What is the current guidance relating to Private Finance Initiatives and PF2 Projects in light of coronavirus?

The courts are seeking to adapt to our new circumstances and have urgently been looking to introduce new ways of working. The courts have been testing out different ways of holding court hearings. The advice is changing almost daily and some courts have been developing local practices. Going forward the court, the parties and their representatives will need to be more proactive about all forthcoming hearings.

Everyone involved in the case is to consider as far ahead as possible how future hearings should best be undertaken and work collaboratively. It will normally be possible for all short, interlocutory, or non-witness, applications to be heard remotely. Some witness cases will also be suitable for remote hearings. The parties just need to ensure that everyone involved can use the technology suggested.

The courts have been looking at and held remote hearings using, non-exhaustively, BT conference call, Skype for Business, court video link, BT MeetMe, Zoom and ordinary telephone call. Bundles for the hearing will be prepared and circulated electronically.

If the hearing cannot be held remotely because the parties do not have the requisite technology or the length of the hearing combined with the number of parties or overseas parties, representatives and/or witnesses make it undesirable to go ahead with a hearing in court at the current time, then it may be that the case will need to be adjourned. We are hearing of trials being adjourned and that they will not be re-listed before at least September.

HMCTS has advised that several priority courts will remain open during the coronavirus pandemic to make sure the justice system continues to operate effectively. It publishes a daily operational update from the courts and they aim to update it by 9am. The link is https://www.gov.uk/guidance/hmcts-daily-operational-summary-on-courts-and-tribunals-during-coronavirus-covid-19-outbreak.

Also, the courts have circulated a civil listing priority list with Priority 1 listing work which must be done and which includes injunctions, any applications in cases listed for trial in the next three months, any applications where there is a substantial hearing listed in the next month and all Multi Track hearings where parties agree that it is urgent.

In the Priority 2 list, which consists of hearings which could be done, are enforcement of trading contracts, trial involving the survival of a business or the insolvency of an individual, small and fast track trials where the parties say they are urgent, and appeal in these kinds of cases.

Similarly, in arbitration proceedings, the parties and arbitrators are being encouraged to utilise technology to make sure that hearings take place. We have heard of Zoom being used very successfully for multi-party proceedings.

Individual contractors who are not operating via an intermediary (eg sole traders) do not need to be assessed under IR35. However, you will always have the risk with those individuals that there is no intermediary – therefore if their tax status is wrong, HMRC are very likely to consider that responsibility for this would fall on the hiring company in any event.

IR35 is an anti-tax avoidance regime which is intended to tackle (in HMRC’s view) the long standing issue of individual contractors providing their services or labour via an intermediary – which is usually a personal service company (referred to as a PSC). We’ll talk about PSCs here, but there are other types of intermediaries that are caught.

HMRC’s view is that this arrangement is often considered to be disguised employment and therefore a tax-avoidance arrangement.

So IR35 is essentially a test of employment status – and if, once you apply the test, the contractor should be an employee, they should then be taxed as an employee.

With the loss of face-to-face meetings in the current situation, video conferencing has taken centre stage. But how do you do that in a compliant way? Here are some of the main high-level data protection issues to consider when selecting and implementing a new third party provider’s video conferencing system.

1. Make sure you do your due diligence on the security measures offered by the provider. Clearly you can’t visit them, so look at the information offered publicly by the provider and read good quality, reliable, third party sources and ask the provider questions directly. Also ask any other organisations you know that use the provider. Document all this.
2. If personal information is being sent outside of the UK/European Economic Area, make sure that transfer complies with GDPR. If it’s a US provider, is it registered in the EU-US Privacy Shield list or does it offer a model clause contract (you’re likely to need the 2010 version)? Or is the service provided from a country whose data protection laws offer equivalent protection to those in Europe? Look at the support service as well as the hosting. Document this.
3. Make sure you put a compliant processor agreement in place. The provider should offer one as part of the contract terms. Check it meets GDPR requirements.
4. You’re likely to need to update your privacy notice, particularly if you’re going to record calls. Provide participants with a short message and link to the privacy notice in the meeting invite and on any registration page.
5. Create or update other GDPR-mandated documentation – for example, depending on your use, you may need a legitimate interests assessment and to update your record of processing.
6. Finally, configure and use the system in a secure and compliant way. Look at the settings/options carefully and think through the security and compliance implications of each. That could include deciding who in the meeting can share their screen; whether or not you use passwords for participants; whether or not to record, and if you’re going to record, where to store the recording. Document your decisions and the reasons for them.

The ICO has said it understands that resources, whether they are finances or people, might be diverted away from usual compliance work during the pandemic. However the last thing you need at the moment is to create a bigger problem than the one you are trying to solve. So do the best you can, ask for help from one of our specialists if you need it, and keep the whole thing under review.

On 16 April 2020, Ian Hulme, the ICO’s Director of Assurance, posted a blog for business owners, employers and managers about how to safely roll out the latest video conferencing technology.

On 21 April 2020, the NCSC published security guidance for organisations on choosing, configuring and deploying video conferencing services.

Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.

• Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
• Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
• Only use the information for the purpose of managing the workforce during the pandemic.
• Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
• Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
• Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
• Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
• Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
• Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
• All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.

If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.

** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.