We have prepared a briefing summarising some significant changes introduced under the following legislation:
The Tenant Fees Act 2019, which applies to student tenancies and potentially also to student licences. The Act prohibits landlords from requesting payments from tenants except for those expressly permitted under the Act. Breaches can lead to fines and criminal offences. The Act applies to new lettings from 1 June 2019 and to existing lettings from 1 June 2020.
The Homes (Fitness for Habitation) Act 2018, which applies to new leases of less than 7 years from 20 March 2019. Licences to occupy are outside the scope of this Act. Amongst other matters, the Act introduces an implied covenant by the landlord that the dwelling is fit for human habitation at the time of the grant of the lease (or at the beginning of the term) and will remain fit during the term. Tenants may bring court action for a breach of the covenant, which may result in the landlord being ordered to pay compensation or carry out the works necessary to improve the property. Landlords are not required to remedy unfitness in specified circumstances, including where the problem is caused by the tenant’s behaviour or their possessions.
The Deregulation Act 2015, which applies to Assured Shorthold Tenancies (ASTs) created on or after 1 October 2015, and in part to ASTs created before that date. Amongst other requirements, the Act requires landlords to supply copies of the energy performance certificate, a recent gas safety report and the DCLG “How to rent” checklist, as well as requiring deposits to be paid into a tenancy deposit scheme.
You can find the full briefing with further information on the changes implemented by the legislation here.
Last month the Government published a significant and ambitious White Paper to set out a proposed new regulatory framework for what are described as ‘on-line harms’. A long list is included of such harms which are considered to have a clear definition:
child sexual exploitation and abuse
terrorist content and activity
organised immigration crime
harassment and cyberstalking
encouraging or assisting suicide
incitement of violence
sale of illegal goods / services, such as drugs and weapons (on the open internet)
content illegally uploaded from prisons
sexting of indecent images by under 18s (creating, possessing, copying or distributing indecent or sexual images of children and young people under the age of 18).
There are a number of other harms identified which have a less clear definition:
cyberbullying and trolling
extremist content and activity
advocacy of self-harm
promotion of Female Genital Mutilation (FGM)
The White Paper also notes the harm caused to those who are underage of access to pornography and other inappropriate material. In this area, the Information Commissioner has now published a draft Code of Practice for consultation on “Age appropriate design” for online services.
The Government’s vision in the White Paper is for “the UK to be the safest place in the world to go online, and the best place to start and grow a digital business.” The core problem addressed by the White Paper is “the prevalence of illegal and harmful content online and the level of public concern about online harms”. The White Paper comes hot on the heels of the terrorist attack on a mosque in New Zealand on 15 March 2019 where footage of the attack was widely circulated on social media.
At the heart of the White Paper is a proposal for a new regulatory framework which would include the following key features:
a new statutory duty of care to make organisations “take more responsibility for the safety of their users and to tackle harm caused by content or activity on their services”;
compliance with the new duty of care to be overseen and enforced by an independent regulator;
Codes of Practice to be developed relating to specific harms;
a new culture of transparency, trust and accountability whereby the regulator is to have power to require annual ‘transparency reports’ outlining the measures taken by those covered by the regulatory framework to tackle the various harms;
a significant range of penalties and enforcement powers available to the new regulator;
encouragement to using technology as part of the solution.
Although the White Paper talks about ‘companies’ being within the scope of the new statutory duty of care and the new regulatory framework, the proposal appears to be very broad and, on the face of it, includes organisations “that allow users to share or discover user-generated content or interact with each other online.”
The White Paper rightly notes that:
“These services are offered by a very wide range of companies of all sizes, including social media platforms, file hosting sites, public discussion forums, messaging services and search engines.”
It goes on to state in the section on “Companies in scope of the regulatory framework”:
“The scope will include companies from a range of sectors, including social media companies, public discussion forums, retailers that allow users to review products online, along with non-profit organisations, file-sharing sites and cloud hosting providers.”
The focus appears to be on the services provided, rather than on the business model or sector. Charities are expressly stated to be included in the scope of the proposed new regulatory framework.
The White Paper explicitly recognises the importance of protecting freedom of speech in the online space and also proposes that there should be a legal obligation on the regulator to have due regard to innovation. The regulator will be required to take a proportionate, evidence-based and risk-based approach according to the severity of the harm in question.
The consultation is open until 1 July 2019 and is promoted by both the Department of Culture Media and Sport and the Home Office.
Fresh on the heels of the publication by the Government earlier in April of its “Online Harms White Paper” proposing a new regulatory framework for the digital economy to improve safety online, the Information Commissioner’s Office (“ICO”) has published a draft code of practice relating to online services likely to be accessed by children, tying in with two of the ICO’s own published key strategic objectives: “to be proactive in identifying and mitigating new or emerging risks arising from technological and societal change” and the use of children’s data.
