borne in mind when considering whether to bid for these type of contracts".

Details of how to request information are in the Bates Wells & Braithwaite Charity and Social Enterprise Law Update, summer 2011, on p.14 at www.bwbllp.com/Files/Updates/CharityUpdateSummer2011.pdf.


DATA PROTECTION ROUND-UP

Added 17/3/10. This information updates s.43.3 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
Lest anyone think that data protection is unimportant or does not apply to voluntary organisations: the Alzheimer's Society was in February 2010 found by the Information Commissioner to be in breach of the Data Protection Act 1998 duty to keep personal data secure, after several laptops were stolen during a burglary. The laptops were not locked away, and one contained unencrypted details of 1000 staff, including addresses and national insurance numbers. Ironically, the computers had been returned to the office for encryption.

The Society had to give an undertaking that "portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted using encryption software which meets the current standard or equivalent; physical security measures are adequate to prevent unauthorised access to personal data; staff are aware of the data controller’s policy for the storage and use of personal data and are appropriately trained how to follow that policy; and the data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage". Further data protection breaches could lead to criminal prosecution.

In case you want to know what such a thing looks like, the Alzheimer's Society undertaking is at tinyurl.com/ylltcmp.

And to help ensure your organisation doesn't get into such trouble, here is some new and recent guidance.

Clearly ICT security is essential — not just in relation to data protection, but to protect all of your organisation's information. The 34-page Computanews guide to ICT security, published in October 2009, is essential reading for all organisations. It covers how to assess the risks and policies needed, how computer security is affected by people and by the environment in which it is used (including public access computers and homeworking), specific steps to secure assets (everything from passwords through to end point security and the end of the computer's life), and checklists for assessing and dealing with risks. All that — and cartoons too. Download from tinyurl.com/ykxxlm3.

The Information Commissioner's Office issued in December 2009 a plain English guide to data protection, with an explanation about each of the eight data protection principles and practical examples of how they apply in practice. The guide can be accessed via tinyurl.com/372h3z.

The Trades Union Congress has produced guidance on the law on access to medical reports that are requested by the employer. The guidance also looks at how unions and safety representatives can ensure that the rights of workers are protected. It is at www.tuc.org.uk/h_and_s/tuc-17272-f0.cfm.

The consultation on the Information Commissioner's Office's draft guidance on collecting information online closed on 5 March 2010. The guidelines include broad principles such as not being secretive or deceptive in how personal data is handled; not trying to gain an advantage by using personal data in a way that people wouldn't expect or might object to; not collecting personal data that is not needed; ensuring adequate data security; and not ignoring the laws of other countries from which personal data is collected. The consultation documents are at ico-consult.limehouse.co.uk/portal/cop/pio.

British Standard 10012 on personal information management systems, designed to ensure compliance with the Data Protection Act, was issued in May 2009 and covers issues such as training and awareness, risk assessment, data sharing, retention and disposal of data, and disclosure to third parties. It costs £50 for BSI members and £100 for others. Information is at tinyurl.com/y89wer8.

The annual fee for notification to (registration with) the Information Commissioner's Office increased to £500 on 1 October 2009, for organisations in the public, private, or non-charitable voluntary sector with annual turnover of £25.9 million or more and 250 or more staff. The fee remains £35 for all charities, regardless of size, and for public, private, or non-charitable voluntary organisations below the threshold. The Data Protection (Notification and Notification Fees)(Amendment) Regulations 2009 are at www.opsi.gov.uk/si/si2009/plain/uksi_20091677_en.

Organisations which transfer personal data outside the European Economic Area (EU + Iceland, Liechtenstein and Norway) need to be aware of a decision by the European Commission on 5 February 2010. This requires, for new contracts with outsourcing companies, written consent for processing of personal data to be sub-contracted. Useful information is available at www.out-law.com/page-8169.


NEW PENALTIES FOR BREACH OF DATA PROTECTION

Added 4/4/10. This information updates s.43.3 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
From 6 April 2010 the Information Commissioner's Office has new powers to impose penalties of up to £500,000 for serious breaches of one or more of the eight principles of data protection law. A monetary penalty can be imposed only if the breach was of a kind likely to cause substantial damage or substantial distress, and either the breach was deliberate or the data controller knew or ought to have known there was a risk of serious breach and failed to take reasonable steps to prevent it.

The power to impose penalties is in ss.55A-55E of the Data Protection Act 1998, inserted by the Criminal Justice and Immigration Act 2008 s.144 (www.opsi.gov.uk/acts/acts2008/ukpga_20080004_en_1).


DATA PROTECTION BREACHES

Updated 31/12/11. This information updates s.43.3.3 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
Since 6 April 2010 the Information Commissioner's Office has been able to impose monetary penalties of up to £500,000 if a breach of one or more of the eight data protection principles is likely to cause substantial damage or substantial distress, and either the breach was deliberate or the data controller knew or ought to have known there was a risk of serious breach and failed to take reasonable steps to prevent it.

The highest monetary penalty to date, £130,000, was served on 6 December 2011 on Powys County Council. In two incidents, documents about child protection cases were mistakenly sent to the same wrong person. In the more serious incident, it is thought pages from one document got muddled with pages from another when they were both being printed out on the same printer, and the document was then sent out without being checked.

Other monetary penalties served on local authorities have included Surrey County Council, £120,000 after sensitive personal data was emailed to the wrong people on three separate occasions (in one case, sending sensitive personal data about 241 people to taxi companies and other transport firms, and in another case, sending personal data to 100 people who had asked to receive a council newsletter); Hertfordshire County Council, £100,000 for accidentally faxing information to the wrong people on two occasions, including information about a child sexual abuse case and a care proceeding; Worcestershire County Council, £80,000 for emailing highly sensitive personal data about a large number of people by clicking on a group list of 23 people who should not have received it; and North Somerset Council, £60,000 after an employee sent five emails, two with highly sensitive information about a child’s serious case review, to the wrong NHS employee.

