
Gathering Extra 2023: Navigating risk: safeguarding charities in a changing landscape

In a rapidly evolving world, charities face unique challenges when it comes to managing risk effectively. To shed light on this crucial topic, this panel event brings together legal experts from across the Charities & Third Sector team at Brodies LLP to discuss the diverse aspects of risk that charities encounter, offer practical insights, showcase innovative tools and solutions, and answer your questions on how to safeguard your operations and reputation. Speakers: Kenneth Pinkerton, Lynne Marr, Martin Sloan, Kate Donachie.

SCVO


Good morning everybody, and welcome. Can everybody hear me at the back? Yeah. I remember sitting up at the back at a Fringe show and I fell asleep, so I hope, if you do, you have a good one. My name is... can't hear you? You can't hear us. Can you hear me now? Yeah, that's better, okay. My name is Kenneth Pinkerton and I am partner and head of Charities and Third Sector at Brodies. I've got a little slide behind me to tell you a bit about Brodies. We are a full service legal firm, and what that means from a charity and third sector point of view is we do everything that will meet your legal and governance needs, so anything you need we can deliver. As evidence of that, I thought that rather than just doing your sort of charity and governance seminar, as I have done for years, I would invite some colleagues from the Charities and Third Sector team to join me today to say a little bit about what they do and hopefully highlight some things that you might then think, when you go back to your organisations, we need to do that, or we need to look into that a little bit further.

I think that any lawyer who comes along to these things is almost duty bound to point out to charities and charity trustees what their legal duties are under the law, and it really flows through everything that we do. So simply by way of reminder, and with no apologies to anybody who knows this already, just to point out that under the Charities and Trustee Investment (Scotland) Act 2005 a charity trustee's duties are generally to act in the interests of the charity. What that means is that you act free from conflict, and when you're in the room acting for the charity, that is what is at the forefront of your mind at all times, and if you can't say that you're acting in the interests of the charity, I suppose what I would say is you have to do something about it; you don't sit on your hands. You act in a manner consistent with your charity's objectives, your charity's constitution, so the first point there is you have to know what the constitution says. I think fellow advisers remain amazed at the charities who come to us for advice and, when we ask for a copy of the constitution, say "not quite sure where it is" or "that might not be the most recent copy of the constitution". And finally you have to apply the appropriate standard of care, and for charities in the 2005 Act that is a standard of care that is reasonable to expect of someone looking after the affairs of another person, and that's generally taken to be a higher standard than if you're looking after your own affairs. So with that backdrop I will now hand over to my colleague Lynne, who is in our employment law team. Lynne.

Okay, thank you Kenneth. Can everyone hear me okay? Good. So I've been tasked with talking to you about some of the employment related risks that might arise in your sector. They are probably very similar to those that arise in lots of different sectors. Employment law, as you're probably aware, is a really dynamic area of law; it changes
all the time, so we're always getting new legislation, we're constantly seeing new case law, all of which impacts on you as employers and can create various risks. But what I'm going to do is just focus on some of the core risks that always persist irrespective of changes in legislation or new pieces of employment law that we see, and those relate largely to unfair dismissal and discrimination complaints.

So any charity who is an employer and has employees working for them will or may find themselves from time to time having to deal with issues arising with an employee, whether that's a conduct issue, a performance issue or an attendance issue, or sadly you might also find yourself in a redundancy situation where you've maybe lost funding or there's just reduced work. In any of those circumstances you might find yourself having to dismiss an employee, which gives rise to an obvious risk of unfair dismissal complaints. Now, the reason that presents a risk is that there are some financial risks that might materialise as a result of that, because unfair dismissal claims can be brought by employees who have two years or more service, and if they're successful in the employment tribunal the awards which can be achieved can be quite significant and could have quite a dent on your finances. So the awards for unfair dismissal generally consist of a basic award, which is like a statutory redundancy payment, and a compensatory award, and the limits on the compensatory award have gone up; they go up every year, but the cap on those now sits at £105,707. Now, a lot of employees won't achieve that, because if their earnings are much lower they can only ever achieve 52 weeks' gross pay, but you can still quite quickly see that if they succeed in those sorts of claims it can be quite a significant financial exposure. So it is important to think about how those risks might materialise and the ways in which you might mitigate against them.

I will also say that there are no employment tribunal fees at the moment; those were scrapped a few years ago, so it's really pretty easy for employees to bring a complaint in an employment tribunal. They might be spurious claims, but I guess that's really just to highlight that everything that you might do might never really stop a claim from materialising. You're always going to have that risk; it's really about how you mitigate against that risk turning into something that's a successful claim, and I think that's where you can take steps to make sure that you do really mitigate against the financial consequences that can arise.

So in terms of thinking about that, the first step in defending any claim of that nature is to think about what the potentially fair reason is that you're relying on for dismissal. I've really just talked you through them: is it conduct, is it capability, is it a redundancy, for example, or there's another category of some other substantial reason which I won't go into in detail. But pick your potentially fair reason, and after that it's really a question of whether you have acted reasonably in treating that as a sufficient reason for dismissal at the time that you actually dismiss, and that's where I think you can probably do the most to mitigate against any risks that might materialise, because there's a bit of a question mark over what you need to do to be acting reasonably. That's the sort of million-dollar question sometimes. That is not set out in legislation, so you won't find the answer to that in the Employment Rights Act, which is where the right to claim unfair dismissal sits; that is really largely set out in case law. But fortunately it is the sort of case law that is pretty well established; it's not the sort of case law that's changing. You'll all have probably seen lots of cases around things like holiday pay, and discrimination cases, we've had lots of cases about gender as an expression of belief, those sorts of cases. Unfair dismissal law doesn't actually change very much, so that's good news.