The draft code provides practical guidance on “…how to design data protection safeguards into online services to ensure they are appropriate for use by, and meet the development needs of, children”, focussing on the following 16 standards of age-appropriate design for information society services likely to be accessed by children:
The best interests of the child should be a primary consideration when you develop and design online services likely to be accessed by a child.
Age-appropriate application: consider the age ranges of your audience and the needs of children of different ages.
Transparency: privacy information must be clear and suited to the age of the child.
Detrimental use of data: do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing / go against industry codes of practice etc.
Uphold your own published terms, policies and community standards.
Settings must be “high privacy “ by default.
Data minimisation: collect and retain the minimum amount of personal data necessary to deliver the elements of your service in which a child is actively and knowingly engaged.
Data sharing: do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking into account the best interests of the child.
Switch geolocations off by default.
If you provide parental controls, give the child age appropriate information about this.
Switch options which use profiling off by default
Do not use “nudge techniques” (ie design features which lead or encourage users to follow a particular path, eg more prominent “accept” than “decline” buttons) ) to lead or encourage children to provide unnecessary personal data, turn off privacy protections of extend their use.
If you provide connected toys (ie toys / devices that are connected to the internet), ensure you include effective tools to enable compliance with the Code.
Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
Undertake a data protection impact assessment (“DPIA”) to assess and mitigate risks to children likely to access your service.
Governance and accountability: ensure you have policies and procedures in place to demonstrate how you comply with data protection obligations.
“Information society service” is defined in the Data Protection Act 2018 as being “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. In practice, most online services (eg apps, programs, many websites) will be ISS as remuneration needs not to come directly from the end user (so free services which involve advertising will still be ISS, as long as the services involve “economic activity” generally).
Importantly, the draft code works on the assumption that if you believe only adults are likely to use your service (ie the code does not apply) you still need to be able to demonstrate that is the case (eg market research etc). The scope of the code is therefore much wider than services marketed specifically for children specifically.
The consultation on the draft code, which as and when finalised, will have statutory legal status (ie failure to comply may result in regulatory action and the code can be used in evidence in court proceedings) remains open until 31 May 2019, with the finalised code expected to come into effect before the end of the year after being laid before Parliament.
Earlier this month on 8 March 2019, the Court of Appeal gave its judgment in the case of R (on the application of Salman Butt) -v- Secretary of State for the Home Department  EWCA Civ 256. The claimant, Dr Butt, had brought a claim for judicial review against the Home Office challenging (1) the lawfulness of the Higher Education Prevent Duty Guidance and also (2) the collection, recording and sharing of information relating to him by the Government's Extremism Analysis Unit.
The Court of Appeal dismissed Dr Butt's challenge under Article 8 of the European Convention of Human Rights (the right to a private and family life) in respect of the information gathering and sharing activities of the Government's Extremism Analysis Unit. However the Court of Appeal did determine that the Secretary of State did not promulgate sufficiently balanced and accurate guidance to higher education institutions on the statutory Prevent Duty setting out their competing obligations to assist institutions to reach proper conclusions. The Court of Appeal noted as follows:
"The [Higher Education Prevent Duty Guidance] in general, and paragraph 11 in particular, is expressed in trenchant terms. The HEPDG is not only intended to frame the decision of [Relevant Higher Education Bodies] on the topic in question, it is likely to do so....Even the well-educated reader called on to take a decision on behalf of a university is likely to assume that this particular focused guidance already represents a balance of the relevant statutory duties affecting the RHEB decision-maker."
The Court of Appeal declined to attempt a redraft of paragraph 11 of the HEPDG 'since that is a matter for the government'. We await a revised version of the HEPDG.
However, it is appropriate to note that the statutory obligations on relevant higher education bodies continue, notwithstanding the decision of the Court of Appeal relating to the guidance issued by the Home Office. The statutory duty in section 26 of the Counter-Terrorism and Security Act 2015 is for the specified authority "to have due regard to the need to prevent people from being drawn into terrorism." Section 31 CTSA provides that relevant higher education bodies must have "particular regard to the duty to secure freedom of speech" when complying with the statutory Prevent Duty.
"Terrorism" is defined in the Terrorism Act 2000 (as amended) and that legislation sets out a number of specific terrorist offences in addition to other offences prohibited by the criminal law. See our recent blog on the Counter-Terrorism and Border Security Act 2019 which aims to update the existing terrorism offences for the digital age and to strengthen the enforcement authorities' ability to intervene to stop terrorist activities.
