Regulatory round-up – November/December 2017


Consumer and Retail Finance – November/December 2017
Latest from the FCA including recent consultations, other sector news and looking ahead to 2018.
Financial Conduct Authority (FCA)
The FCA is now consulting on how firms and individuals will transition to the Senior Managers & Certification Regime (SM&CR) and on how it will apply the ‘Duty of Responsibility’ to FCA solo-regulated firms. Comments are requested by 21 February 2018 and a policy statement is expected in summer 2018.
This follows the FCA’s recent consultation on extending the SM&CR to all firms authorised under the Financial Services and Markets Act 2000 (FSMA) (see our earlier briefing for details). In its response to the consultation, the Law Society says that it remains strongly of the view that the legal function should be excluded from the scope of the SM&CR.
The FCA is also consulting on its approach to supervising and enforcing the SM&CR rules for authorised firms’ unregulated activities, including those covered by industry-written codes of conduct. At the same time, it is starting a discussion and seeking views on extending the application of FCA Principle for Businesses 5 (“A firm must observe proper standards of market conduct”) to unregulated activities. Comments are requested by 5 February 2018.
On 14 December 2017, the FCA published feedback on its earlier credit card market study consultation on persistent debt and earlier intervention remedies, and opened a further consultation. This new consultation includes a revised analysis of the costs to businesses of the proposed remedies and sets out how the FCA has changed its thinking on aspects of its persistent debt proposals in light of the feedback received. Comments are requested by 25 January 2018 and a policy statement is expected in Q1 2018.
As part of its high-cost credit review, the FCA published a paper summarising the feedback from various stakeholder roundtables held in September and October 2017.
Following the launch of the FCA’s Mission earlier this year, it recently published a Future Approach to Consumers paper exploring the approach to regulating for consumers. This is the first in a series of documents explaining the FCA’s approach to regulation in more depth. The executive summary is found on pages 7 to 10. The paper is intended to broaden the debate started in the Mission document and to set out the FCA’s views so far. It explains how the FCA currently intends to prioritise the needs of all types of retail consumers in its decision-making and interventions. Questions are set out on page 47 of the paper to support the FCA in formulating its Approach to Consumers. Feedback is sought by 5 February 2018 and a final paper is expected to be published in summer 2018.
There is a reference in the Approach to Consumers paper to the potential need identified by some stakeholders for the FCA to introduce a new ‘Duty of Care’ for firms. The FCA says that it will publish a discussion paper to explore this issue as part of the broader exercise of reviewing the FCA Handbook, best done following the UK’s withdrawal from the EU. It is also referred to in the government’s recent response to a House of Lords Select Committee report on financial exclusion. The government’s responses to the Committee’s recommendations are set out in chapter 5.
On 11 December 2017, the FCA published the next two documents in the series – the Approach to Competition paper and the Approach to Authorisation paper. Feedback is sought by 12 March 2018, with final versions expected in summer 2018.
The FCA is consulting on “Regulatory fees and levies: policy proposals for 2018/19”. The consultation closes on 15 January 2018 and a policy statement is expected in March 2018. Among other things, the FCA invites views on whether and how it might refine the definition of credit-related income to take account of the specific circumstances of consumer hire agreements, and is consulting on a revised methodology for calculating the levy which funds the debt advice work of the Money Advice Service (the proposal being to align the levy more closely with firms’ lending activities).
The FCA published a webpage explaining what consumer credit firms need to report in terms of income on their annual consumer credit returns, used to calculate regulatory fees and levies charged for the following year. It also published a webpage explaining that, together with the Bank of England, it is exploring how technology can provide solutions to the challenges firms face in implementing their regulatory reporting obligations.
The FCA published a policy statement and final rules which require providers of personal current accounts (and business current accounts) to make information about current account services available to customers. It has also published a policy statement and final rules implementing various recommendations from the Financial Advice Market Review.
The latest edition of the FCA’s Data Bulletin focuses on trends in regulated mortgage lending over the last ten years. The recently released mortgage lending statistics for Q3 2017 show a continued increase in mortgage lending activity. On 6 December 2017, the government launched its Rent Recognition Challenge – “a £2 million competition to develop applications that help renters boost their credit scores, access credit and get on the housing ladder”. It says that winning bids will be selected by a panel of leading figures from the FinTech sector.