But what you need to do to mitigate against the risks of those sorts of claims succeeding is to know what it is you need to do to be acting reasonably, and that will differ depending on the potentially fair reason that you are relying on. So for example, if someone is being dismissed for a conduct reason, you will want to make sure that at the time you dismiss them you have a genuinely held belief that they have done the bad thing that they're alleged to have done, and at the time that you dismiss them you've carried out a reasonable investigation to show that you have reasonable grounds for holding that belief. If it is not a gross misconduct dismissal but there have been a series of misdemeanours, then you'll also want to show that the employee has had a series of warnings, that they've had an opportunity to improve their conduct before you actually get to the point of dismissal, and if you can do those things you will hopefully be able to successfully defend any claim that might materialise. For something like performance management, so somebody is not performing in their role, again they should be given an opportunity to improve their performance before you get to the point of dismissal, so that means putting them into perhaps a dreaded action plan or performance improvement plan before you get to that point. Redundancy: there are slightly different things you need to do there. You will have to be able to show that there is in fact a redundancy situation; you may also have to then carry out individual consultation with the employees affected, so you'll need to tell them they're at risk, you'll need to think about pools for selection, what work is going and who's doing that work and how you will select them. You'll have to have some fair criteria to do that, as well as conducting a meeting where you can communicate the decision to them, and of course any dismissal also requires a right of appeal. So you can see that for each potentially fair reason you'll have to be thinking about what process you will want to have in place to mitigate against the risks arising.

So in terms of mitigation, I think the best advice is make sure you have processes and policies, and make sure they are up to date. There's lots of resources out there that you can use that don't even involve coming to lawyers.
I should probably say that, but you know, you can look on the Acas website for example; it's a really good resource for making sure that your policies and procedures are up to date. And for anyone that might be conducting such dismissals or processes, it is a good idea to have some form of training for them where you possibly can, and to try and make sure that decisions are consistently made. So in a conduct case, for example, if you're going to dismiss somebody for a particular kind of behaviour, you have to make sure the same sanction, if you like, is meted out for other people who do the same thing or a similar thing, unless you can justify not doing that.

I'm just going to add to that. I've mentioned that these are the sorts of claims that can be brought by employees. It's only open to employees to bring unfair dismissal claims, and you might have other kinds of workers in your organisation; as charities you'll also have volunteers. Volunteers do not have the right to claim unfair dismissal, but therein lies a bit of a cautionary tale, because that is why it's so important to make sure that the arrangements you put in place for volunteers are properly constructed and that you don't inadvertently give rise to a situation where they're actually employees, because as soon as they might fall into that category of being employees they will start to accrue employment rights. So I think that is a thing to think carefully about in relation to that.

I said I would talk a little bit about discrimination. This is probably a little bit more scary than unfair dismissal, because discrimination complaints are something that we commonly find arising across all sectors, all kinds of employers, including charities, and the reason for that is that you don't tend to find unfair dismissal claims come by themselves. They're usually accompanied by a discrimination claim where that's possible, because there is no cap on the amount of compensation that can be recovered in a discrimination claim. So the £105,707 and the 52 weeks' gross earnings, you can sort of rip that up and throw it out the window. Now, it doesn't mean that somebody is going to get millions of pounds, but it does mean that if there is a finding of discrimination they can recover all the damages and losses that flow from the act of discrimination, and if people have maybe come to you, for example, from the public sector, or they do just have a generous pension scheme, or something has happened such that they are in some way psychiatrically damaged by the discrimination and they say they will never work again, suddenly those losses can be really very significant. We have seen, I think in the last quarterly tribunal statistics, which actually were at the end of last year, that the highest award that was made in a claim was 1.7 million. Now, I don't know what kind of claim that was; it might have been brought by a city banker claiming sex discrimination who will never work again, and that's maybe why it was so high, but the awards in these sorts of cases can be really significant. So trying to mitigate against the risks of discrimination claims, and educating yourself on how they might arise, is really important.

The Equality Act 2010 is the main piece of legislation that we have for that. The scheme of that Act sets out what the protected characteristics are; don't test me by trying to list them all, because no matter how long I've been doing this job I can never remember them when I'm put on the spot. The one that we see most commonly actually coming across our desks is disability discrimination, so people alleging that they have some sort of physical or mental impairment which is placing them at a disadvantage in the workplace. That comes up a lot, largely because there are specific disability-related types of complaint, around reasonable adjustments or discrimination arising from disability, that can come out of that.

How can you mitigate against the risks? I think the main way of doing that in the context of discrimination is, again, you can put in place policies and procedures, dignity at work policies, and you can train people. That's probably a bit of a given, particularly because, and this is another sort of slightly scary point, if claims are being brought against an organisation for discrimination they can be brought against the organisation as employer, but they can also be brought against individuals, so anybody that's essentially accused of the discriminatory action. That can include other employees, line managers as well, and there can be findings of joint and several liability, so that's something that's maybe a little bit more risky about discrimination complaints. I think having good governance in decision making, so being able to really show the rationale for all decisions that you make in relation to your workers, because it's another point, discrimination claims don't just cover employees, they do cover broader categories of workers, which is a much broader category. Being able to show how you got to your decision, and show a non-discriminatory reason for any decisions that you take, is the main way of mitigating against any sorts of discrimination complaints.

