
Whilst making the dinner last night, and thinking about how my day had gone and planning the next day, I listened to an interesting radio show about “time” and how we think about and react to it. It made me think about the fact that I often feel that I never have enough time in the day to do all the “stuff” I want to do; but then why do I restrict myself and measure myself in units of 24? If I happen to achieve goal number 5 on my “to do list” in the 48th hour, is this any less of an achievement than it might have been if I had achieved it in the 24th hour? But because of how I measure, I have created a sense of disappointment, detracting from the fact that I achieved a goal. Our use of time creates tension, so then I turned to “time-management” and what this actually means. We cannot manage “time”; one minute is always going to be one minute – it can’t be managed upwards or downwards! So what is it that we are measuring? We manage ourselves and measure ourselves against time. “Time” for some thought and perspective …
PS my thanks to a client who today reminded me that my blog was overdue some “time”.


How often do employers permit (or even encourage) their employees to use their own iPad/tablet, smartphone or personal laptop for purposes related to work (quite often in relation to remote working)? A report highlighted on the YouGov website http://yougov.co.uk/news/2013/02/21/security-challenges-byod/ notes that “65% of IT managers say their companies currently allow BYOD”.

Any active BYOD strategy in any organisation poses potential risks; without a BYOD policy for company employees (implemented, read and understood!) the risk is greater still.

The ICO has now published 14-page guidance which helps to explain how organisations can adopt the approach of bring your own device, or BYOD, in a safe manner whilst complying with the Data Protection Act 1998. It is of course important to remember that where organisations do adopt a BYOD approach to working, concerns should not stop at data protection, and any guidance given to employees on work-related data should be equally applicable to an organisation’s commercially sensitive information.

A copy of the ICO guidance can be found here http://www.ico.gov.uk/news/latest_news/2013/~/media/documents/library/Data_Protection/Practical_application/ico_bring_your_own_device_byod_guidance.ashx

Yesterday’s (9th October 2012) revision to existing SFO guidance in relation to self-reporting has removed any comfort for those commercial organisations who may have sought to “confess” their sins (relating to a suspicion or knowledge of bribery) thinking they stood a much better chance of the SFO not pursuing a prosecution. Although it was never entirely clear in what circumstances the SFO would be minded not to pursue a prosecution in a self-report situation, the new guidance puts it firmly beyond doubt that it cannot guarantee that there will be no prosecution following a self-report (albeit it still encourages self-reporting). The SFO in its statement yesterday has stated that all new guidance “supersedes any statement of policy or practice” previously issued “by or on behalf of the SFO”.

A report published by the anti-corruption watchdog ‘Transparency International’ reveals that while several companies perform well on transparency measures of anti-corruption reporting, there is still a great deal of scope for improvement.

The report “Transparency in Corporate Reporting” scored 105 of the top publicly-traded companies across the world based on their public commitment to transparency of anti-corruption measures.  Company scores were based on public availability of information about the anti-corruption programmes the companies have in place, their transparency in reporting on how they structure themselves, and the amount of financial information they provide for each country they operate in.

The findings of the 2012 report are an improvement on its predecessor in 2009. In particular, companies have improved in their reporting of anti-corruption programmes from an average of 47% to 68%. This could arguably be the result of companies re-evaluating their approach to anti-bribery compliance in response to the Bribery Act 2010 (the Act). The Act created a new corporate offence whereby a commercial organisation can be strictly liable for any failure to prevent persons associated with it from committing acts of bribery. Although the figures suggest that there has been progress, the fact remains that there is still a lot more that can be done to improve transparency and, as a consequence, decrease the risk of a company falling foul of the Act. Further action is particularly advisable for those who operate in high-risk industries, such as the healthcare, extraction and construction sectors.

Healthcare Sector

The report ranked companies with a number between 0 and 10 (where 0 is regarded as the least transparent and 10 the most transparent). The healthcare industry (which is considered to be a particularly high risk industry in terms of bribery and corruption) averaged an overall score of 5.04. This included an average score of 81% (where 100% means full transparency) for the industry’s performance in relation to its transparency on the anti-corruption programmes it has in place. Transparency within the organisation itself was also assessed. This was determined by assessing the amount of information which companies disclose to their related parties. In this regard the healthcare sector was awarded an average score of 70%. Overall the healthcare sector’s score of 5.04 placed them firmly in the middle position in terms of their transparency of anti-corruption measures amongst the nine sectors analysed.

In conclusion to their report, Transparency International made a number of recommendations of measures for improvement including open publication of the company’s anti-corruption programmes, publication of a list of their related entities, publication of financial accounts for each country the company operates within and the maintenance of a transparent and informative website.

Clearly the statistics show that healthcare companies are taking some measures towards transparency. However, a distinctly average score for the healthcare sector indicates that there remains a great deal of scope for improvement. The Bribery Act 2010 presents real risks for companies which may be exposed to bribery, the risk being particularly increased where they are operating in high-risk sectors such as healthcare. Consequences of non-compliance with the Act include unlimited fines and prosecution. Ensuring that “adequate procedures” are in place to prevent bribery within the organisation and the organisation’s related entities is the only defence available to a company. Transparency in the implementation of these procedures is key. Companies should evaluate the measures they have in place to ensure that they are meeting the requirements of the Act and that the measures taken to meet the requirements are being effectively communicated to those within the organisation, related entities and the public generally.

