Dear Subscriber,

Welcome to the July 03 issue of K-Zine, Kilroys Solicitors e-briefings for business™ from an Irish and European perspective.

In this issue our main focus is on the Data Protection (Amendment) Act 2003, an important piece of new legislation that came into force on the 1st July last with significant compliance implications for large and small businesses in Ireland.

In addition we look at some recent developments in Employment law; the implications of negligently giving an employee a reference; the Redundancy Payments Act 2003, the proposed Protection of Employees (Fixed-Term Work) Bill 2003 and the proposed Maternity Protection (Amendment) Bill 2003.

We also comment on the remedies available under the EU Public Procurement Directives and look at a recent Supreme Court decision in the case of Dekra v The Minister of the Environment, which ruled on the issue of Judicial Review as one such remedy.

Kind regards,
Kevin O'Brien


Data Protection
Important new Data Protection legislation in force since 1st July 2003 - the practical significance for Irish businesses
Employment Law
The Negligent Reference - where does the employer's duty lie?
Employment Law
 The Redundancy Payments Act in force since 25th May 2003 - a brief overview.
Employment Law
 The Protection of Employees (Fixed-Term Work) Bill 2003 - what is proposed?
Employment Law
 The Maternity Protection (Amendment) Bill 2003 - what is proposed?
Public Procurement
 An overview of the Remedies available for breaches of the EU Public Procurement Directives.

SEARCH
Search our online library
EVENTS
For more information on our forthcoming seminars
PRIVACY STATEMENT
To view our privacy statement
KILROYS.IE



Important new Data Protection legislation in force since 1st July 2003 - the practical significance for Irish businesses.

What does Data Protection mean?
 The relevant legislation is the Data Protection Acts 1988 - 2003 ("the Acts"). The 2003 Act came into force on the 1st July.

The legislation is concerned with protecting the privacy of individuals ("Data Subjects") and regulating the manner in which their personal information ("Personal Data") is used by entities ("Data Controllers") that collect, process or store such data. The Data Protection Commissioner is the statutory regulator and he has significant powers of enforcement.

There are specific requirements to be followed for the processing of what the Acts define as "Personal Data" and "Sensitive Personal Data" to be lawful.

Personal Data is data that relates to a living person and that can identify the individual on its own or in conjunction with other data in the possession of the Data Controller.

Sensitive Personal Data is data that relates to a person's racial origin; political opinions or philosophical beliefs; trade union membership; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence including the outcome of any proceedings.

Examples of Personal Data would include; an individual's name, address, telephone number, e-mail address, mobile number, PPS number, employment records, health details, financial records, credit history and family details.

In this article the use of the expression "Personal Data" includes "Sensitive Personal Data" where appropriate.

Why should my business be concerned?

If your business processes such Personal Data, it must ensure that this data is collected fairly and processed for legitimate purposes only. Your business must register annually with the Office of the Data Protection Commissioner (unless exempted) and cannot lawfully process Personal Data without being registered.

Failure to comply with these obligations exposes your business to the risk of criminal prosecution with a maximum fine for a conviction on indictment of €100,000.
People value their data privacy rights very highly and are becoming increasingly concerned that their Personal Data is being misused. Personal Data is a valuable asset of any business and as with any other business asset it should be properly protected.

Any business that allows Personal Data to be misused, lost or damaged runs the risk of seriously damaging its key customer/employee relationships; having complaints made to the Data Protection Commissioner; being investigated and possibly having some or all its valuable databases deleted; being sued in damages by aggrieved individuals or being prosecuted.

On the publication of his Annual Report for 2002, in April of this year, the Data Protection Commissioner announced that as and from July 2004 his office would begin visiting Irish companies both private and public to audit the state of their compliance with Data Protection law. You could find that your business is being audited in a little over 12 months time.

How would your business deal with such a "dawn raid" and its consequences, the possible adverse publicity and probable loss of reputation?

What does compliance with this legislation require?
The Acts set down the rights to be respected and the obligations to be adhered to before any entity operating in Ireland can lawfully collect, obtain, use, or store Personal Data.

