Hello and welcome back after our brief break to the Pinsent Masons podcast, where we try and bring you the best, the most important, the most interesting business law news and analysis from all over the world every fortnight. My name is Matthew Magee and I'm a journalist here at Pinsent Masons and this week, we're going to look at the profound changes proposed in the UK to building regulations coming out of the Grenfell Inquiry, and we find out why for the first time a data protection regulator has fined an IT outsourcing company acting as a data processor, rather than their client, the data controller, after a massive data breach.
But first, some business law news from around the world: Australia opens consultation on mandatory merger notification thresholds And Saudi Arabia issues implementing rules on exporting personal data
The Australian government is consulting on proposals to require certain companies to tell the competition regulator if they are planning a merger or acquisition. The requirement will apply to companies which meet thresholds based on their turnover or market concentration. The consultation, which closes on 20 September, follows the government’s announcement of wide-ranging reforms to Australia’s merger control laws which were released earlier this year. The purpose of the thresholds is to ensure Australia’s competition regulator, the Australian Competition and Consumer Commission (ACCC), receives notification of mergers that are most likely to impact Australian consumers if they are anti-competitive.
Businesses exporting data from Saudi Arabia will need to review their transfer arrangements, as the Kingdom has issued new regulations on cross-border personal data transfers. The new rules outline how personal data can be exported from the Kingdom under the amended Personal Data Protection Law. The updated law, which has lifted some of the previous restrictions on exporting personal data, came into force on 14 September 2023, but businesses were given a year to comply with the grace period for compliance ending on the 14th of September this year. Data privacy law expert Zil Rehman of Pinsent Masons said, as a first step, businesses will need to select one of the ‘prescribed purposes’ for transferring data to a party outside the Kingdom under the law and the regulations.
In June 2017 a fire tore through a high rise tower block in London when the cladding on the outside of the building caught light and spread the fire. Seventy two people died. A public inquiry published its findings earlier this month, finding extensive failings of government, regulation and industry, leading to the continued use of cladding that, the inquiry said, had been known as far back as 2001 to have ‘burned violently’.
The inquiry report recommends an overhaul of how building activity in the UK is regulated that Glasgow-based building safety expert Katherine Metcalfe describes as ‘monumental.’ An earlier review by Dame Judith Hackitt made some recommendations but this statutory inquiry has gone much further, she said.
Katherine Metcalfe: Dame Judith Hackett's review was commissioned fairly shortly after the Grenfell Tower fire by government with a specific remit to look at the building regulations and the fire safety aspect of that. She did look more broadly at issues like Construction and Product Safety, but the building regulations were her focus and she reported quite quickly. The Grenfell Tower inquiry is much wider in it's remit. It's a public inquiry set up under the legislation for that purpose, to look at yes the regulatory system, but to look at what went wrong, why it went wrong and to make recommendations for the future. It's also hoped that the report can take the place of the coronial process for the people who actually died in the fire. It's a very sobering read and one that I would recommend to anybody involved in any aspect of the construction industry that the residents of Grenfell Tower we're comprehensively let down by the regulatory system that is building control, the way we regulate construction products, the way we regulate fire safety in our buildings and by a wide range of different organisations involved in the tower. And really the report makes a wide range of recommendations to try and make sure that that doesn't happen again in future. It's hugely ambitious in it's recommendations for the future. The central recommendation that they have made is for a single construction regulator. If I rewind a little bit, when Dame Judith Hackett reviewed the system of regulation in the UK, she mapped out all the different regulators involved in different aspects of building safety, and it was a very complex picture which she criticised. The outcome of her review though was really to impose two new regulators, the National Construction Product Regulator and the Building Safety Regulator, on top of those existing levels of regulation. So we didn't simplify the process we just added even more regulators and the inquiries final report is very critical of that fragmented system with lots of different regulators focused on different aspects of building safety and really recommends that all of those are pulled together. So the construction regulator that has been recommended would become responsible for building control. It would become responsible for the content of the building regulations. It would be responsible for the regulation of construction products, including setting test standards and actually issuing certification about the safety of products. It would also be responsible for fire safety in occupied buildings and for the licencing of contractors to work on higher risk buildings. So a massive remit for one regulator which is currently split by many different regulators. To sit alongside that, the inquiry report also recommends that all of the different parts of government that deal with these areas of regulation are brought together. So at the moment the Home Office is responsible for fire safety, the Ministry of Housing Communities and Local Government is responsible for building control and the Department of Trade and Industry is responsible for construction products and the report recommends that all of those are bought together into a single Government Department with one Secretary of State with that overview of all of those different aspects that play into the safety of our buildings.