To read the report in more detail:-

http://goo.gl/w53ZJ

I had the privilege of attending the International Medical Device Compliance Conference in Stockholm last week and, despite the “dreich” Swedish weather (a real shame – it is a beautiful city when the sun is out), spirits were not dampened and much discussion flowed regarding the current compliance issues for those in the medical device sector. This was my first attendance at the #IMDC conference and hopefully I will have the opportunity to attend next year.

Top of the agenda were the UK Bribery Act and the US Foreign Corrupt Practices Act, followed by various ethical codes of practice (which in some cases impose stricter compliance requirements than the legislation) within this most energetic and growing sector (a point not at all lost on keynote speaker Assistant Secretary Michael Camunez of the US Department of Commerce, International Trade Administration, over a working lunch).

The conference kicked off with an interesting panel of speakers which included Vivian Robinson (former General Counsel to the UK’s Serious Fraud Office), skilfully moderated by Kathleen McDermott, Partner at Morgan, Lewis & Bockius LLP. The panel topic was ‘Global Anti-Corruption Trends: The Value of Ethics and Compliance’. Vivian Robinson commented that whilst issues around hospitality, gifts and small facilitation payments can engage the UK Act, he considered that perhaps these were what he termed “sideshows”, and he felt the focus of the Act would be directed at those major acts of bribery carried out by corporations and those corporations who had a flagrant disregard for adequate procedures (I should add, it was made clear at the outset that panellists were not providing legal advice).

The panellists moved swiftly on to discuss the FCPA and issues around self-reporting and the possibility of FCPA amendments vs guidance from the Department of Justice. A topic that developed in the panel, “heavy fines for corporations even though you did the right thing by self-reporting”, was one which was much debated in other panels and amongst attendees during breaks over the rest of the conference.

This is just a ‘snippet’ of the discussions; more will follow …..

Yes is the simple answer if you are an authority for the purposes of the Act. It is, however, to the definition of public records that we must turn to get the full impact and depth of which organisations will be affected by the Public Records (Scotland) Act 2011.

Are your records ‘public records’?

Following the Shaw Report in 2007, the Keeper of the Records of Scotland (“the Keeper”) was asked to review the public records legislation in Scotland. The Keeper’s review found that poor record keeping practices existed throughout the public sector and made several recommendations to the Scottish government. As a result, the Public Records (Scotland) Act 2011 (“the Act”) was created and is set to come into force in January 2013.

What does the Act do?

The Act is aimed at providing a better record-keeping framework and procedure for public authorities to use across Scotland.

The Act defines what a public record is, and introduces Record Management Plans (“RMPs”) which public authorities will be expected to produce, setting out the procedure for the review, storage and disposal of public records in their area.

How does this affect private and voluntary sector organisations?

Although the Act only directly applies to authorities named within the Act, the Scottish Government has clearly stated that private and voluntary organisations which provide public services on behalf of public authorities will be affected, and thus in reality the Act has a much wider reach. These organisations are brought into the Act’s scope through the broad definition given to “public record”, which includes records created or held by both authorities and their contractors whilst carrying out the authority’s functions.

The work carried out by private and voluntary sector organisations which is delivered through contracts with public authorities, in terms of the documents they create or hold relating to jobs undertaken for that listed authority, will be subject to that authority’s RMP.

What should organisations do?

A forum has been running with stakeholders, the Keeper and the National Records for Scotland (NRS), discussing the timetable for enforcement, the form of the RMPs and developing guidance. Whilst the NRS initially aimed to produce a draft model RMP and guidance for consultation at the end of 2011, this was delayed and was only published in February of this year (February 2012).

The Keeper’s model plan has 14 elements to it, including key factors such as Information Security; Data Protection and Shared Information; Retention Schedules and Audit Trails.

To view the Keeper’s model plan click here: http://www.nas.gov.uk/recordKeeping/PRSA/consultation.asp. Responses to the consultation are due by Friday 18th May 2012 and can be emailed to publicrecords@nas.gov.uk.

What is your organisation’s approach to security? Remote working and security risks go hand in hand, whether it involves manual data or electronic data – how does an organisation limit its exposure to the risk of lost data (both commercially sensitive and personal data)? If employees are permitted to work remotely, or out of necessity have to do so, just how should an organisation approach risk? It’s important to realise there are risks in the first instance. Actions such as putting a policy in place but then doing nothing further are not likely to assist to any great extent, nor impress the Information Commissioner’s Office when they investigate how a set of case files managed to be left on the bus or train. Actions do speak louder than words!

Perhaps investing a little time and effort in investigating just what is going out of the office door of an evening would throw up a few surprises. The “just in case” approach to document management creates a situation whereby people are apt to take from the office files, papers, USB sticks etc., all filled with information about business, customers, clients and so on – just in case it is required for that important client presentation or for that case management meeting the next day. If we were to ask how much of that information was actually required, probably less than half would be the answer. Putting to one side that there are in most cases genuine and good reasons for carrying some data (but often with inadequate protections in place to protect it) – why do we feel the necessity to take so much information with us? Comfort blanket? Inadequate forward planning? There are a variety of reasons. Each requires a different approach to how we manage it: not just a policy, nor the implementation of extra security measures (although these are clearly very good starting points!).