The FCA announced details of those firms which were successful in their applications to begin testing in the third phase of the regulatory sandbox, part of the FCA’s “Project Innovate”. It is now accepting applications in relation to the fourth phase.
The draft texts of various FCA speeches were recently made available. On 4 October 2017, the FCA’s Director of Retail Banking Supervision gave a speech on retail banking and payments. Topics covered were the increasing rate of innovation, “game-changing” regulation and legislation, the benefits and regulatory requirements of the revised EU Payment Services Directive (PSD2), Open Banking, and the evolving nature of the risk landscape. On 15 November 2017, the FCA’s Chief Operating Officer gave a speech on “Cyber resilience and supplier risk: moving beyond compliance” which highlighted, among other things, that cyber resilience is not a tick box and should be driven from the top down, with Boards asking probing questions. On 28 November 2017, the FCA’s Executive Director of Strategy and Competition gave a speech on the future of competition and regulation in retail banking, looking in particular at PSD2 and Open Banking. He concluded: “This is a challenging time for retail banks and regulators alike. But with challenge comes opportunity. We want the regulatory climate to be open to and foster those opportunities. Innovations that were once ground-breaking become rudimentary, with possibilities to make a genuine difference in the lives of ordinary people and transform businesses. Our focus, as regulator, will be on harnessing the potential of this new age for the good of consumers”.
With the introduction of PSD2 just around the corner, the FCA recently published a webpage for consumers on account information and payment initiation services. On 27 November 2017, the European Commission adopted regulatory technical standards developed by the European Banking Authority (EBA) on strong customer authentication and secure communication in relation to PSD2. See the press release “Payment services: Consumers to benefit from safer and more innovative electronic payments” for details. The EBA recently published its final guidelines on security measures under PSD2.
Other sector news
The Treasury Committee launched an inquiry into household finances, which will scrutinise problematic indebtedness, inter-generational issues, lifetime financial planning, and the effectiveness of the market in financing solutions and products to low income households.
On 24 November 2017, the Law Commission published its report on the Goods Mortgages Bill, which sets out the final version of the Bill and the Law Commission’s recommendations. The Law Commission consulted on draft clauses earlier in the year and HM Treasury ran a separate consultation which closed in October 2017. The intention is that the proposed legislation will replace the existing Victorian legislation on bills of sale to govern the way that individuals can use their existing goods as security.
The Financial Guidance and Claims Bill, which was introduced in the Queen’s Speech and includes the establishment of a single financial guidance body, was recently passed in the House of Lords and has had its first reading in the House of Commons. A number of the amendments agreed in the House of Lords concern the establishment of a debt respite scheme (the government issued a call for evidence on this topic in October 2017).
The Money Advice Service launched a new five-year debt commissioning strategy aimed at ensuring that debt advice services target those most in need.
The Banking Standards Board is consulting on “What do good banking outcomes look like to consumers?”. Responses are requested by 26 January 2018.
The National risk assessment of money laundering and terrorist financing 2017 was published in October 2017. High-end money laundering and cash-based money laundering remain the greatest areas of money laundering risk to the UK. Chapter 4 looks specifically at the financial services sector. The FCA referred to the assessment in its November Regulation round-up. It contributed significantly to the assessment and agrees with the findings in relation to financial services. Firms are encouraged to review the assessment document, the FCA’s financial crime guidance and the guidance from the Joint Money Laundering Steering Group.
A Sanctions and Anti-Money Laundering Bill is currently making its way through the legislative process. It is intended to ensure that the UK can continue to meet its international obligations and to implement UK sanctions and anti-money laundering measures after the UK leaves the EU.
The Financial Action Task Force has updated its guidance on anti-money laundering and counter-terrorist financing measures and financial inclusion, with a supplement on customer due diligence. It also recently published updated guidance on private sector information sharing.
On 15 December 2017, the European Parliament and Council reached a political agreement on the Commission’s proposal to further strengthen EU rules on anti-money laundering and counter-terrorist financing. See the Commission’s press release with a link through to a factsheet. The proposal is for a directive (which will become the Fifth Money Laundering Directive) to amend the Fourth Money Laundering Directive (MLD4). MLD4 was implemented in the UK by the introduction of the new money laundering regulations which came into force on 26 June 2017.
