The Prohibition on a Company Financing the Purchase of its own Shares

The prohibition on a company offering financial assistance for the acquisition of its own shares represents one of the easiest ways in which a company can inadvertently breach the rules and regulations provided for in the Companies Act 2014. Careful consideration of this rule is required as a company acting in breach of the rule exposes itself to a range of both criminal and civil consequences.

The Rule

The rule is provided for in section 82 of the Companies Act 2014 and prohibits a company from directly or indirectly giving any financial assistance for the purpose of acquiring any shares in the company. Where a company is a subsidiary company this rule applies equally to parent companies. In practice this rule operates so as to cover almost any form of loan, guarantee or the provision of security.

An example of this rule in operation can be seen in the prosecution of two former Directors of Anglo Irish Bank where the directors approached ten of the bank’s top customers and offered them loans to purchase shares in the bank so as to stabilise the bank’s share price.

The Summary Approval Procedure

A transaction which would otherwise fall foul of the rule can be validated by the Summary Approval Procedure (SAP) which replaces the older validation process sometimes referred to as a ‘whitewash’. The SAP process requires a meeting of the board of directors, resulting in the directors making a declaration as to the nature, circumstances and purpose of the transaction as well as the solvency of the company. This declaration is then attached to a notice for a shareholder meeting at which the transaction is approved of by the passing of a special resolution (75% or more in favor) of the members which is then delivered to the Registrar of Companies.

Distributable Profits

In addition to the SAP the Companies Act provides for a number of exceptions to the rule. Section 105 allows a company to acquire its own shares by purchasing them out of the distributable profits of the company. This action must be authorised by either the constitution of the company, the rights attaching to the shares in question or by a special resolution of the company. Once the company has acquired its own shares it may cancel them or hold them as treasury shares. An important distinction must be drawn between a company acquiring its own shares, which is an important aspect of capital maintenance and is regulated by the Companies Act, and a company offering financial assistance to another for the acquisition of its own shares as prohibited by the rule in section 82.

Other Exceptions

The Act provides for certain exceptions in the cases of:

  • Discharging lawfully incurred debts or refinancing.
  • Lending money as part of the ordinary business of the company (not applicable in the prosecution of the Anglo Irish Bank Directors as the primary purpose of the transaction was to stabilise the share price).
  • Representations, warranties or indemnities.
  • The payment of fees, commissions or expenses.
  • Where the primary purpose of the transaction is not the purchase of shares, for example where it is incidental to some larger purpose of the company and is done in good faith.

Criminal and Civil Consequences

Where a company contravenes this rule the company and every officer of the company who acted in contravention will be guilty of a category 2 offence which can result in up to five years’ imprisonment. For example, the Directors of Anglo Irish Bank were sentenced to 240 hours of community service. This light sentence was justified on the basis that the financial regulator had essentially given the “green light” to the transaction.

A Director who makes a declaration as to the solvency of the company for the purposes of engaging in the SAP process without having reasonable grounds for the making of the declaration exposes himself to personal liability for any and all of the debts of the company under section 210 (1) of the Act in addition to the usual rules for reckless trading.

Where a transaction is entered into by a person who has notice of the fact that they have received the financial assistance for the purpose of acquiring shares in the company the company can seek to void the transaction. This may be of particular relevance if a company goes into liquidation, as the liquidator (on behalf of the company) could seek to set aside the transaction so as to maximise the assets of the company.

For further information concerning Company Financing please contact:

John C. O’Connor
Partner
O’Connor Solicitors
8 Clare Street
Dublin 2
Tel: 6764488
E: john.oconnor@oclegal.ie

 

 

Guide to GDPR

Guide to the GDPR – Outline of Stringent New Data Protection Obligations

The EU General Data Protection Regulation (GDPR) comes into force across the EU on 25th May 2018. The Regulation dramatically increases the obligations and responsibilities of businesses and organisations which control or process data. As these new obligations and responsibilities are paired with severe new sanctions, businesses should take the time to ensure their compliance in advance of the Regulation coming into force.

