Reviews and Ratings for solicitor Elissa Thursfield, Llandudno

Friday 19 January 2018

Amazon Delivery Driver sacked for being robbed


A delivery driver who worked for an approved Amazon delivery provider, Fast Despatch Transport Ltd, has lost his job after being the victim of a robbery in which the robber drove off in his delivery van containing more than 60 Amazon parcels.

The number of parcels out for delivery after the Boxing Day sales may have been the assailant's premeditated target when he forced the delivery driver, Martyn Gilham, to the ground as he delivered parcels to the website's customers in Coventry, West Midlands, on 28 December.

But if going through the ordeal of a robbery wasn’t enough, following the incident Martyn received a text from his boss stating that they did not want to use his services anymore and, in essence, he was fired, there and then.

Initially his employer ludicrously stated that the cost of the damage to the van and the value of the parcels inside would be deducted from his wages! A spokesperson for Fast Despatch Transport Ltd has since come out and said that “the driver will not be charged the cost of the stolen parcels” – sanity restored.

However, as per company policy, and as is “clearly explained to drivers when they start work”, “when drivers leave Fast Despatch Transport they are paid all money owed to them after a short time period which allows us to calculate outstanding amounts due, such as repair of any damage to the vehicle”.

The employer may need a sharp reminder that the delivery driver was the victim of the robbery, not the perpetrator. Any damage caused to the vehicle was caused following and as a result of its illegal possession by the robber. Victim surcharge and costs in relation to the van are surely a matter for the criminal proceedings that will inevitably go ahead when/if the assailant is caught.

One would assume that it is not the responsibility of the driver, who lost possession of the van once the robbery took place, to subsidise the actions of another which were totally out of his control whilst he lay (potentially for dead) on the pavement.

I guess we’ll have to hold our breath and hope common sense takes over on this one…

Tuesday 16 January 2018

Businesses face bigger penalties on data leaks 

Businesses are on the final countdown to the introduction of the General Data Protection Regulation in May 2018, bringing with it tighter rules and greater penalties for data processing, and the outcome of a landmark High Court case has made the preparation even more pressing.

The case involved an online leak of payroll data by Andrew Skelton, a disgruntled ex-employee of supermarket chain Morrisons. Skelton received an eight-year conviction for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA). However, over 5,000 current and ex-employees later joined together to bring a claim against the company itself, with the court finding Morrisons liable for the actions of its former member of staff.

The data included salary and bank details of some 100,000 staff and the ruling, which is the first data leak class action in the UK, allows those affected to claim compensation for the "upset and distress" caused.

Although Morrisons has said it will appeal, experts are predicting that the judgement of vicarious liability will make General Data Protection Regulation (GDPR) compliance even more pressing for both employers and suppliers of contract labour where data processing is involved.  

 “This judgement is of huge importance, because Morrisons was held liable for the criminal misuse of third party data by an employee.  The impact extends beyond the claims for compensation from employees, it’s also the impact on reputation and the financial and physical resources involved in dealing with the data breach.  Reportedly, Morrisons spent more than £2m in responding to the misuse,” explained Elissa Thursfield of Gamlins Law (Rhyl).  “Data breach is a growing worry for a business, whether relating to employees or customers, and it is set to be even higher on the agenda in the new environment of GDPR post-May 2018.” 

Bringing in a tough new era in EU-wide data protection law, the GDPR will replace the UK’s 1998 Data Protection Act, with new powers for data regulators and much stricter operating boundaries for businesses that process personally identifiable information about individuals.

The aim is to harmonise data protection across all EU member states by making it simpler for everyone, including non-European companies, to comply, but it brings greater responsibilities for data processors and big penalties of up to 4% of worldwide turnover for non-compliance.

The biggest change is that the Directive applies to any business processing personally identifiable information about EU citizens.  This means that any UK business that is trading with EU citizens before or after Brexit will be affected, as will anyone who transfers personal data from the EU to the UK for processing or storage. 

“The Government has said that GDPR compliance will be the minimum standard in UK law post-Brexit, to enable UK companies to do business across Europe,” added Elissa.  “And anyone who hasn’t already started on the journey towards GDPR needs to do so as a matter of urgency, as every business and organisation is affected, however small, and must be able to demonstrate they are complying, not just dealing with problems after they occur.  While it’s likely that most will need some specialist expertise on the legal technicalities  and IT processes, as a starting point there is some excellent preparatory guidance on the Information Commissioner’s website.” 

GDPR provides stronger protection for individuals in terms of consent.  In place of the previous ‘opt out’ approach, organisations will have to secure positive consent from individuals for their data to be collected.   The consent can be withdrawn at any time, as individuals have ‘the right to be forgotten’ and can also transfer their data elsewhere if they choose.  Where data is to be processed for a purpose beyond that for which it was originally collected, there will need to be fresh consent.  There are strict rules around data relating to children under 16 and requirements for parental consent.  

The organisation will also have to provide more information about how data will be used and how long it will be kept for, as data must not be held for any longer than necessary.  If data will be stored outside the EEA, details must be provided, including what safeguards will be in place. 

There is a distinction between controllers and processors of data. The controller determines the process and means of processing personal data, whereas a processor acts on behalf of the controller. However, each has obligations in the event of a breach or lack of compliance. For an organisation that subcontracts its processing, there is a high duty of care imposed in selecting its data processing provider, with procurement processes to be followed and regular ongoing reviews once appointed.

Under GDPR there will be a statutory obligation to notify the regulator – the ICO in the UK – of any breach, if an individual’s personally identifiable information is at risk as a result. Fines can range up to a maximum of €20m, or 4% of total worldwide turnover for businesses, for serious contraventions.

Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB)

Web site content note: 

This is not legal advice; it is intended to provide information of general interest about current legal issues.

Monday 8 January 2018

Is this the end of forgetting your fob for work?


A Wisconsin-based tech company, Three Square Market (TSM), has recently become one of the first in the world to microchip its staff. The idea behind the scheme is to remove the need for company security and identity cards. But is this a cost-saving exercise that has gone too far?

All of the staff who have had the microchip inserted between their thumb and forefinger have agreed to such a level of intrusiveness, with 50 out of 80 members of staff who work for TSM saying yes. The microchips allow employees to check into work, log onto computers, open secure doors and buy company food and drink.

The only saving grace is that the chips do not have GPS capabilities and therefore the company cannot monitor the locations of its employees. But surely this is a legal minefield, and for what, convenience purposes? What happens if the employee withdraws consent? If the employee leaves the company? If the chip is implanted negligently? If it causes infection? Alternatively, this could be the kind of treatment millennials can expect in the 21st century workplace. What is wrong with the normal facial/eye/fingerprint recognition systems some companies have (only just) become used to?

However, there is always fear when new technology comes to fruition and microchipping is no different. But rather than scaremongering, do we have a responsibility, as an employer, to be as efficient as possible? We should balance these technological openings while mitigating their risks. If regulators make sure the software the chips are loaded up with has strong privacy protections that can be controlled by the employees, who would be able to log into their microchip and control whether the data it holds is public or private, then this could even be a new monitored and regulated industry, creating new jobs in this field. Nowadays everybody carries a phone around in their pocket 24/7 which tracks more data than we are aware of, so is this just employers jumping on the bandwagon?

Although I can’t see it taking off, it is definitely something to look out for employers on our side of the pond considering in the near future.