So that's discrimination. The last thing I was just going to mention, because I'm sure my time is up... I'm okay? I'm okay. It is really just to talk a little bit about some of the
things that might be coming up, because as I said at the start employment law is very dynamic and it's changing all the time, so there are things that will be coming up in 2024 that you will want to be thinking about that might present risks for your organisations. Certainly what we can do to help with that is that every year one of my employment colleagues, one of our professional development lawyers, will set out a list of all the things that are coming up, essentially a checklist of things for you to be thinking about in the coming year. So look out for that; it comes out usually as a blog at the beginning of the year. But next year, what we might see, and some of you might be relieved to hear this, we might see some changes to holiday pay and how that has to be calculated, some changes to legislation on that. Some of you will be familiar with the House of Lords decision in the Harpur Trust case last year, which was about how you pay holiday pay for part-year workers, which was a little bit testing for everyone. There has also been a lot of case law; there's just been another House of Lords decision in a case called Agnew, which is actually about the calculation of holiday pay but largely is around how far back you can claim holiday pay and how it's calculated. So we will possibly see some changes to that, particularly because it's one of the areas of European law that the government are going to have to do something to save or change, so look out for that. The other one I think to just look out for, because it is a piece of concrete legislation, is the Employment Relations (Flexible Working) Act 2023, which has been passed but is going to come into force next year, and that will change slightly how flexible working requests can be made. Now, that sounds a bit dull, but I mention it because flexible working requests, if they're not granted, can give rise to claims under those regulations. They're not hugely valuable claims, but what is valuable are the discrimination claims that can arise if you refuse flexible working requests and you don't have good reason for doing so. So I think, because of that Act coming into force and the fact that it's going to change slightly how and when and who can make flexible working requests, we might see more flexible working requests being made, and if they are refused then we might also see more discrimination claims arising as a result of them. So they're just some things to look out for next year; there's going to be more, but those are some highlights.

Thanks Lynne. We have built in time at the end for questions, but we're also happy to take questions as we go along, and one of the aims of me bringing together colleagues was to really do that and to try and make the session as discursive as possible. So I suppose I should say, if you walk away early, no questions, but as I say we're all happy to take questions as we go along. So
on that, does anybody have a burning question just now, or shall we leave... Yes, we do have mics, or you can shout if you can project very well. I can hear you if it's a question for me.

Maybe a question, but so they definitely don't become employees, other than pay, is there anything else that would tip a volunteer into that legal definition of becoming an employee?

Yes, there's a whole list of factors. Sorry, so for the people in the room, the question was: other than pay, is there anything that tips a volunteer into the employment category? Yeah, so there's a number of badges of employment that you need to be concerned with. So if you start to direct employees, or volunteers rather, to work in a particular way, so if you're asking them to do particular hours at particular times, if they are being very directed, and I appreciate that some of this can become quite grey because there's an extent to which you probably have to direct them, but if they are being directed and you start to create a bit of mutuality of obligation, subjecting them to employment policies and procedures in your organisations could be something else that might tip them into being employees. So you probably want to make sure that, for example, they do comply with things like your data protection policies and health and safety policies and dignity at work policies, but beyond that you probably don't really want to be involved in subjecting them to things like your disciplinary policies, grievance policies, so just being careful about how much access you give them to those sorts of policies. But I think it largely is about control, so how much are you controlling the way that they do the work and when they do the work, and what are the expectations of them; if the dial goes too far one way, that's when they can become employees. Not giving them written contracts, or just being careful how you document the arrangement and making very clear that they are volunteers; normally they should only really be getting paid out-of-pocket expenses as well, so I think that's probably what you're referring to when you're talking about pay.

And presumably, simply by saying you want them to uphold the values of the charity, that's fine? Yeah, that's fine, because I think that's what we would all expect to see. Any other questions just now? Okay, so thanks for that Lynne, and I'm now going to hand over to Martin.

Thanks Kenneth. Can you hear
me at the back? Yep, good. Okay, so I'm going to talk for the next 10 minutes or so about data protection and cyber risk. I guess in 10 minutes that's a fairly high level summary, but I thought what might be worth doing is just picking up on, I suppose highlighting, that the charities and third sector is not immune to cyber risk. So you'll see lots of stories in the press about organisations being hacked and subject to cyber attacks, but we're also seeing an increasing number of those focusing on the third sector. So you may have seen a couple of months ago a company called About Loyalty, which was subject to an attack, or one of their subcontractors was, and they were providing services to charities to help them understand their supporters and donors. So they had a whole lot of data around donors; their subcontractor was attacked and that data was compromised, and what happened with that was that a number of charities ended up in the press over it. People like the RSPCA, Battersea Dogs Home and others decided to go public with it. I'm not sure they needed to, but actually they ended up in the press; there was a story in the Mail on Sunday, and while that story focused on the fact that Elton John was a prominent supporter of one of those charities, that was all the celeb angle, they still actually had that damage to reputation that arose from being subject to that cyber attack. And I'm not sure necessarily that the strategy was quite right in terms of how they spoke about it and what they said to people; I don't think it reassured people, it actually probably caused more worry than reassurance. But I think it's just a good reminder that a lot of charities are dependent upon third parties to do certain things, whether that's to run your IT or to look after the data that you have, and that is a key part of your risk as an organisation in terms of how that data is handled, and if it is in any way compromised or attacked then that impacts on you. So even if you're trusting a third party to do these things for you, that could cause an issue in terms of obligations under data protection law, in terms of obligations towards OSCR, needing for example to report that incident.