On 14 November 2017, the European Parliament adopted a resolution on the European Commission’s action plan on retail financial services (published in March 2017). This follows on from a report published by the Parliament’s Committee on Economic and Monetary Affairs in October 2017. The Parliament sets out a number of actions for the Commission in relation to (among other things) easier product switching, a deeper single market for consumer credit, fair consumer protection rules, better creditworthiness assessments, FinTech and online selling of financial services (including cybersecurity issues).
The Financial Services Trade and Investment Board published its 2016 to 2017 annual report, outlining the work of government and industry over the past year to drive the UK’s financial services trade and investment priorities, including in relation to FinTech.
Credit reference agencies Callcredit, Equifax and Experian are launching an industry-wide Credit Reference Agency Information Notice (CRAIN) in preparation for the implementation of the EU General Data Protection Regulation (GDPR) on 25 May 2018. See the Data Protection section of this Regulatory round-up for the latest on GDPR.
The Financial Stability Board has published a report that considers the financial stability implications of artificial intelligence and machine learning, which are being used increasingly by financial institutions, including to assess credit quality and to automate client interactions.
Looking ahead to 2018
- 13 January 2018: PSD2 applies
- Q1 2018: Staff incentives, remuneration and performance management in consumer credit – FCA policy statement and finalised guidance expected. Update on FCA’s work on motor finance also expected.
- Spring 2018: Further FCA consultation paper on high-cost credit expected. FCA interim report from its mortgages market study also expected.
- Q2 2018: FCA policy statement and final rules and guidance on assessing creditworthiness in consumer credit expected.
- Summer 2018: FCA policy statement and final rules on extension of SM&CR expected.
- Q4 2018: FCA final report from its mortgages market study expected.
- Late 2018: Extension of SM&CR to all FSMA-authorised firms expected.
- FCA review of the retained provisions of the Consumer Credit Act 1974 – interim report expected during 2018.

Data Protection – November/December 2017
Update on GDPR, e-Privacy Regulation, Data Protection Bill, Privacy Shield and more. Looking ahead to 2018.
Latest on the EU General Data Protection Regulation (GDPR) and e-Privacy Regulation
The UK’s Information Commissioner’s Office (ICO) has replaced its “Overview of the GDPR” with a “Guide to the GDPR”, which includes new expanded guidance on the lawful bases for processing (including consent and legitimate interests) as well as an expanded section on contracts and liabilities. The Guide links to ICO guidance and guidance from the EU’s Article 29 Working Party (WP29).
The WP29 consulted until 28 November 2017 on draft guidelines on personal data breach notification and on automated individual decision-making and profiling. The ICO is reviewing the consultation responses with the rest of the WP29 and finalised guidelines are expected in early 2018. The WP29 recently published draft guidelines on consent and transparency (accessed via the WP29 website). Comments are requested by 23 January 2018. The ICO says that it will publish a final updated version of its own consent guidance once the final content of the WP29 guidelines is clear.
The ICO has published a package of GDPR resources for small organisations.
A recent ICO survey revealed that only 20% of the UK public have trust and confidence in companies and organisations storing their personal information. The ICO’s Deputy Commissioner (Policy) said: “By now organisations should be aware of the changes to data protection law next May. It’s no longer acceptable to see the law as a box ticking exercise. Organisations will need to be accountable, to their customers and to the regulator”.
Meanwhile, the European Parliament confirmed in a press release that it is ready to start talks with member states on the new e-Privacy Regulation as soon as they have agreed on their own negotiation position. It is not yet clear whether the Regulation will meet the planned in-force date of 25 May 2018, to coincide with GDPR.