It is worth remembering that the Acts extend to all Personal Data whether stored on computer or stored on manual files created since July 2003. Manual files in existence prior to July 2003 will only come under the remit of the Acts in October 2007.

The Eight Data Protection rules.

These eight rules lie at the heart of Irish Data Protection law. Every business needs to be familiar with, and to obey them.

1. Obtain & process fairly and lawfully
 Essentially to comply with this rule, the individual must be made aware at the point of collection of the identity of the person collecting his/her Personal Data; the purpose for which it is required; the identity of anyone to whom it will be disclosed and any other information that is relevant to determining whether the processing is fair.

For example, the failure to disclose to the individual a purpose for which the data is then used would be unfair. Unless certain limited circumstances as defined in the Acts apply - the consent of the individual must be obtained when the Personal Data is being collected and the explicit consent of the individual must be obtained when Sensitive Personal Data is being collected.
2. Keep accurate, complete and up to date.
 Personal Data must be kept accurate, complete and up to date. This means that databases should be periodically reviewed, inaccurate data corrected and redundant data deleted. This requirement does not extend to "back up" data, kept for that purpose.

3. Keep for specified, explicit and legitimate purposes only.
 Personal Data may only be kept for purposes that are specific, lawful and clearly outlined in advance to the Data Subject and may then only be processed in a manner that is compatible with the stated purpose. A Data Subject has the right to know why his/her Personal Data is being processed and can demand an explanation of the reasons why it is being used.

4. Do not then process for incompatible purposes.
 Personal Data cannot be processed or disclosed in a manner that is incompatible with the purpose for which it was originally obtained, unless further consent to such processing is first obtained from the Data Subject or certain limited circumstances provided for in the Acts apply.

5. Ensure that it is adequate, relevant and not excessive.
 Personal Data that is not required to achieve the stated purpose should not be collected. Any Personal Data, which is irrelevant or excessive to that purpose, must be deleted from the database.

6. Retain for no longer than is necessary
 Personal Data must not be retained for longer than is necessary for the purpose for which it was first obtained. Redundant data should be periodically purged from relevant databases.

7. Keep it safe and secure.
 Data Controllers must ensure that appropriate security measures are in place to guard against unauthorised access to, or unauthorised alteration, disclosure or destruction of Personal Data.

In deciding what is "appropriate" a balance must be struck in each case between what is technically available and the associated implementation costs.

Security levels must be proportionate to the risks and the consequences for the Data Subject of unlawful access or damage or destruction to the data as well as the nature of the data concerned. The security requirements are higher for Sensitive Personal Data.

8. Comply with access requests from Data Subjects.
 Upon making a written request, a Data Subject has the right to access his/her Personal Data held by the Data Controller.

Within 40 days the Data Controller must; confirm whether such data is held; describe the data; state the purposes for which the data is held; disclose the identity of any person to whom it has been disclosed; provide a copy of the data; provide confirmation of the source of the data and if applicable the logic behind any automated processing of the data that forms the sole basis for any decision capable of legally affecting the Data Subject.

The Rights of the Data Subject

In addition to the access right referred to above, the Acts confer the following additional rights on Data Subjects.

1. Rectification, blocking or erasure.
 Within 40 days of receiving a written request a Data Controller must rectify any notified errors in the individual's Personal Data, or in appropriate circumstances, have such Personal Data blocked or erased.

If requested in writing, the Data Controller must cease processing Personal Data within a reasonable time or refrain from beginning the processing, if it would be likely to cause substantial damage or distress to the Data Subject or to another person and where the damage or distress would be unwarranted, unless consent has been obtained or one of a number of limited circumstances provided for in the Acts apply.

2. Direct marketing.
 If you propose to use an individual's Personal Data or anticipate that it may be used for direct marketing purposes, the individual must be informed at the point that the data is collected, of the his/her right to object in writing to such processing free of charge.

The individual has the right to demand that his Personal Data is not used for direct marketing purposes. If so requested, the Data Controller has 40 days to comply and must then confirm the position in writing to the Data Subject.