Who is Affected

The Regulation is binding on businesses and organisations that are involved in controlling or processing the personal data of individuals in the EU regardless of the location of the company or the location of the data processing. Although the situation is somewhat complicated by Brexit, the UK government has indicated that it will implement equivalent or alternative regulations that will largely follow the GDPR.

Personal data is defined so broadly as to cover any information that can be used to directly or indirectly identify a person. This can be anything from genetic or economic data to social media posts, computer IP address or cookie identifiers. The definition even includes data that is protected by a pseudonym, where identifying data is held separately, for example, in a hospital where samples are labelled with numbers rather than patient names before being sent for testing. Notable exceptions apply to national security activities and law enforcement.

The Regulation is applicable to data controllers and data processors. A data controller is any person or body which collects data and determines how that data is to be processed, for example an employer, a bank or a medical practice. Data processors are persons or bodies which process the data on behalf of the controller, for example a payroll company, accountant or “cloud” provider. A business or company may be both a data controller (in relation to its own employees’ personal data) and a data processor.

Personal data held in both electronic format and in hard copy is covered by the Regulation.

 

Increased Administrative Responsibilities

The GDPR builds on obligations under existing data protection legislation and will increase the administrative responsibilities owed by data controllers and processors. Given the scope and size of the Regulation it is not possible to give an exhaustive list, but below are some of the most important requirements:

  • Data controllers are obliged to implement “appropriate technical and organisational measures” to both ensure and demonstrate that processing is performed in accordance with the Regulation.
  • Records of processing activities, demonstrating how the data protection principles have been complied with (for example by demonstrating consent as the basis of legal consent), will need to be kept. This is one of a significant number of new requirements to keep detailed records. Records will also need to be kept of all technical and organisational measures taken to show what has been done by controllers to safeguard the privacy of data subjects at all stages.
  • Additional resources will also be required to facilitate the new and expanded rights granted to individuals such as the right to be forgotten, the right to have incorrect data rectified and the right to more extensive information about how an individual’s own personal data is processed.
  • Where there has been a personal data breach there is a requirement to report it to the Data Protection Commissioner (“DPC”) not later than 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Ideally, data controllers and processors should have policies in place for dealing with breaches to ensure that they can take efficient and appropriate action where necessary. A lack of such a policy would in all likelihood be viewed unfavourably by the Office of the Data Protection Commissioner in the event that Office was called upon to investigate a breach or in the course of an audit of data protection compliance within the controller/processor organisation at large.
  • A Privacy Impact Assessment is required where a business carries out data processing, in particular using new technologies, which is likely to result in a high risk to the data subject’s rights. Examples of those covered by this requirement could include online marketing companies or insurance companies who use automated processing or profiling, or any business extensively using CCTV, such as retailers or licensed premises.

 

Consent and Terms and Conditions

A business or organisation must have a legal basis for controlling or processing personal data. The Regulation makes important changes in the way in which this legal basis is obtained/determined. Companies that justify data processing by virtue of an individual’s consent will face more demanding requirements. Consent must be “freely given, specific, informed and unambiguous” and must be expressed “by a statement or by a clear affirmative action”. This means that consent cannot be given by pre-ticked boxes, silence or inactivity, nor can it be inferred from certain actions such as visiting a website. It must also be as easy to withdraw consent as it is to give it.

When processing data (by consent or for any other legitimate reason) an individual must be provided with certain information such as:

  • how long the data will be kept;
  • who will be receiving the data;
  • the purpose of the data processing;
  • the right to withdraw consent; and
  • the right to lodge a complaint with the Data Protection Commissioner.

Importantly, this must be provided in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”. This aims to bring an end to long incomprehensible terms and conditions full of legalese.

Businesses that process or control data with the consent of the data subject should review the way in which this consent is obtained and also review the standard and form of the information they provide to data subjects.

New Obligations for Data Processors

Under the current system, data processors’ obligations are based on their contract with the data controller and the controller is the party responsible for any data breaches. For example, if a bank stores customers’ data with a cloud service provider and there is a data breach for which the cloud service provider is responsible, it is the bank that bears legal responsibility. Under the new Regulation controllers and processors are jointly and severally liable for data breaches.