The new Data Protection Bill, which will sit alongside GDPR, is working its way through the legislative process. The third day of the report stage in the House of Lords (continued line-by-line examination of the Bill) is scheduled to take place on 10 January 2018 and a number of amendments to the Bill have already been made, such as allowing public authorities to rely on legitimate interests as a legal basis for processing personal data when they are carrying out non-public tasks. The Information Commissioner has published two further briefings in relation to the Bill. In the latest briefing, she expresses her significant concern over a clause in the Bill which places a duty on the Commissioner to take the Secretary of State’s framework guidance on data processing by government departments and other public bodies into account when considering any question relevant to her functions. She says that whilst she “understands the relevance of considering any guidance about the legal basis of government functions the provision runs a real risk of creating the impression that the Commissioner will not enjoy the full independence of action and freedom from external influence when deciding how to exercise her full range of functions as required by Article 52 of the GDPR”.
Update on ICO fee changes
We reported in the October 2017 edition of the Regulatory round-up that the ICO had outlined the proposed fee and registration changes which will come into force next year. Under GDPR, there will no longer be a requirement to notify the ICO on an annual basis as under the current rules, but there will still be a legal requirement for data controllers to pay the ICO a ‘data protection fee’. The new system will start on 1 April 2018. The ICO has updated its original blog post to set out the fee ranges used by the Department for Digital, Culture, Media and Sport (DCMS) in its recent consultation about the future fees. A three tier system is proposed (see this link for details). The DCMS will now reflect on the consultation feedback before developing the fee regulations.
“Huge concerns” over Uber’s concealed data breach
The ICO’s Deputy Commissioner (Operations) said in his first statement on 22 November 2017 that “Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics… Deliberately concealing breaches from regulators and citizens could attract higher fines for companies”. The statement followed the announcement the day before by Uber’s CEO that, in late 2016, two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service, including the names and driver’s licence numbers of around 600,000 drivers in the United States, and personal information of 57 million users around the world. This included names, email addresses and mobile phone numbers. It has been widely reported that Uber paid the hackers $100,000 to delete the data and keep the breach quiet. It failed to report the incident to regulators or those affected by the breach.
The WP29 has established a taskforce on the Uber data breach case which will coordinate the national investigations on this issue.
The UK’s Digital Minister, responding to an urgent parliamentary question on the incident, referred to the package of tougher measures to address data breaches which will be introduced by GDPR and the Data Protection Bill. Under GDPR, a personal data breach affecting people’s rights and freedoms must be reported to the ICO without undue delay and, where feasible, not later than 72 hours after the controller becomes aware of it. The Information Commissioner will have the power to issue fines of up to €10 million or 2% of annual global turnover, whichever is greater. The maximum fine is currently £500,000.
We reported previously that independent consumer body Which? is calling for the Data Protection Bill to be amended so that independent organisations acting in the public interest can help groups of affected consumers to get collective redress. Following the news of the Uber data breach, Which? reported that it, together with Age UK, Privacy International and the Open Rights Group, had submitted a joint letter to the Digital Minister, calling on the government to make it easier to seek redress for data breaches. This is in the context of Article 80(2) of the GDPR, which allows bodies such as Which? to lodge complaints and exercise data subjects’ rights independently of the data subject, where they consider that a data subject’s rights under GDPR have been infringed. During the recent debates on the Bill in the House of Lords, the government rejected a proposed amendment to include this provision. This was referred to during the parliamentary exchange on the Uber incident. In response, the Digital Minister said that “the whole principle behind the Data Protection Bill is to increase the level of consent required and people’s control over their own data. The proposed amendment pushed in the opposite direction, which is why we rejected it yesterday, but we will have the debate in this House, too”.
WP29 publishes Privacy Shield report – will take action if concerns not addressed by 25 May 2018
The WP29 has now published its report on the functioning of the EU-US Privacy Shield after the first annual joint review of the transatlantic data transfer framework took place in Washington DC in September 2017. While the WP29 acknowledges the progress of the Privacy Shield, it has identified a number of “significant concerns” that it says need to be addressed by the European Commission and the US authorities. It is calling on them to restart discussions and says that an action plan must be set up immediately to demonstrate that all of the concerns will be addressed. The concerns are set out in the executive summary on pages 2 to 4 of the report (which can be accessed via the WP29 website under the “Plenary meetings” heading).