3. Automated Decision Making
 Personal Data may not be processed so as to reach decisions with legal effects for the Data Subject by means that solely rely on the automated processing of the data to arrive at the decision. Examples of such activities would include the evaluation of work performance, creditworthiness, reliability or conduct.

To be lawful there must be some element of human evaluation in the decision making process.

Transfers abroad.

Personal Data may not be lawfully transferred from Ireland to a country or territory outside the European Economic Area (EEA) unless that country or territory has adequate levels of data protection. To be lawful the transfer must have the consent of the individual or at least one of a limited number of conditions set out in the Acts must apply.

Any contract between a Data Controller and a third party located outside the EEA concerning the transfer of Personal Data must entitle the Data Subject to enforce any clause in the contract that confers rights on the Data Subject and to compensation for breach of the clause in the same way that the Data Subject could, if he/she was a party to the contract.

The Data Commissioner has the authority to prohibit the transfer of Personal Data from the State unless such a transfer is required or authorised by law.

Registration with the Office of the Data Protection Commissioner
A Data Controller cannot lawfully process Personal Data unless first registered with the Office of the Data Protection Commissioner.

Once registered, it cannot then lawfully process Personal Data, or obtain Personal Data from any source, or disclose Personal Data to any person, or directly or indirectly transfer such Personal Data to any location outside Ireland unless all of these details are included in its registration.

Data Controllers and Data Processors (unless exempted) must register annually with the Data Protection Commissioner and pay the appropriate annual registration fee. Failure to register is an offence under the Acts.

 Conclusion

We believe that it makes sound commercial sense to take a proactive approach to ensure that your business has addressed its data protection obligations in a reasonable and proportionate way.

No system or process can be completely error proof. However it is far better (in the event of any complaint or inspection arising) to be able to point to a system or process - imperfect though it may be - that at least demonstrates an honest and conscientious attempt to address these very important legal obligations.

Compliance makes good business sense.


For further information contact:
Patrick Ryan at
Email : pryan@kilroys.ie
or see detailed article on our website at
www.kilroys.ie/library/it/data_protection_act_july_03.htm
© Kilroys Solicitors 2003
The Negligent Reference - where does the employer's duty lie?

An employee in the UK who discovered that a reference provided by his previous employer cost him his new job has recently instituted legal proceedings.

The former employer is reportedly being sued for £10 million in lost salary and pension rights. The plaintiff was sacked from Deutsche Bank, on the grounds of the reference from the former employer, which allegedly described the employee as "incompetent" and the writer of the reference said working with him had been the "most horrendous episode that I have ever experienced in my working life"

The reference came to light after the attempt to sue Deutsche Bank for wrongful dismissal failed and the tribunal dealing with the matter found on the basis of the reference that Deutsche Bank had acted properly.

The legal position

Employers have a duty to take reasonable steps to establish the facts and to ensure that they support the opinion expressed in any reference. If there is a misrepresentation in the reference, the former employee can sue his or her former employer.

However a legal distinction must be drawn between a reference that is positively misleading and one, which is not comprehensive. The employer is not obliged to include all material facts but he must not include misleading information in the reference.

It will be interesting to see how this UK case is decided. Employers must be careful not to include unsubstantiated statements in references because to do so is to risk costly litigation from former disgruntled employees.
For further information contact:
Anthony Layng at
Email : alayng@kilroys.ie

© Kilroys Solicitors 2003
The Redundancy Payments Act 2003 in force since 25th May 2003 - a brief overview.
Key changes to the Redundancy Payments Act came into force on 25th May 2003.

The most important points are:
  • Employees will have an entitlement to 2 weeks' statutory redundancy payment for every year of service regardless of age. Under the old regime employees received a half-week's pay for service between the ages of 16 and 41 and one week's pay over 41.
  • There is no change to the requirement that employees must have 2 years' service to receive a statutory payment and the bonus week will be retained.
  • There will be a simpler way of calculating service.
  • The rebate of 60% of the statutory payment will continue so that the cost to the employer will only be 40% of the payment after the rebate is taken into account.
  • The notification requirements have been simplified and the RP1, RP2 and rebate claim form will be combined into one single document.
Employees of insolvent companies will be able to make claims for minimum notice entitlements under the Insolvency Payments Scheme without having to first obtain an award from the Employment Appeals Tribunal.
The Protection of Employees (Fixed-Term Work) Bill 2003 - what is proposed?