Matthew Magee: The report said that the Conservative led government of David Cameron treated regulation as ‘red tape’ holding back business. This and the privatisation of some regulatory functions contributed to the risks to life represented by the Grenfell tragedy, it said. Katherine thinks that one of the elements that construction companies will focus on the most is the move to make senior executives personally responsible for decisions.
Katherine: The inquiry report is really looking for senior people within organisations such as architects who are principal designers or within principal contractors working on higher risk buildings to take personal responsibility for making sure that their organisations are designing and building buildings which are safe from a fire perspective.
Matthew: And that's not new is it. I mean, we’ve seen this in the past 15 years in the financial services industry, for example, where there are named people, so it shouldn't be new to the world of business, but it might still have quite a big impact on how companies operate.
Katherine: That's exactly right. The similar provisions have been in the Health and Safety at Work Act, for example, since 1974 and we see a lot of emphasis on that these days in the world of health and safety, but it's new to the built environment and in a situation where competence is an issue within the built environment and there is a lot to do, then organisations have to think very carefully about how they create the management systems which give their managers confidence to sign those compliance declarations.
Matthew: Another area of change that companies will have to focus on is to do with fire engineering and strategies, which the report suggests have been surprisingly lax.
Katherine: The report reaches the conclusion that there is no standard definition of what a fire engineer is, or a recognised professional qualification and the report wants to see government act urgently on that to create a professional body for fire engineers and almost a job description of what that fire engineer ought to do. That sits alongside a couple of other recommendations that the report makes. One is that it should be mandatory to have a fire strategy for a building, which is drafted by a fire engineer if we're talking about a higher risk building. And the central focus of that should be looking at escape times, particularly for vulnerable people within buildings. The report really calls into question the whole stay put strategy for higher risk buildings. The idea that you can contain a fire within a compartment and allow people to stay within the building. The report feels that the current system of regulation is not adequate to allow vulnerable people to get out of a building or to be safe in a compartment in a situation where there is cladding on a building.
Matthew: So what should companies do to prepare for the implementation of these recommendations? Katherine thinks that industries already moving in the direction of compliance with those parts likely to be implemented.
Katherine: Well, the good news is to my mind, lots of companies in this sector are already doing an awful lot, which takes them in the right direction. The real focus that we've seen on competence over the last six or seven years and upskilling people, raising awareness of what fire safety is all about and really stands people in good stead. The compliance management systems that people have been developing in order to comply with the Building Safety Act again reflect lots of the themes that we're seeing coming out of the Grenfell inquiry report. So it's keeping on with the focus on all of those things until we understand what the direction is going to be of any future regulation.
Matthew: It won't be known for months how many of the recommendations the UK Government will act on, but Katherine says that there's no doubt that major change is coming.
Katherine: It's monumental. I've been saying for years now that the Building Safety Act was the biggest change that we have ever seen to the way that building safety is regulated in the UK. This is an entirely different level of change and one that's going to be a real test for government and industry. A lot of these recommendations are not quick fixes, particularly around testing and certification of construction products. It will take many years to resolve some of these problems and are real focus and determination to do so.
In August 2022 the UK’s National Health Service, or NHS, was subject to a cyber attack which disrupted the operation of its 111 non emergency phone line and stopped healthcare staff from being able to access some records. The sensitive personal data of 83,000 people was affected. People’s medical records and phone numbers were exposed, as were details of how to access the homes of 890 home care recipients.
As far as data breaches go it’s hard to imagine many more serious or with bigger potential consequences for those affected. And it all happened via the systems of Advanced Computer Software Group, a company which processed data on behalf of the NHS. UK data protection regulator the Information Commissioner’s Office (ICO) has now said it could fine Advanced up to six million pounds for its failings. You’d hope a regulator would take action here but what’s unusual here is who they have acted against. All other ICO fines – and almost all across Europe – have been levied on the organisations that own and control the data, known as data controllers. This is the first time that an outsourcer working on the data – a data processor – has been fined in the UK. London-based cyber security expert Stuart Davey told me how unusual that is.