The GDPR places increased responsibilities on data processors by imposing direct obligations such as prohibiting sub-contracting without the consent of the controller, prohibiting the processing of data other than in accordance with the instructions of the controller and requiring that processors assist the controller in ensuring compliance with the Regulation. Additionally, the new Regulation introduces mandatory terms that must be included in the contract between the data controller and data processor such as an obligation on the processor to delete or return data at the request of the controller once the service is complete.

In addition to agreeing all future contracts in accordance with the Regulation, businesses and organisations should assess existing agreements, and if necessary revise them, to ensure compliance.

Data Protection Officer

One of the more onerous and expensive requirements of the new Regulation is the requirement to appoint a Data Protection Officer (“DPO”). The appointment of a DPO is mandatory for (a) public authorities, (b) companies and organisations in the private sector that engage in large scale regular and systematic monitoring of data subjects, or (c) organisations that engage in large scale regular processing of sensitive personal data. If a company is unsure whether it falls into any of the above categories it can consult the “Guidelines on Data Protection Officers” produced by the European Commission which provide a more detailed analysis of the requirement to appoint a DPO.

A DPO can be hired as a staff member or can be an external service provider and a single DPO can be appointed for several organisations. The Regulation requires that a DPO must have expert knowledge of data protection law. They must also have a good understanding of IT processes and cyber security. The Office of the Data Protection Commissioner (“DPC”) has also published “Guidelines on appropriate qualifications for a DPO”.

It is also important to note that although a DPO may be an employee they are required to operate with a certain degree of independence and autonomy in ensuring compliance with the Regulation. The Regulation specifically prevents a DPO from undertaking tasks which constitute a conflict of interest.

Enforcement

As a Regulation, the GDPR is directly effective and does not require transposition into Irish law and as such will be enforceable from 25th May 2018. It increases the investigatory powers of the DPC and also provides for administrative fines of up to €20,000,000 or 4% of annual global turnover, whichever is greater. Fines of up to €10,000,000 or 2% of global turnover can be imposed for administrative oversights such as failing to appoint a DPO or failing to notify the DPC of a personal data breach. Fines will be issued not by a court but by the DPC directly.

The Regulation also introduces the idea of a ‘one stop shop’ which means that multinational companies engaged in data processing and controlling will be regulated by the supervisory authority (in Ireland the DPC) where the company has its main establishment, thus removing the need to engage with multiple national supervisory authorities.

The GDPR also has the effect of making it easier to bring cases for compensation against data controllers and processors in national courts as it allows compensation to be awarded in cases where there has been no material damage suffered, for example compensation can be awarded for distress or damage to reputation.

It is anticipated that these changes will lead to an increase in litigation in this area. Firstly, by increasing the number of claims for compensation against data controllers and processors and secondly through the DPC exercising her new and expanded powers potentially leading to an increase in the number of appeals and judicial reviews.

For further information concerning the GDPR contact:-

 

Feena Robinson
Associate
O’Connor Solicitors
8 Clare Street
Dublin 2
Tel: 6764488
E: Feena.robinson@oclegal.ie

Beneficial Ownership Register – A Guide for Companies

The EU Anti-Money Laundering Directive has created new rules that require companies to gather and store information about their beneficial owners. The regulations have introduced a two stage process:

  1. Companies are currently required (as of the 15th of November 2016) to maintain current accurate information on their beneficial owners on an internal register.
  2. The establishment in the near future of a central register, to be called the Registrar of Beneficial Ownership of Companies and Industrial and Provident Societies, which will be administered by the Companies Registration Office.

Failure to comply with the requirements is a criminal offence which can lead to a fine of up to €5,000 on summary conviction.

Who are Beneficial Owners?

A beneficial owner is the individual who ultimately owns or controls a company through direct or indirect ownership of a sufficient percentage of the shares or voting rights or ownership interest in that company.

A shareholding of 25 % plus one share or an ownership interest of more than 25 % in a company held by an individual is an indication of direct ownership. A shareholding of 25 % plus one share or an ownership interest of more than 25 % held by a separate company, which is under the control of an individual is an indication of indirect ownership.