The Protection of Employees (Fixed-Term Work) Bill 2003 was published on 23rd May 2003 and it is expected that the Bill will be enacted shortly.

The main provisions are:
  • Employers can no longer discriminate in terms of pay or pension provisions as well as any other employment condition.
  • A fixed term employee can be treated in a less favourable manner if there are objective reasons for that treatment and it must achieve a legitimate objective of the employer.
  • Once an employee enters their fourth year of continuous employment with the same or an associated employer the fixed term contract may only be renewed once more. A breach of this provision will mean that the contract will automatically be for an indefinite duration.
  • An employer must inform fixed term employees in relation to vacancies that arise to ensure that he or she has the same opportunities to secure a permanent position as other employees. They must also be included in opportunities for training and career development as far as reasonably practicable.

 

Maternity Protection (Amendment) Bill 2003 - what is proposed?

The Bill to amend the Maternity Protection Act 1994 was recently published but no guideline has been given as to when it will be enacted.

The principal changes that are proposed in the Bill are:
  • Expectant mothers are to be allowed to attend a complete set of antenatal classes without loss of pay;
  • A right of fathers to be paid for time off to attend two antenatal classes;
  • An adjustment of working hours or breaks for breast feeding mothers for four months after the birth;
  • Termination of additional maternity leave in the event of illness subject to the agreement of the employer. The employee shall not be entitled to the untaken period of additional maternity leave.
  • If the employer agrees the employee can postpone maternity leave or additional maternity leave if the child is hospitalised to allow the employee to return to work.
For further information contact:
Anthony Layng
Email: alayng@kilroys.ie

© Kilroys Solicitors 2003
An overview of the Remedies available for breaches of the EU Public Procurement Directives.
Introduction

There are four EU Public Procurement Directives governing the award of public contracts above certain published thresholds, which require that such public contracts can only be awarded after an open and competitive tender process where the selection and award criteria are publicly advertised in advance.

Three Directives called the Public Sector Directives govern the award of contracts by state, local and other regional or municipal authorities and public bodies collectively called "contracting authorities".

The Directives are as follows: -
  • Council Directive 93/36/EEC of 14th June 1993 on the co-ordination of procedures for the award of public supply contracts (the Supplies Directive).
  • Council Directive 93/37/EEC of 14th June 1993 on the co-ordination of procedures for the award of public works contracts (the Works Directive).
  • Council Directive 92/50/EEC of 18th June 1992 on the co-ordination of procedures for the award of public service contracts (the Services Directive).
There are a parallel set of rules set out in Council Directive 93/38/EEC of 14th June 1993 on the co-ordination of the procurement of procedures of entities operating in the water, energy, transport and telecommunications sectors (the Utilities Directive).

What happens if the Directives are breached?
The procurement rules governing the award of public contracts by contracting authorities under the Public Sector Directives and the Utilities Directive listed above, are supported by two specific Directives which deal with remedies for breaches (collectively called "the Remedies Directive") which are as follows: -
  • Council Directive 89/665/EEC of the 21st December 1989 on the co-ordination on the laws regulations and administrative provisions relating to the application of review procedures to the award of public supply and public works contracts (the Supplies, Works and Services Directives).
  • Council Directive 92/13/EEC of the 25th February 1992 on the co-ordination of the laws regulations and administrative provisions relating to the application of Community Rules on the procurement procedures of entities operating in the water, energy, transport and telecommunications sectors (the Utilities Directive).
The Remedies Directives oblige each member state to ensure that effective remedies and means of enforcement are made available to suppliers, contractors and service providers in the Courts of the member states where these suppliers, contractors and service providers believe that they have been harmed as a consequence of a breach of the public procurement rules.
Two Statutory Instruments; SI No. 309/1994 and SI No. 104/1993 have implemented the Remedies Directives into Irish law.