So before I talk a bit about what you can do to manage or mitigate cyber risk, I thought it might be worth just also covering some data protection basics for those of you who are perhaps new to handling data and data protection law, and for the purpose of this session I think you can really just distil it down into the principles that exist in data protection law. So we have seven principles that are in UK GDPR, as we now call it post-Brexit. One of them is about ensuring that you only process personal data where you're doing that and it's fair and lawful and you're doing it in a way that's transparent, so you're telling people what you're doing, you know what you're doing, and you're only doing it for the right reasons; you have a lawful basis for that. Secondly, you only use the information you collect for those purposes and you're not then using it for some other purpose. The third principle is you're only collecting what you need for that purpose, so what we call data minimisation: you should only collect the information about your supporters, your service users, your employees, your volunteers where you need to have that information for that purpose; you shouldn't collect more than that. You should make sure that information you hold is accurate, so there's an accuracy obligation, and keep it up to date where that is relevant. And then you only hold it for as long as you need to. One of the things that we see quite a lot is organisations who hold onto data for too long; they collected it four or five years ago, they now no longer have a reason to hold it, but they've still got it because they don't have a records management policy in place; they're not deleting that data when they no longer need it. And if I go back to cyber risk, all that stuff that people had with About Loyalty, I suspect a number of them had data sitting there that was historic and they didn't need it anymore, and that causes a compliance risk. So it's really important to think about how long you're holding on to that data: do you still need it or do you not? The sixth principle is around security, so that's ensuring that you have an adequate level of security in place for the information that you hold, and that's tested based on the risk to the individual if that information is compromised. So it's not an absolute obligation, but it's adequate, appropriate measures to protect that data, and the more sensitive the information you have, the greater the lengths you should go to. So for example, if you're in the health and social care sector and you have medical information, you would need to go a lot further than you would, say, for an email address of someone who had perhaps donated some money to you. And then the
final principle, and the one that came in under GDPR back in 2018, is you actually have to be able to demonstrate your ability to comply with all this, as an accountability principle. In the past a lot of people got by kind of retrospectively saying "well, we probably did the right thing"; now you have to be able to show that you had the policies and procedures in place to actually show your compliance with those principles.

So what does that mean in practice? Well, I think it means knowing what data you collect and why you collect it; you're not just doing that in a sleepwalking way, you're actually understanding why you've got that information. Secondly, you need to be clear and explain to people why you have the information and what you're doing with it. So you may tell a different story to your service users, to your supporters or donors, to your members of staff or your volunteers or your trustees; for each of them you will use their data in a different way and you need to be able to explain what that is. So an auditing process is really good to actually look at what you're doing; if you haven't done that for a few years, it's worth doing. You've got to be able to manage your compliance, so internal policies and procedures; we talked a bit about that in terms of the employment side. Some of the policies you have in place help your staff to understand how they should handle data, how long they keep it for, what they do with it, how they keep it secure; policies on remote working, policies on using your own devices, policies on data sharing, all of these things you want to look at and have in place, and think about how you manage that accountability internally: who is it that's actually taking responsibility? Do you need to have a data protection officer? Some of you will and some of you won't, depending on what it is you do. Risk assessments are really important in all this; sometimes they're required in data protection law, but they can be a really good way of managing risks. So doing a data protection impact assessment before you start doing a new activity or a new service or using a new piece of technology can help you to manage your risk and document how you've approached that. Data security is key. You may be very reliant on third parties for this, but think about how you manage security: how do you keep that information secure? Do you know what your third parties are doing? If you're using a third party to run your email system or your document management or document storage, how are they keeping that information secure for you, and what are you saying to people around that? What about paper records, for those who still have paper records; how do you manage that risk as well? And then I mentioned data retention; again, it's really important to actually think about how long you hold that data and what you do with it. And then if you are engaging with third parties, you want to ensure that you have proper contracts in place and you've done diligence on your third parties, so that you're managing the risk with those.