Requirement for Companies to Hold Information

Since the 15th of November 2016 Companies have been required to hold the following information:

  • The name, date of birth, nationality and residential address of each beneficial owner.
  • A Statement of the nature and extent of the interest held by each beneficial owner.
  • The date on which each person entered the register and the date on which any person ceased to be a beneficial owner.

The information must be up to date, clear and accurate. Companies are obliged to serve notices requesting information on persons they suspect to be beneficial owners and persons who receive these notices have one month in which to reply. There is an independent duty on beneficial owners to notify the company if there is a change of their status. If a company cannot locate its beneficial owners then it must instead enter the details of its senior managing officials.

Companies should be proactive in maintaining their own registers in the lead up to the creation of the central register.

Central Registrar of Beneficial Ownership

The Department of Finance is expected to introduce the Register of Beneficial Ownership of Companies in the fourth quarter of 2017. This will require Companies to file their internal registers of beneficial owners, as well as the details of the person who makes the submission on behalf of the company, with the Companies Registration Office.

Although the exact rules have not been finalised the Companies Registration Office has indicated that there will likely be a three month grace period before companies will be found to be in breach of the statutory duty to file. The filing is to be done through an online portal without the need for filing fees. Under the current directive the public would not have access to the information but the issue of public access is being debated and may form part of future regulations.

 

John C. O’Connor
Partner
O’Connor Solicitors
8 Clare Street
Dublin 2
Tel: 6764488
E: john.oconnor@oclegal.ie

High Court rejects appointment of Barrister as “Direct Access Counsel”

In a recent decision the High Court refused an application for the appointment of a barrister as a direct access counsel (meaning a barrister acting without the instructions of a solicitor). In doing so Mr. Justice Gilligan addressed important issues about the interaction between professional codes of conduct and regulatory legislation.

All barristers in Ireland are trained by the Honorable Society of King’s Inns and once trained they become members of the Society. Although not mandatory, the vast majority of barristers in Ireland are also members of the Bar of Ireland (known as the Law Library) which is governed by a professional code of conduct. It is this code of conduct and not any express rule of law that prevents a barrister from acting without the instructions of a solicitor.

Although a qualified barrister, the applicant in this case was not a member of the Bar of Ireland but rather is the president of a new organisation called the Association of Barristers in Ireland which does not have a similar prohibition. She argued that as she was not a member of the Bar of Ireland she should not be governed by its code of conduct and as such she could act without the instructions of a solicitor.

In refusing the application, Mr. Justice Gilligan referenced the fact that the Rules of the Superior Courts, a form of secondary legislation, specifically define the role and function of solicitors as clients’ representatives and therefore implicitly exclude a barrister from performing those same roles and functions in contentious litigation. He then went on to make important observations about the way in which barristers are regulated.

First, Section 101 of the Legal Services Regulation Act (which has yet to be commenced) prohibits any professional code from preventing a barrister from providing legal services as a practising barrister in relation to a matter other than a contentious matter without the instructions of a solicitor. Mr. Justice Gilligan said that it was clear that the directions intended that the professional codes applicable to barristers should continue to apply unless and until replaced or revised by regulatory action by the authority. This has the effect of recognizing and providing tacit endorsement of the status of the professional code of the Bar of Ireland.

Second, when the applicant qualified as a barrister, she made a declaration to the Honorable Society of King’s Inns stating that she would observe the code of conduct of the Bar of Ireland. This had the interesting effect of binding her to the professional code of conduct of the Bar of Ireland even though she is not a member of it.

This decision clarifies important issues concerning the interaction between professional codes and government regulations. From the drafting of the Legal Services Regulation Act 2015 we can see that the regulators provide for professional codes of conduct to govern areas which the Act has not seen fit to govern. The drafters of the Act did not envisage a situation where a professional could opt out of these codes and essentially be regulated by the Act alone. This decision highlights the extent to which the regulators rely on these codes to be a binding and effective form of regulation.