Proceedings alleging a breach of the EU Procurement Rules must be brought in the High Court. Available remedies include;
  • Interim Orders (Injunctions)
  • Set Aside Orders
  • Awards in damages
In addition to these remedies, aggrieved parties may also bring an application before the High Court, seeking judicial review of the decisions complained of, which must be brought within strict time limits.

Complaints to the EU Commission

Quite apart from any actions brought before national courts, aggrieved parties may also lodge complaints with the EU Commission. Once such a complaint is lodged the EU Commission may invoke what is known as "a corrective" procedure, if it is satisfied that a clear and manifest breach of the public procurement rules has been committed prior to the award of the contract concerned.

In such circumstances, the EU Commission will formally notify the contracting authority and the relevant member state of the complaint. The EU Commission will set a time limit of at least 21 days in the case of the public sector, or 30 days in the case of the utility sectors within which the parties to whom the complaint has been addressed, must respond.

In circumstances where the EU Commission is not satisfied with the explanations that it has received, it is entitled to commence formal proceedings under the provisions of the Treaty of Rome, which could ultimately result in a case being brought before the European Court of Justice.

Recent Irish Case Law

In a recent Irish case; Dekra v The Minister for the Environment, the plaintiff instituted High Court proceedings seeking Judicial Review of the decision of the Minister for the Environment ("The Minister") to award a public contract to establish and operate the National Car Testing Centres pursuant to the Services Directive. The case was appealed to the Supreme Court whose decision was handed down on the 4th April last.

Briefly the facts of the case were as follows. In March 1998 The Minster advertised in the Official Journal of the EU and in the national press for a private sector contractor to operate the National Car Testing Centres.

The plaintiff was one of four parties invited to submit tenders. The contract notice stipulated that the contract would "be awarded to the service provider offering the most economically advantageous bid."

On the 24th November 1998 the plaintiff was formally notified that it was unsuccessful and was advised that SGS Ireland Limited (SGS) was the preferred bidder with whom the Minister would negotiate the contract. Dekra were very disappointed with the outcome and sought to establish why they had not succeeded. A follow up meeting was held with Dekra shortly after the announcement. On the 14th December 1998 Dekra was informed that the contact would be awarded to SGS on the 15th December 1998.

On 25th March 1999, Dekra began High Court Judicial Review proceedings. Among the findings of the High Court was that although Dekra was 10 days outside the time period within which such proceedings had to be taken under the rules of the Superior Courts, sufficient justification existed to extend the period having regard to the facts of the case.

This decision was appealed to the Supreme Court, which held that sufficient justification did not exist to extend the time limit and that as Dekra was outside the time limit for the institution of such proceedings the relief was therefore denied to them.

The Supreme Court held that the remedy of Judicial Review derives from the Remedies Directive, which requires that "decisions of contracting authorities may be reviewed effectively and, in particular, as rapidly as possible" but that in the circumstances of the case the plaintiff did not move as rapidly as possible.

Conclusion

Public procurement - the award of public contracts is a huge area of significant economic activity that continues to grow. It is established Government Policy that the Irish public procurement market should be open to the greatest level of competition as possible. One only has to look at initiatives such as the establishment of a central PPP unit within the Department of Finance as well as the excellent central procurement portal www.etenders.gov.ie that contains details of all public sector contracts above the relevant thresholds to see how this policy is being implemented.

It is fair to say that the compliance record of Irish public bodies with the requirements of EU public procurement law is impressive. That said, in circumstances where tenderers genuinely believe that they have a justifiable complaint they must ensure - in the first instance that they promptly notify the complaint to the relevant contracting authority and - if circumstances exist to justify recourse to the Remedies Directives - that they act in time.

For further information contact:
Patrick Ryan at
Email : pryan@kilroys.ie or
Tom Simpson at tsimpson@kilroys.ie

© Kilroys Solicitors 2003
Forthcoming Seminars If you would like more information on
forthcoming seminars or would like to register click on the appropriate seminar below:
- Employment