A data controller can also be held liable for the actions of someone who processes data on its behalf. In February 2011 a monetary penalty of £80,000 was issued to Ealing Council following the theft from an employee's home of two unencrypted laptops containing personal information about 1700 individuals who used the council's out-of-hours service. The service was also provided under contract to Hounslow Council, and 40% of the individuals were Hounslow clients. Hounslow faced a £70,000 penalty for not having a written contract with Ealing Council, and not monitoring Ealing’s procedures for operating the service securely.

To date most monetary penalties have been served on public sector bodies. But employment services company A4E was served a £60,000 penalty following the theft of an unencrypted laptop from an employee's home. The computer contained full names, dates of birth, postcodes and income level for 24,000 people who had visited community law centres in Hull and Leicester.

Stolen laptops also led to the Alzheimer's Society being warned they could face criminal prosecution if they did not put proper data protection procedures, including encryption of personal data, in place (see archived item at www.sandy-a.co.uk/vslh/43info.htm). More recently two charities have had to sign undertakings to improve their procedures. Asperger's Children and Carers Together, a Sheffield-based charity, had a laptop stolen from an employee's home, with 80 children's names, addresses, date of birth and medical information, and Wheelbase Motor Project had a hard drive stolen from its office in Nottingham, with personal data on 50 young people including information on criminal convictions and child protection issues. The Alzheimer's Society case was before the ICO had power to impose monetary penalties, and the other two charities were not served with monetary penalties.

In another case that led to an undertaking but not a monetary penalty, personal details about six people who were being supported by North Lanarkshire Council's housing and social work services department were in a support worker's unlocked bag which was stolen. The ICO emphasised that papers containing sensitive personal information should never be left in an unlocked bag without necessary precautions.

A breach of data protection law can occur not only when personal data gets into the wrong hands, but when it is destroyed. At Dartford and Gravesham NHS Trust, 10,000 records which should have been archived in a dedicated storage area were, because of lack of space, put in a disposal room and not surprisingly were disposed of, and this was not discovered for three months. The Trust confirmed that records were several years old and the loss of the data did not pose a clinical risk to the patients. The Trust has had to put better procedures in place, including systems to keep track of where information is at all times.

Individuals who access data which they do not have a right to see, or use data for purposes for which it was not intended, can be prosecuted for breach of the Data Protection Act and can be fined. For example, two former employees of T-Mobile who stole and sold customer data from the company were ordered to pay a total of £73,700 in fines and confiscation costs.

Despite the potential risk of a penalty, the information commissioner stresses that serious breaches — based on potential harm to the data subjects, sensitivity of the data, and the volume of personal data lost, released or corrupted — should be reported to him immediately.

Links to ICO press releases about the above cases and others can be accessed via tinyurl.com/bux6gej.


CODE OF PRACTICE ON PERSONAL INFORMATION ONLINE

Added 5/1/12. This information updates s.43.3.3 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
The Information Commissioner's Office (ICO) code of practice on personal information online outlines good practice for organisations that do business or provide services online and that collect and store information online. It should enable visitors to websites to make an informed choice about whether they should sign up for a particular service. The code covers information processed online and the Data Protection Act 1998, marketing goods and services online, privacy choices, operating internationally, individuals' rights online, things to avoid, and preserving privacy online. It was published in 2010 and does not include the rules on cookies [see below] that came into effect in May 2011.

The code can be accessed via tinyurl.com/3ctj7vt.


SHARING PERSONAL DATA WITH OTHER ORGANISATIONS

Added 19/12/11. This information updates s.43.3.4 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
The Data Protection Act generally prohibits disclosure of personal data to other organisations or bodies unless safeguards are in place. When deciding whether to share personal data with other organisations or agencies, even on a one-off basis, the basic principles include identifying the benefits and risks, taking reasonable steps to safeguard personal information, considering whether consent is needed, being transparent about what is being shared and why, ensuring information is up to date and accurate, and ensuring compliance with the Data Protection Act and other relevant legislation.

Failure to implement proper safeguards can lead to penalties — see article above about data protection breaches, with Hounslow Council having to pay a monetary penalty for failing to ensure the security of personal data processed on its behalf by Ealing Council.

The Information Commissioner's Office official code of practice on data sharing, published in May 2011, applies to both routine and one-off data sharing by public, private and voluntary sector organisations. It covers:

  • what to consider when coming to a decision about whether to share personal data;
  • fairness and transparency: when and how individuals should be told their personal data will or may be shared, and when it can be disclosed without the individual's knowledge;
  • security and staff training measures that should be put in place;
  • governance issues;
  • individuals' rights to access their personal data;
  • what to avoid;
  • data sharing agreements.
The code includes case studies showing how the Data Protection Act applies to data sharing and, at the end, useful checklists and templates. Failure to comply with the code is not in itself an offence, but can be taken into account in relevant legal proceedings.

The code can be accessed via tinyurl.com/5txcfsy.

TRANSFERRING PERSONAL DATA OUTSIDE THE EEA

Added 19/12/11. This information updates s.43.3.4 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
Organisations which transfer personal data outside the European Economic Area (EU + Iceland, Liechtenstein and Norway) must, since May 2010, include model clauses drawn up by the European Commission in new contracts with outsourcing companies outside the EEA which will process the data. The model contracts also cover sub-contracting to sub-processors, and require the original exporter of the data to keep track of all sub-contracting. A guide to the requirements and the model clauses is at www.out-law.com/page-11028.





© 2011 Sandy Adirondack.