Okay, so in terms of cyber risk, I mentioned the About Loyalty case, and before that there have been lots of other examples in the third sector of service providers impacted in that way. But when we're talking about cyber risk we really think about anything where it impacts on an IT system, and it's not just about personal data; it could be about any system that you have. It could be your email system, a CRM system if you have one, things you use for managing your workforce; all of those systems could potentially be subject to attack. You might run them, you might use a third party, and all of that could have an impact on you, the services you provide, your finances, your ability to actually run the charity. So when we're talking about cyber risk, really it's a very broad thing we're looking at; it's not just about your core systems but also your service providers as well. If you're really dependent on a third party, understanding what risks exist for them, how they manage their IT systems as well. It might be a targeted attack, someone's actually set out to attack you; it might be just someone exploiting a vulnerability, people sit and scan websites and IT systems to try and find a way in; it might be an insider threat, you may have someone who is an aggrieved employee who decides to do something, and that comes up quite often. You see that you protect your perimeter but you're not aware of what's happening internally. And the biggest issue is around phishing, so if you're going to do some training on this, it is around actually training your volunteers and your staff around phishing risk and being able to spot phishing emails, because the vast majority of cyber attacks come out of someone clicking on an email that they shouldn't have done, and that then compromises the system, gives someone access to a password or whatever, and then the next thing you know your system's encrypted and you no longer have access to your data. So it can happen in lots of different ways, and as I mentioned it can impact on your ability to actually operate day to day. It can cause reputational damage; say you have supporters or sponsors or donors whose data is compromised, they might not want to support you in the future, they might not want to give you the information. It might impact on your ability to support your service users. It's undoubtedly going to cause financial damage or financial loss, with the clean-up cost and the management time that's spent on that. And then there's also a regulatory angle as well, so if there's personal data involved you may need to report that to the Information Commissioner; you might also need to report it to OSCR, or to the Charity Commission in England and Wales, and we're seeing the regulators take more and more of an interest in how charities are handling cyber risk and what they're doing about it, and expecting to be told about incidents.

So having scared you with all that, what can you do, what questions do you want to take away from today? Well, firstly, understand what IT systems you have: what are you actually using, whose systems are they and how are they being protected? So ask questions of your IT providers, or whoever it is you rely upon for this, to understand what you're doing. When you're using third parties, then carry out diligence on them; there are lots of good questionnaires and things out there, we have something we provide to our clients, the questions you will want to ask people about how they manage their systems, how they manage their data. You want to look at business continuity and disaster recovery; I know that sounds like a very corporate thing to do, but actually every organisation needs to understand how they would cope if that system went down. If it goes down, what is your workaround? It might just be a bit of paper, but you want to know what it is you would do in that situation if it is critical to you being able to operate day to day. You want to work out who your incident response team is, so who is it internally that takes the lead on this if an incident happens, who gets told about it, do they have external advisers in place or internal people who can help with the legal issues, with the forensic issues, with the IT issues, reputation management, and have you got a plan? So the best thing you can do is have some form of incident response plan which says this is what we will do when we suffer a cyber incident, these are the questions we'll ask, these are the steps that we take. You want to do some staff training around this, to make sure people know what to do, how they spot or are aware of things that might cause a potential cyber incident, and then who they tell, because the quicker you can act the better, and the less of an impact
it will have the easier it is to recover and insurance is really important here I don't know how many of you have cyber insurance but the Cyber insurance does two things one it gives you money and pays for for all the things you need to deal with in cyber incident and the loss you might suffer the other thing it does is it gives you access to a whole load of experts um whether it's cyber frenic people whether it's lawyers and whether it is reputation management people that come as part of the pa
ckage and that is one of the biggest benefits of having that insurance that when you're there panicking because you've not been to this before you can call on people who will help you out so well looking at that if you don't have that um at the moment or your your general insurance doesn't cover that and then with all of this it's about just regular viewing what you do the policies you have in place testing them um running running scenarios um and making sure that your plans actually work um and
then ensuring you have someone who is sitting there actually responsible ideally at board level for this um and was able to then say take responsibility for that um and ask the right questions internally and with all of that if you can do that then hopefully that will put you in a good place um even when the the worst ever happens that was all I was going to say just now I'm sure there' be some questions now or later on yep Thanks Martin does anybody have any questions at the moment GIS thanks
so much for that. Can I just ask specifically around data protection? I'm concerned that people have sort of lost the plot on subject access, which of course next year will be 40 years old as a right, and people come up with all these sort of silly GDPR excuses and they just don't seem to be geared up to respond very well. I think this matters in the sector at two levels. Firstly, there's charities that are receiving requests for access to the data they hold, but also many charities are making subject access requests to third party organizations to try and support the beneficiaries they're working with. Do you agree that there seems to be a lot of confusion out there about basic rights around that? I mean, it's meant to be a 30-day response in most cases, I understand, but people don't seem to be complying very well.