In particular: the appointment of an independent Ombudsperson should be prioritised; the rules of procedure governing access to relevant information by the Ombudsperson and governing the interactions of the Ombudsperson with other members of the intelligence community should be further explained and declassified (so that the WP29 can assess whether the Ombudsperson is vested with sufficient powers to access information and to remedy non-compliance); and members of the Privacy and Civil Liberties Oversight Board should be appointed. The WP29 says that if these concerns are not resolved by 25 May 2018 (when GDPR comes into force), its members will take appropriate action, including bringing the Privacy Shield adequacy decision to national courts for them to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling. It expects the remaining concerns to be addressed at the latest at the second joint review.
The European Commission published its own, separate, report in October 2017 (see the October 2017 edition of the Regulatory round-up for further details).
In a separate development, one of two legal challenges to the Privacy Shield has been ruled inadmissible by the EU General Court, one of the three courts of the CJEU. The Irish privacy campaign group Digital Rights Ireland was seeking to have the Privacy Shield annulled, but the Court found that the group did not have an interest under the law in bringing proceedings, nor did it have the standing to act in the name of its members and supporters or on behalf of the general public. It is not yet clear whether the second challenge, by a French advocacy group, will face a similar fate.
The WP29 is consulting until 17 January 2018 on proposed updates to its working document on transfers of personal data to third countries in the context of GDPR and recent European case law. The focus of the consultation is the central question of adequacy.
A single regulator in the future?
In a recent interview, the European Data Protection Supervisor talked about a long-term move towards a single European data protection regulator: “It doesn’t appear sustainable in the long-term that competent authorities in different areas continue to act as regulators by fragmenting their actions at EU and national level and within different sectors. The answer will be increasingly global”.
Update on challenge to model contract clauses
We reported previously that the Irish High Court is referring questions over the validity of the Commission’s adequacy decisions on model contract clauses to the CJEU, following the complaint by Austrian privacy campaigner Max Schrems to the Irish Data Protection Commissioner about Facebook Ireland’s transfer of his personal data to Facebook Inc. in the US. The exact questions to be referred to the CJEU are yet to be formulated. The first of a number of hearings on the wording of the referral took place at the beginning of December 2017. Further hearings will follow.
Max Schrems recently launched a non-governmental organisation (NOYB or “None of Your Business”) with the aim of ensuring “that the tech industry is following fully the existing privacy and data protection laws in the European Union, through strategic litigation in the public interest”.
Changes to Binding Corporate Rules applications
As the countdown to GDPR continues, the ICO has published a blog post setting out some key facts for companies planning to apply to the ICO for Binding Corporate Rules authorisation, and for those who have already received their authorisations. Binding Corporate Rules are a way in which companies can comply with the required data protection rules surrounding protection of personal data transferred outside the European Economic Area, within their group of entities or subsidiaries.
The WP29 is consulting until 17 January 2018 on proposed updates to its working documents on Binding Corporate Rules and Processor Binding Corporate Rules, to bring them in line with GDPR requirements.
Recent enforcement action
A firm behind over 156,000 spam texts was fined £45,000 by the ICO, bringing the total nuisance marketing fines issued to date during this financial year to £2 million. The director of a personal injury claims management company that made millions of automated marketing calls in breach of regulations and failed to pay a £250,000 ICO fine has been disqualified as a director for seven years. See the Insolvency Service press release. The ICO recently executed search warrants as part of an investigation into a network believed to be responsible for making hundreds of millions of automated nuisance calls.
An unlawful data supplier was fined £80,000 – the first fine to be issued following a wider investigation by the ICO into the data broking industry. The investigation includes looking at a wide range of organisations and the roles they play, including credit reference agencies.
A firm of loss adjusters, one of its directors and a senior employee, and rogue private investigators have been found guilty after personal data was unlawfully obtained and disclosed. The ICO is investigating alleged data protection offences involving corporate clients suspected of using the services of rogue private investigators.
The ICO has issued a warning to people who work with personal information after a charity employee was prosecuted for making his own copies of sensitive data. It has also published a blog post on the same topic, following eight convictions against NHS employees so far this year.