Stuart Davey: What the ICO has decided is that they are going to, they’ve indicated they will take some action against this company Advanced that caused this problem for the NHS and it's notable because this is the very first potential fine in the UK against a data processor. And so what we have here is a scenario, and I don't know exactly what Advanced Services were but they are effectively an IT provider, so we're providing some outsourced IT services and as part of those services will involve processing personal data of the NHS on the NHS's behalf. There is throughout the regulation obligations on data processors, including importantly here, the obligation under Article 32 of the GDPR for a data processor as well as data controller to have in place those appropriate technical and organisational measures to ensure the right level of security. And the Data Protection Authorities across Europe, including the UK's Information Commission's Office, has the power to fine either data controllers or data processors. But the primary type of organisation that is in the sites of the GDPR is the data controller, because ultimately that is the organisation that decides how to use personal data, and that's where the primary obligations sit. And that's why we've seen up until now the focus point of enforcement activity on data controllers.
Matthew: The UK’s data protection regime is more or less the same as Europe’s as they’re both based on the EU’s general data protection regulation, though of course the UK may diverge from that in the future. Any change in the relationship between data controllers and processors or the regulation of that relationship is only going to get more important because widespread digitisation of business processes means those two groups are going to get more and more interdependent. Regulators may be acting now on processors because they see more and more activity being outsourced in the future.
Stuart: But I think there's a much more significant context here, which is broader than just this particular enforcement action, which is a concern voiced in many quarters about the risk of outsourced providers, IT providers, technology providers suffering a cyber attack and there being a knock on impact on multiple organisations and there's been many, many examples of that occurring. And so the wider context beyond this particular enforcement action can be seen in regulation and legislation. And so we saw The King's Speech a couple of months ago, proposals by the government to bring in a new Cyber Security Resilience Act and the background, the documents there reference the risk of attacks on the NHS and reference the risk of attacks on local government and so are very much concerned with strengthening the digital backbone that those types of organisations depend upon. So I think it's likely we will see legislation in the very near future that puts more obligations on technology providers and other types of data processors. And a very similar approach taken across the EU, the EU’s NIS 2 Directive, the Digital Operational Resilience Act, two bits of important cyber security legislation that are almost in force. Both have a very strong focus on supply chains and technology providers to ensure that potential knock on effect of a cyber attack are mitigated or limited.
Matthew: Data controllers now know that the processors they choose might be targeted for regulatory action as well as them. And they have obligations to make sure they choose the right companies, ones which are capable of protecting the data that controllers are responsible for. But how easy is it for controllers to make those decisions?
Stuart: What data controllers need to do and are expected to do is ensure they've done the right due diligence at the contracting stage. They've asked the right questions. They have not just considered cyber security as a complete afterthought, but are ensuring that throughout the process they are ensuring the suppliers have in place the right measures and not just doing that at contract stage, but they are using the right to audit and they are keeping a close eye throughout the project, throughout the delivery of services that there's consistently a safeguarding of personal data. But if you are an organisation providing those sort of services, this might for the first time identify some of those potential risks that you as an organisation face in a way that some of the first fines that we saw after the GDPR coming in the British Airways that Marriott fines. Sometimes it's having a fine in the news and this particular decision has been in the news and mainstream press, shining a light on those risks, even if those risks have always been there.
Matthew: The fine could have practical consequences for data processing companies said Stuart, such as an increase in insurance premiums to reflect the higher risk, and the charging of higher prices to organisations whose data is by its nature higher risk.
Stuart: Insurance may be harder to achieve because there may be the risk not only of fines by the Data Protection Authority, fines by Industry Regulator, but also from those customers may seem to bring some legal action if they have suffered losses as a result of the cyber attack. They might choose to reflect the risk of process and that type of data in the pricing or in the contractual terms that they're willing to sign up to and again that isn't something new that that is again something that data process and data controls have been grappling with since data protection legislation came in, but this decision might shine and increased light on the risks to the data process.
Matthew: That's all from us this week. Thanks for listening. Do tune in in two weeks time. And if you've enjoyed this or found it useful please do share with colleagues or friends, leave a review or a rating, that really helps us reach audiences that might be interested. And remember, for a constant stream of daily business, law news and analysis, you can read the work of our journalists at pinsentmasons.com. So thanks for listening and being with us and until next time goodbye.
The Pinsent Masons Podcast was produced and presented by Matthew Magee for International professional services firm Pinsent Masons.