I think so. I suppose there's two things in that. I think we've definitely seen an uptick in the number of people submitting subject access requests, particularly in the employment context, so employees who are in the midst of a dispute with their employer or some form of grievance. But we're also seeing, I think, much more awareness of it, so people are asking about that and they're trying to exercise their rights, and they are becoming more and more complex to deal with, because we all hold far more information than we ever held, and to actually review that is an incredibly difficult and complex task in terms of actually finding what's being looked for. So I think it is something where there is perhaps a lack of... there's an awareness amongst people to ask a question; sometimes people submit a subject access request without understanding what rights they have and what they don't have a right to. And then I think there's also a bit around organizations sometimes not being fully geared up to deal with that, particularly if they're not in a sector where they have historically received subject access requests. There's lots of good guidance out there from the Information Commissioner on this, very detailed guidance; you don't need to pay a lawyer to be told the basics on this, so do look at that if you get a subject access request in. But sometimes you do get complex issues around, I don't know, privilege, or the application of some of the exemptions around negotiations with individuals, or third party personal data. The other one we see a lot: if you've got data that relates to more than one individual, how do you manage that? How do you identify what relates to that person and not to the other? That's a time-consuming process, and the biggest challenge I see for charities, not just charities but for many clients, is they don't have the resource internally to actually review 10,000 emails or whatever it is their IT search has come up with, and that makes it a very expensive, time-consuming process. So there are tools out there that can help you with that, but
it's it's they are complex and challenging things things to to deal with do you want to come I was just going to add because you mentioned the employment side of things we that is something we see an awful lot of our data subject access requests and I always find myself when I'm advising clients to generally on anything to do with employment laws so have you got a data retention policy what data are you keeping don't keep it if you don't have to because if you get a subject access request as Mar
tin says it's you end up with hugely disproportionate amounts of information relating to an individual that have got nothing to do with the thing that's actually in dispute and also I think there's not there's not a sufficient awareness sometimes about the data that's being captured in organizations so in the employment context particularly you get what people are doing is they're making these subject to access requests because they think they're going to get a Smoking Gun something that's you k
now that there's something really awful and discriminatory comment or something in an email between a couple of people and you know to be honest quite frankly sometimes there is so what people write down and what people retain is really important they should just don't write stuff down if you don't need to write it down anywhere on a bit of paper or or or electronically um think about why you're creating stuff and why you're keeping it and how long do you really need to keep it for so Microsoft
teams this the current biggest issue because teams by default retains everything forever unless you change it um and people write in teams a whole lot of stuff that they don't think anyone will ever read um I can I can say that with with certainty because I've seen some of the stuff that has been turned out in search on that um it's used as a chat function people are not aware of that so again there's a huge education piece around how people communicate as as Lynn says what what they commit to w
riting electronically and as opposed to saying on a on a phone call or or whatever or text messages text messages WhatsApp yeah it it's just yeah it's um quite opening sometimes and yeah did I see another another hand yes sir thank you it's Nigel over I support um smaller rare disease Charities so either have maybe one partment part-time member of Staff or is volunteer red now my question follows on from this question of um data retention is um there's different requirements under legislation fo
r lengths of period that you need to retain data board meetings for instance is 10 years Financial is um six years after the current year um if it's a disciplinary action on uh staff members that could be about six six months um but good practice is the expectation on organizations to take um planned backups And archiving so typically backup on a daily a weekly a monthly a fre monthly an annual basis maybe even retaining those annual archives for potentially seven or or 10 years to meet these um
legislative requirements but this conflicts then with um the things like employment law and losing of data um which always gives questions of how do we manage this one and is there actually anywhere a comprehensive guide as to what data needs to be retained under which piece of legislation and for how long that's very a very very good question and I I don't know I mean the there are things out there and certainly we we' a a um a records management textbook which we have in the office which is a
n excellent guide that but I don't know of any publicly available sources but it's certainly something that I think is worth looking at whether we can we can help you with more more guidance in that because data Protection Law doesn't set out any required period it just says You must not keep data long no longer than it's necessary for the purpose but you have to be able to justify that purpose so as you say that for financial information there are minimum requirements beyond that there's not a
huge amount of other things where you have to keep it. It's more that, if you say, you might want to keep something for six years in case you are sued under a contract or by an individual, and so you would want to keep it for that in order to protect your own position. But after that time period has passed there's actually probably not very much you ever need to keep. Certainly for most sectors, there are specific rules in some areas, but for the most part it's more that you would want to keep it to manage your risk, and that's where you have this conflict: what is the necessary period? Well, I want to keep it for six years because someone may have five years to sue me on a particular thing and I want to have clear records from that period.

Okay, thank you. Last question for the minute, and then we'll come back to them after.

If, as an organization, you don't sanction the use of WhatsApp but you know it's being used by colleagues, possibly even senior colleagues, does that mean it is by default almost sanctioned even though you have a policy against it, and would WhatsApp messages be recoverable in the event of a SAR?

Yes. So if they are being used, if you know that senior management is using it, or even line managers are using it, for work purposes or charity purposes, then it's within scope, because you know about it. Even if you say you shouldn't be using it, if you know about it, it's happening, and therefore it's within scope. So the answer to that, I think, is: well, if you know people are using something like that, either put in place a policy to allow them to use it, or provide them with another communication tool that is just as convenient and easy to use, and people then don't fall back on using WhatsApp. And one of the issues I've been talking about recently is people who have, say, WhatsApp on a personal device, because it's only available on your personal device, with a whole load of messages. What happens when that person ceases to be an employee or a trustee of that charity? What are they doing with that? How is the charity then managing that, in terms of saying you should be deleting all of that, and how do they know what's there? But yeah, you can't get round data protection law, or indeed any disclosure process under litigation, just by doing something in WhatsApp rather than on an official email account.

Okay, thanks, Martin. We'll now move on to my final colleague today, Kate,
who is in our insurance and risk team. Over to you, Kate.

Hi, can everyone hear me okay? Yeah. I advise charities in a range of circumstances, really, which can be very diverse, as diverse as the activities of a charity, and I advise before things go wrong, I suppose, about how the risk of them happening can be reduced, but also after things have gone wrong, when really what we're looking at is reducing the impact of what's happened. And so today I wanted really just to highlight two things that have come up recently when I've been speaking to charities, and they cover, I suppose, both sides of that.