Morrisons found liable for ex-employee’s actions in data breach group action case
Supermarket chain Morrisons has been found liable for the actions of one of its ex-employees who, while employed as a senior internal auditor at the company, deliberately leaked payroll data of thousands of staff online following disciplinary action. Morrisons was not found directly liable, but there was a sufficient connection between the individual’s position of employment and his actions to establish secondary (vicarious) liability. This was despite the disclosure of the data being made outside working hours using the individual’s personal equipment. The judge was troubled that his decision might seem to make the court an accessory in furthering the ex-employee’s criminal aims, after it was submitted that the actions were deliberately aimed at Morrisons itself. The company was granted leave to appeal the decision, which has significant implications for employers. Walker Morris will continue to monitor and report on developments.
Google faces UK consumer legal action over mass data collection
Consumer campaign “Google You Owe Us” is launching legal action against tech giant Google on behalf of millions of UK consumers whose personal information Google is alleged to have unlawfully harvested by bypassing the default privacy settings on the Apple iPhone.
Government consulting on response to European data retention judgment
In a key judgment in December 2016, the CJEU ruled that national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication, is incompatible with the EU e-Privacy Directive when read in light of the EU Charter of Fundamental Rights. This was a referral by the English Court of Appeal following a 2015 High Court ruling that the Data Retention and Investigatory Powers Act 2014 (DRIPA) was inconsistent with EU law. The controversial Investigatory Powers Act 2016 (IPA) replaced DRIPA at the end of 2016, and goes even further. Like DRIPA, the IPA has been dubbed the ‘Snooper’s Charter’.
On 30 November 2017, the government launched a public consultation on its response to the CJEU’s judgment. It considers that some aspects of the current regime for the retention of and access to communications data do not satisfy the requirements of the CJEU’s judgment and it therefore proposes to amend the IPA. It says that “it is important that any changes support the important right to individual privacy and the collective right of citizens to be protected from crime and terrorism”. The government is consulting on a draft statutory code of practice on communications data at the same time. The CJEU’s ruling raised the possibility of an obstacle to the UK obtaining an adequacy decision to enable the continued free flow of personal data between the EU and UK in a post-Brexit world.
On 6 December 2017, the Home Affairs Committee issued a call for written evidence on Brexit and EU policing and security cooperation. This includes data protection issues (including implications of the government’s security aims for its future data protection regime) and the bulk retention of communications data (the compliance of the government’s latest proposals with the EU Charter of Fundamental Rights and what this means for the UK’s future surveillance powers).
Finally, a word on cyber security…
On 1 December 2017, the National Cyber Security Centre published guidance for organisations on managing the risks of cloud-enabled products.
Looking ahead to 2018
- 25 May 2018 is the key date!
- In other news, 9 May 2018 is the date by which the Security of Network and Information Systems Directive (or NIS Directive) must be transposed into UK law. The government consulted on its implementation plans earlier in the year and is currently considering the responses.

Health and Safety – November/December 2017
Sentencing update, interim report on building regulations and fire safety and looking ahead to 2018.
2017 draws to a close with no let-up in £1 million-plus fines
In a prosecution brought by the UK’s rail regulator, the Office of Rail and Road (ORR), London & Southeastern Railway Limited and cleaning company Wetton Cleaning Services Limited were fined a total of £3.6 million following the death of a train cleaner who fell on the live rail. ORR inspectors “found a culture of cutting corners, which exposed workers to serious risks”. See the ORR press release here.
A principal contractor was fined £3 million and ordered to pay full costs after a worker died while carrying out demolition activities at a recycling site in Wales. The Health and Safety Executive (HSE) principal inspector said that it was “clear there was a wholesale failure to manage health and safety” and that the company “put cost-cutting ahead of health and safety”. The site owner was fined £75,000 for failing to adequately supervise and monitor the demolition activities and was also fined £150,000 after a separate HSE investigation found that it had failed to report a number of incidents, including that two workers had been diagnosed with Hand Arm Vibration Syndrome. The company was ordered to pay full costs.
National kitchen manufacturer and supplier Howdens was fined £1.2 million after an agency driver was fatally crushed when a forklift truck overturned at the company’s Workington site. The HSE inspector said: “This tragic incident could have been avoided if Howden Joinery Ltd had implemented a safe procedure to ensure that pedestrians were kept at a safe distance during loading and unloading work. Duty holders should be aware that HSE will not hesitate to take appropriate enforcement action against those that fall below the required standards”.