Supplies of education to students in the UK are exempt from VAT if they are made by certain bodies, including by a “college of a university”. This phrase has no statutory definition and there had been a body of case law laying down a number of different tests over the years. However, the Court of Appeal decision in this case appeared to restrict the meaning of this phrase to bodies which formed a constituent part of a university in a constitutional or structural sense. This effectively excluded third party commercial providers such as SAE, who enter into collaboration or similar agreements with universities in order to extend the range of degree courses on offer, from the VAT exemption.
The Supreme Court based its ruling on a review of the relevant provisions of the European Directive, from which the UK VAT legislation derives. These make clear that member states must exempt transactions:
involving the provision of university education by bodies governed by public law having such education as their aim; and
by other organisations recognised as having similar objects to those governed by public law and which also have education as their aim.
The Supreme Court noted that the general objective of the exemptions is to ensure that access to higher educational services is not hindered by the increased costs that would result if those services were subject to VAT.
The Court ruled that in assessing whether a body is a college of a university, five questions are likely to be highly relevant:
(i) whether the body and the university have a common understanding that the body is a college of the university;
(ii) whether the body can enrol or matriculate students as students of the university;
(iii) whether those students are generally treated as students of the university during the course of their period of study;
(iv) whether the body provides courses of study which are approved by the university; and
(v) whether the body can in due course present its students for examination for a degree from the university.
It ruled that if a body can establish the presence of each of these five features, then it is highly likely to be a “college of the university” within the meaning of the relevant VAT legislation. The Court went on to say that there may also be other cases where the degree of integration of the activities of the body and the university is such that it may properly be described as a college of the university and that all will depend on the particular circumstances of the case.
This decision provides some welcome clarity for universities and other providers of education who work with universities to provide additional courses. Collaborations or partnerships between them had been at risk of increased VAT costs, making such arrangements much less attractive. VAT exemption should now be available for education provided through these arrangements if the five features set out by the Supreme Court are present.
This is welcome news for the sector which will also be boosted by a change to the VAT rules from 1 August. The effect of such change is that if a body has Approved (fee cap) status on the register maintained by the OfS it will be able to make VAT exempt supplies of education from that date, whether or not it is a UK University, a college of a university, and even if it is a profit making body.
At a Westminster Higher Education Forum in February this year, the Head of Student Migration Policy confirmed that the Home Office has no intention of placing any cap on international student numbers, and that international students are welcome in the UK. However, it remains government policy that student immigration numbers are included in the net migration figure, which it has committed to reduce. The latter position can give rise to the perception that the UK government wishes to reduce international student numbers, and this perception does not make the job of UK higher education institutions easy when persuading international students to study in the UK. Add in the uncertainty of Brexit, and the complexities of the Tier 4 visa system, and it is no wonder that many international students who might otherwise have applied to UK universities are attracted instead by the increasing number of mainland European universities delivering their courses in English.
There is also ongoing concern across the higher education sector about the lack of post-study work visas. The immigration White Paper proposes a six month post-study leave period for bachelors and masters graduates, with 12 months for PhDs, but this is for most effectively only a 2 month extension to the current 4 month ‘wrap up period’. With Canada and Australia, amongst others, offering post-study work visas of up to 3 and 4 years respectively, the UK may struggle to compete. In the White Paper, the Home Office proposes offering ‘lower skilled’ migrants from ‘low risk countries’ 12 months temporary unrestricted leave, but there is some uncertainty around the operation of this, for example how easy it will be to switch in-country to that route. Although the White Paper is generally seen as a step in the right direction, for all of the above reasons higher education institutions are encouraged to provide the Home Office with their views on the White Paper, which the Home Office has promised is a starting point for discussions.
Time and tide wait for no-one with an interest in information law; as the legislative reform of data protection now beds down, a reminder that the Information Commissioner's Office’s consultation “Openness by design”, which sets out the ICO’s strategic priorities for the next three years in relation to its duties under what could be regarded as the GDPR/ Data Protection Act’s siblings - Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Re-use of Public Sector Information Regulations 2015 - closes this Friday (8 March 2019).
The draft strategy confirms the ICO’s ambition “…to be more proactive and increase the impact of our regulation of access to information rights law” and to “…allow people to have more trust and confidence on the openness and accountability of public authorities and have more opportunities to participate in civic life” by focussing on the following five priorities:
“Work in partnership to improve standards of openness, transparency and participation among public authorities in a digital age.
Provide excellent customer service to members of the public and public authorities and lead by example in fulfilling our statutory functions.
Raise awareness of access to information rights and make it even easier for the public to exercise their rights.
Promote the reform of access to information legislation so it remains fit for purpose.