The first is understanding and reducing the risk of things happening that you don't want to happen, and that really is a good example of understanding what your duties are as well. So in terms of health and safety duties, an employer owes a duty to manage the risk to the health, safety and welfare of not just its employees but also of any individual who might be impacted by your activities. So that would be service users, but it might be someone that's walking past a shop front that you have and a sign blows off and whacks them in the face. It's not just the people that you're sort of closely working with, so you have duties towards people that are maybe not within your immediate scope of vision. But also you have duties in relation to what other people do, so, kind of tying in to what Martin was saying about where you use a third party provider for your IT needs, where you're using third parties to come in and do stuff for you, it might be painters and decorators, it might be cleaners, they have their own duties, but they could put your people at risk and you might be liable if something goes wrong. And equally you could be liable if something happens to those people that are coming onto your premises or doing things on your sites. So it always sounds really trite when we give this advice, but if you are to manage your health and safety responsibilities and to keep the risks as low as you're obliged to, you need to understand the risks generated by your organization; you need to understand what it is you're doing, and that's not always straightforward. For example, if you have merged with other charities, or if you've taken on responsibilities or activities that were previously done by other organizations, people who are making the decisions about health and safety might not have visibility of that, or they might have lost sight of actually just what all of what you do is. And so having that overview of what it is you do is key, and understanding the risks generated by it too.

So if we're looking at third parties doing stuff for you, you don't have an absolute duty to ensure that what they do is entirely safe, and you're not going to be liable just because something they do results in an accident. But you do have to do, again going back to what Martin mentioned, due diligence. Who is it that you're dealing with? Have you gone for the cheapest person? That's probably not going to be the least risky option. You would need to satisfy yourself that the organization or person you're contracting with is qualified to do what it is you want them to do, and also that they're responsible. And once you've decided that this is the right organization to go with, you need to ask them: well, what is your health and safety policy, and how do you manage risk, how do you train your employees? And also, on a practical level, what is it you're going to be doing, when will you be on my site, who will be on my site, what will they be doing? That's important to protect your people from them, but also to protect them from things that might put them at risk on your site. So there might be access issues, there might be areas you don't want them to go to because you can't keep them safe, there might be things they can't do on your premises for reasons particular to your operation. So there's an element of communication that needs to go on, and it can't be a case of simply thinking, well, that's a third party organization, that's their problem, we've done our bit by paying them and we've kind of washed our hands of it. It is an ongoing responsibility, and there is an ongoing responsibility to check that they are doing what they say they would do. So, you know, quite often organizations will come on board and they'll say this is our policy, this is our training policy, this is how we deal with things; in reality, on the ground, that's not what you're seeing, and so you couldn't turn a blind eye to that. Much like with the WhatsApp messages, if you know it's happening you really are under a duty to do something about it. So I mention that really just because it's the kind of thing that people are maybe blind to, and they might not be aware of the duty until something goes wrong and it's a horrible surprise to find out that your organization could have liabilities.

The second thing I wanted to touch on was insurance. So obviously insurance cannot reduce the risk of something happening; just by having an insurance policy you've not protected yourself against that, but it can reduce the impact it has on you, in terms of finance, in terms of the practical elements of the time it takes to deal with a claim, but also the emotional impact of a claim on an organization when it comes forward. So the first thing is to ensure that you actually have insurance cover, and so things like cyber risk, for example, and abuse, are
things that are very often taken out of general liability policies. They're not included by default; you would actually have to ask the insurer to add them in, you have to essentially buy it as an extra. So it's ensuring that what your policy has, even if it's badged as all risks, checking: does it actually cover all the risks that I would like to have cover for? And then once you have the cover, it's understanding what it is that's covered. Is it covering you for things that happen, things that go wrong, during the period of the policy, or is it covering you for claims that are made during the period of the policy? That can have quite a big impact on your cover, and it's also a record-keeping issue, because where your policies cover you for things that happened during the policy period, you need to know what policies you had in place 20 years ago if you're going to face a claim for something that's what we call a long-tail risk. So, say, a disease claim for someone that's been exposed to asbestos: you're not going to know that you've made them ill for at least 20 years, so you need to know, when they come forward, what policies you had in place back then.

The final thing I wanted to mention is complying with your insurance policy. So ultimately an insurance policy is a contract: your insurer agrees to give you money when certain things happen, but you agree to follow certain rules and meet certain conditions in return for that financial payment. And back to the context of abuse claims, the condition of cover for abuse claims is often that you have a safeguarding policy that meets certain requirements. Those are generally the kinds of requirements you would already have in place, but you just need to be clear that you understand what you've signed up to and what you've agreed to do in return for the cover. There are other requirements, and these can often be missed in the midst of something going wrong, and a key one is notification. So if something happens, or if circumstances come to your knowledge that you think actually might give rise to a claim, there hasn't been a claim yet and no one has said they're going to make a claim, but there are circumstances which you could anticipate might lead to a claim, you must notify your insurer, and it can be quite disastrous if you don't. It's understandable why you might not, because you might be told about something and you might be dealing with reporting it to OSCR, you might be dealing with a police investigation or a health and safety investigation, and telling your insurer may well not be top of the list of things you feel you really must do. But in order to preserve the insurance cover, notifying your insurer when you become aware of the circumstances, or the fact that something's happened, is key, and it's not the case that you don't have to do anything until the claim comes in the mail. So these are things I really mention because they've come up to me personally in the last few months as issues that charities are grappling with, and really to try and highlight some pitfalls that I think can be easy to walk into, but equally easy to avoid if the right approach is taken up front.