Focus on the waste and recycling industry
A waste management company in the North East was fined £900,000 after a sub-contractor suffered an electric shock when he cut through a live cable while removing an item of industrial equipment. He had been told it was safe to start the work. An HSE investigation found that the company had failed to adequately plan and manage the work.
A Kent-based recycling company was fined £666,700 after a worker suffered life-threatening head injuries when he was struck by the boom of a telehandler. An HSE investigation found that the company failed to suitably plan the management and overseeing of workplace transport activities on site, and its employees had not received the appropriate level of training.
A clothing and textile recycling company was fined £650,000 after an 89-year-old worker was fatally struck by a reversing delivery vehicle driven by a driver visiting the site. An HSE investigation found that the company had failed to make a suitable and sufficient assessment of the risks arising from vehicle movement.
A company was fined £255,000 for corporate manslaughter and its director sentenced to 12 months’ imprisonment suspended for two years and 300 hours of community service after a factory worker was fatally crushed when he fell into a trommel – a piece of machinery used to sort waste material – at a recycling yard. An investigation found that there was no safe system of work for the trommel and it was in a dangerous state. The company director was disqualified for eight years.
The HSE has announced that it will be taking the lead on an investigation into the deaths of five workers who were killed when a wall collapsed on them at a metal recycling plant in Birmingham in July 2016.
Other sentencing news
Shrewsbury and Telford Hospital NHS Trust was fined £333,333 and ordered to repay £130,000 in costs after five elderly patients died as a result of falling while being cared for in hospitals run by the Trust. In his sentencing remarks, the judge noted that the Sentencing Guidelines provide that there should normally be a reduction in the level of fine to take account of the fact that a defendant is a public body. The level of reduction is at the discretion of the sentencing judge in the light of all the circumstances. The judge began by considering the level of fine which would have been appropriate if the Trust had been a private company. This was a medium culpability category 2 case (with a starting point of £600,000 and a range of £300,000 to £1,500,000). Taking into account all of the significant harm factors and aggravating and mitigating factors, he decided that the proper starting level of fine would have been £1 million. This figure was reduced by one third to £666,666 because of the Trust’s cooperation and early guilty plea. This figure was then reduced by 50% to reflect the Trust’s financial circumstances (a ‘large’ organisation under the Guidelines with a significant level of revenue but running at a deficit) and the fact that it was a public health care body.
Associated British Ports was fined £666,000 after an employee suffered multiple injuries when a 600 kilogram bag of fertiliser fell on him while he was removing pallets from the front of a stack. An HSE investigation found that the company had failed to follow its own risk assessments (bags were not stacked according to industry guidance) and failed to review its stacking practice after earlier incidents.
A healthcare provider was fined £550,000 after it failed to appoint sufficient professionals to run the internal occupational health service, compromising the health and safety of employees, patients and general members of the public, and failed to provide adequate health surveillance for its workers.
The HSE was issued with a Crown Censure (the maximum sanction a government body can receive) after one of its laboratory workers suffered serious burns when conducting an experiment.
Independent Review of Building Regulations and Fire Safety: interim report published
In July 2017, the government announced an independent review of building regulations and fire safety in the wake of the Grenfell Tower disaster. The terms of reference for the review were published on 30 August 2017. The interim report setting out the findings to date and the direction of travel for the final report was published on 18 December 2017. A summary can be found on pages 9 and 10. The review to date has found that “the current regulatory system for ensuring fire safety in high-rise and complex buildings is not fit for purpose”. The conclusion is that “this is a call to action for an entire industry and those parts of government that oversee it. True and lasting change will require a universal shift in culture. The industry has shown this is possible in the way the health and safety of construction workers has seen a positive transformation in culture and practice over the last decade. This change needs to start now”.
Looking ahead to 2018
- The final report of the Independent Review of Building Regulations and Fire Safety is expected in spring 2018. A summit with key stakeholders will be called in early 2018.
- We await the outcome of the Sentencing Council’s consultation on a draft sentencing guideline for gross negligence manslaughter (see the August 2017 edition of the Regulatory round-up).
- The government is due to respond to the report of the Working Group on Product Recalls and Safety (see the July 2017 edition of the Regulatory round-up).