Develop and sustain our international collaboration.”
A fuller range of proposed actions are set out under each of the five priorities, including steps such as (1) continuing to build and promote the case for change to the scope of FOIA and EIR, building on the report submitted to Parliament in January 2019 recommending urgent change in relation to outsourced public services and other categories of public service provision not currently within the scope of the current legislation; and (2) undertaking targeted information rights campaigns to raise public awareness of their rights under the FOIA/EIR
Responses are invited on the range of objectives set out in the document; a survey link is included at page 14 of the consultation document.
The Charity Commission’s work to protect charities and deal with any wrongdoing or abuse was highlighted in a report it published last month. The report highlights that safeguarding continues to be a key issue. We consider how charity trustees can try to meet their safeguarding duties.
A safeguarding incident involves harm to people, assets and/or reputation. Safeguarding risks are primarily associated with children and vulnerable adults. However, every charity owes safeguarding duties to all those with whom the charity interacts. This includes beneficiaries, volunteers and employees.
A failure to meet safeguarding expectations can cause significant harm to individuals and to a charity itself. Types of harm to a charity may include loss of supporters, a reduction in funds and reputational damage.
To meet their safeguarding duties, charity trustees must ensure that:
New trustees are allowed to act as charity trustees;
Trustee induction and training programmes cover how to protect the charity, its people, assets and reputation;
They are aware of their duties, challenge assumptions and manage resources and risk appropriately;
The charity has, and follows, appropriate safeguarding, bullying and harassment and whistleblowing policies;
Disclosure & Barring Service (DBS) checks are carried out on staff and volunteers if appropriate during the recruitment process;
Where necessary, designated staff report concerns about staff and volunteers to the DBS in line with the Safeguarding Vulnerable Groups Act 2006;
All staff and volunteers receive training on how to recognise and respond to safeguarding incidents and concerns; and
They understand what a ‘serious incident’ is and report any serious incidents to the appropriate regulator. For many higher education institutions, the Office for Students is the relevant regulator.
The above steps provide only a flavour of how trustees can meet their safeguarding responsibilities. Factors such as the size and nature of the charity in question will influence what other steps trustees should take.
Trustees must take immediate action if they discover an incident has occurred. The Charity Commission, which regulates numerous charities, recommends that trustees take steps to:
prevent or minimise further harm, loss or damage;
report the incident to the appropriate regulator as a serious incident if appropriate;
report to the police if the trustees consider a crime has been or may have been committed;
plan what to say to staff, volunteers, members, the public, the media and other stakeholders such as funders; and
review what happened and prevent it from happening again.
Trustees may need advice on how to handle a specific incident and/or on whether an incident is reportable. They may also benefit from guidance on their communications with their regulator.
Trustees may delegate aspects of their safeguarding responsibilities to staff to carry out on a day to day basis. However, safeguarding remains the responsibility of the charity’s trustees. Trustees should therefore remain vigilant in order to protect the charity and those who come into contact with it.
The Counter-Terrorism and Border Security Act 2019 came into force on 12 February 2019.
The aim of the 2019 Act is to update existing terrorism offences for the digital age and to strengthen the enforcement authorities' ability to intervene to stop terrorist activities.
The Terrorism Act 2000 already prohibits the collection of information likely to be useful to a terrorist. The 2019 Act extends this criminal offence to cover the viewing or streaming of such material online. There is an existing defence which applies where the individual has a reasonable excuse. This is clarified by the 2019 Act to include a situation where the individual did not know and had no reason to believe that the document or record contained, or was likely to contain, information of a kind likely to be useful to a person committing or preparing to commit an act of terrorism. The 2019 Act includes further specific situations where the defence may be relevant, namely where the individual's actions were for carrying out work as a journalist or for academic research.
The existing offence of inviting support for a proscribed organisation is extended to apply to situations where a view is expressed by someone, reckless as to whether this will encourage others to support the proscribed organisation.
It is also now an offence to publish an image online which displays a flag, emblem or other symbol of a proscribed organisation. An equivalent offence already exists for such publications off-line.
The Home Office fact sheets explaining the new legislation confirm that 74 organisations have been proscribed under the Terrorism Act 2000 and that to the year to 30 September 2018, 85 individuals were charged with terrorism-related offences.
The 2019 Act enables local authorities, as well as the police, to make referrals of individuals considered to be at risk of being drawn into terrorism to a Channel panel to discuss ways of accessing support.
A duty is placed on the Secretary of State by the new legislation to establish an independent review of the Government's strategy in this area which is aimed at preventing vulnerable individuals from becoming terrorists, or supporting terrorism.
Further reference should also be made to the Government's fact-sheets and the detailed provisions of the legislation.