Thanks, Kate. Any questions for Kate? You may all be rushing home to check your insurance, I suspect, and that wouldn't be a bad thing. If that was the one thing that people did, I would say that we've achieved what we
set out to do, for my part. And just circling back to the beginning, I outlined the charity trustee duties, and I think what we've evidenced today is how complex it is to be a charity trustee. We are, after all, volunteers, and many of us fulfil our charity trustee obligations in the evening on a laptop, some of us on a phone, and I recall Maureen Mallon, the first year that she was appointed as chief executive of OSCR, saying your charity trustee duties come into play on day one of you becoming a charity trustee. We don't have a year to bed in. Sometimes we have that in our mind when we join a board: you know, year one, we'll get to grips with what's happening in the charity. But from a legal perspective that liability and that obligation to fulfil duties starts on day one. And so how can we help ourselves, how can we help our co-trustees with that? I think one of the things that we can do to help mitigate the risk of challenge around that is have a good induction programme for trustees coming onto the board. Indeed, I'm a member of Scotland's Third Sector Governance Forum, and we commissioned a piece of work a few years ago, and what that showed was that we can do better as a sector; we can better help our incoming trustees, and that would be as basic as sharing the constitution. Is there a code of conduct, a pack of papers? Teach them, help them. That is how we will get people into the sector, that's how we'll get more volunteers; we will, you know, make them feel comfortable with their legal duties. There are lots of sessions like these; we have shameless plugs up on the screen. I'm being sent up to Inverness next week to deliver charity trustee training; there's one in our office that we are delivering with WRA bones and saffre on the 50 of November. There's a lot of free training out there, there's a lot of really good stuff that will help charity trustees get to grips with their obligations.

And then there is during your trusteeship: do you ask your trustees, have they attended any seminars during the year? Some form of ongoing learning is very important. It's not a matter of you turn up for a 4-minute session at the start of your charity trustee role, when you might have a million other things in your head, getting to grips with the people, the chair, the personalities involved. Are you thinking about that? And then when it comes to the end, and I've had a couple of questions recently about people ending their trusteeships and what do they do there: have you resigned properly? What do you actually do when you come off? It made me think, I don't know if I've ever gone and checked the Companies House register to make sure that I've actually been taken off at Companies House. I have now. But it came up, and it came up in connection with a SCIO which then went into liquidation, and the charity, well, the former charity trustee, got in touch to say I've got a chain of emails, I think I've resigned, have I resigned? And of course what we have for SCIOs at the moment is just an obligation to keep a trustee register, which would almost be definitive, and hopefully, with the new changes coming around the corner in the 2023 Act and OSCR having, you know, a live, up-to-date register, as it were, for individual charities that you can go in and see, you'll be able to double check that. But I think that other end is important as well: when you resign, make sure that you have effectively resigned. Don't rely on just sending an email to the chair; make sure the chair has told everybody. If you're a trust, then make sure there is a minute of resignation done.

And on that, circling back to another piece of advice that Martin and I have been involved in recently, with a resigning trustee who had organized the Halloween party and had personal data of other individuals, and she came to us. The one thing I want to mention, and Martin, if you can come in here: some of the information was on a domain
name with the charity, and some was on her personal email, and she was asking us: okay, I've dealt with handing over the codes and the password for the charity's name, but what do I do with the stuff that I've got on my own personal email address? I suppose that comes back to a question as well as to why it actually is important to have the domain name as the charity.

Yeah, I mean, certainly what we say to charities, with the charities hat on, is try to avoid trustees, volunteers, whoever, using personal email accounts for charity business, because if they're using their own account you have no idea how secure that is. They might just have "Password1" as their password. There could be a whole lot of sensitive information in there that they see in their role, that you are responsible for under data protection law, but you have no way of managing that risk. So recommendation number one is to try and avoid people doing that. If you have people who are using personal accounts, then when someone leaves you want to tell them, or you need them, to delete all of that from their system; give them guidance around that, policies around how they manage that, ensure they have a secure password during their time and they remove it at the end. I suppose that if you are that individual and you're leaving, then you should be deleting that stuff. You may feel there's some stuff you want to hold on to for particular reasons, and in this case the individual did want to retain some things because they were concerned they might need to go back to that. You've got to make a judgment on that, as to whether you're comfortable doing that and you can keep it in a way that's secure. But if you were an employee of an organization, when you leave you no longer get access to your email account, so all the stuff you did during your time as an employee you wouldn't have access to. Why would it be different if you're a trustee? So that's kind of the lens to look at it through. But from a charity's point of view, actually, if you can set up and provide, say, trustees and staff with an email account that you can manage, you're much more able to manage your risk.

Thanks, Martin. We are pretty much at the end of the session. It's left to me to thank my colleagues Lynne, Kate and Martin for joining me today, and to thank you for coming along. We will be about for the next 10 or 15 minutes if you want to catch us in the foyer to ask a question. Do sign up for regular updates from Brodies and from the Charities unit; we'd be delighted to hear from you. It's just for me to say to you, I hope you enjoy the rest of your day, and tomorrow as well if you are staying. Thank you.
