The latest SCL Privacy & Data Protection Group meeting focused on the dilemma for businesses in trying to comply with the new Bribery Act whilst still meeting the requirements of the Data Protection Act and other privacy laws.
Tony Lewis of Field Fisher Waterhouse opened with useful background about the key provisions of the new Bribery Act, in particular the corporate offence of failing to prevent bribery. This is a strict liability offence, and the only defence is to show that ‘adequate procedures’ have been implemented in the organisation to prevent bribery on its behalf (including in some situations bribery by third parties). The government guidance on adequate procedures identifies six principles that should be addressed. Whilst Tony’s descriptions of different risk factors and the ‘corruption map’ were interesting, it is in complying with some of the other principles that data protection issues begin to emerge.
Next up was Phil Lee, also of FFW, who ably demonstrated how tricky this can be by comparing the compliance dilemmas facing organisations to those of a parent trying to juggle the often competing demands of twins. Bribery compliance involves the collection of information to mitigate risk, whereas data protection seeks to limit the data held to what is required for your purposes. Phil identified three key flashpoints in the adequate procedures guidance from a data protection perspective: due diligence, whistle-blowing and investigations. He then went on to give some advice as to how to achieve an appropriate balance in each of these areas, together with a checklist of key issues to watch for.
With due diligence, the data collected should be proportionate to the risk. He warned that simply providing a defence to Bribery Act offences may not be a sufficient ground for lawful processing, as there is not a direct legal obligation to take adequate procedures. There could also be potential conflict of laws issues where the person being vetted as part of due diligence is based outside the UK.
As with all whistle-blowing, the design of the scope and administration of the scheme needs to be carefully thought through to ensure it is lawful. In much of Europe, anonymous reporting is frowned on and works councils may need to be involved. When considering investigations to check reports, Phil reminded the audience to ensure they had appropriate grounds for any monitoring, in particular covert monitoring. He also commented on appropriate data retention periods, which vary from country to country and may depend upon whether the report was substantiated.
Finally, Jonathan Beak of World-Check gave some views on dealing with these issues at the sharp end. World-Check are in the business of performing due diligence, vetting and selling business intelligence to clients who are subject to laws and regulations with similarities to the Bribery Act, such as banks’ ‘know your customer’ obligations.
He explained some of the typical due diligence products on the market: these included access to reports on a particular company or individual, drawn from databases of individuals regarded as heightened-risk for various reasons; and the commissioning of bespoke enhanced reports going into a greater level of detail where specific risks had been identified.
In order to comply with data protection laws, these reports should be treated as one step in the process, not as a blacklist, and the subject should be given the opportunity to respond to any queries raised, eg in case there was a mix-up of similar names or a case had moved on. He emphasised that they based their reports on data from the public domain and that their clients’ need to comply with laws and prevent crime provided lawful grounds for the data processing. In terms of fairness, it would be a disproportionate effort for such a provider to give notice at the point of collecting information for a database; however, the client can often do so, or ask for consent, at the outset of its proposed transactions with the subject.
At the end of the session some interesting discussions arose during questions around employee vetting, how in practice entities may be found out(!) and some of the possible risks arising from potential changes to the new Data Protection Directive. All in all, food for thought and a very timely discussion with the Bribery Act in force from 1 July.
Nicola Fulford is an Associate at Bristows and a SCL Privacy & Data Protection Group Committee Member.