Killian Keogh joins Conveyancing Team

O’Connor Solicitors Ranked as Leading Firm in Chambers Europe 2017

O’Connor Solicitors has been ranked as a leading firm in Chambers Europe 2017 where the firm is recognised for its strength on a wide range of issues that include commercial litigation, commercial leases and property transactions, employment and trade union law, regulatory advice and hearing, mediation, insurance and commercial agreement, charity and trust law and advice on shareholders agreements and company restructuring.

https://www.chambersandpartners.com/Europe/firm/311267/o-connor-s

George O’Connor and Ruth O’Connor Ranked Lawyers in Chambers Europe 2017

We are delighted that both Ruth O’Connor and George O’Connor have been ranked by the prestigious Chambers Europe 2017 as leading practitioners in their particular fields.

Ruth has been ranked for her work in regulatory compliance and statutory frameworks in the medical arena, as well as handling contentious employment law matters.

George has also been ranked for his work on regulatory and dispute resolution in healthcare. George also deals with matters before the Medical Council regarding fitness to practise questions.


Charities Regulator launches new guide for Charity Trustees

The Charities Regulator has this month launched a very useful guide in relation to Charity Trustees which can be viewed by clicking on the link below.

http://bit.ly/CharRegTrusteesGuide

National Vetting Bureau (Children and Vulnerable Persons) Act 2012

The National Vetting Bureau (Children and Vulnerable Persons) Act 2012 came into force on 29th April 2016. All individuals and organisations working with children and vulnerable persons, or with regular access to or contact with them, should be aware of their obligations under this new legislation.

Who is to be vetted

Under the new legislation, vetting is now mandatory in circumstances where “relevant work or activities” in relation to either children or vulnerable persons, as defined, is carried out by any individual, except in certain limited circumstances. Individuals covered by the legislation include employees, contractors and unpaid volunteers.

“Relevant work or activities” in relation to children includes:

  1. any work or activity which is carried out by a person, a necessary and regular part of which consists mainly of the person having access to, or contact with children under certain legislation including the Child Care Act 1991, Education Act 1998 and Health Act 2007 or in a hospital or health care centre setting;
  2. treatment, therapy or counselling provided to a child;
  3. care or supervision of children;
  4. the provision of education, training, cultural, recreational, leisure, social or physical activities to children (whether on a commercial basis or not); and
  5. the provision of advice, guidance or developmental services to children.

This is not an exhaustive list. Roughly equivalent provisions apply in relation to vulnerable persons, who are defined as people, other than children, who:

  1. are suffering from a disorder of the mind (including dementia);
  2. have a physical impairment (whether as a result of injury, illness or age); or
  3. have intellectual or physical disabilities,

which are of such a nature as to restrict the capacity of the person to guard themselves against harm, or that result in their requiring assistance with daily living activities including dressing, eating, walking, washing and bathing.

Database

The Act provides for the establishment of a database system, which is to be operated by the National Vetting Bureau, formerly the Garda Central Vetting Unit. This database will contain registers of:

  1. Relevant organisations;
  2. Specified information; and
  3. Vetted persons.

“Relevant organisation” means any person, including a company, who employs any individual to undertake relevant work or activities, or uses contractors or volunteers to do so (whether or not for commercial or any other consideration). Providers of education or training courses where a necessary part of the placement involves participation in relevant work or activities are also included, as are employment agencies, bodies responsible for the regulation of certain professions and representative bodies or those who represent, for the purposes of these vetting procedures, another person, trade, profession or body, organisation or group or other body of persons that undertakes relevant work or activities.

A relevant organisation may not employ or otherwise use individuals to undertake relevant work or activities unless the organisation has received a vetting disclosure from the Bureau in respect of that person. Any person who does so is guilty of an offence, which can lead to a fine of up to €10,000 or imprisonment for up to five years. Arrangements entered into prior to 29th April are excluded from this, but relevant organisations will have to apply to have individuals retrospectively vetted if no vetting has previously taken place.

Employers and those now seeking to contract individuals to undertake work should be careful to ensure that Garda vetting is completed before committing to any employment or contractual arrangements.

Application process

An application for vetting disclosure in respect of an individual must be made by a liaison person, notified to the Vetting Bureau as such, for the relevant organisation in question. Vetting will involve searching for convictions as well as for “specified information”. This is information concerning a finding or allegation of harm to another person that is received by the Bureau from the Gardai or certain organisations and which is of such a nature as to reasonably give rise to a bona fide concern that the person may harm or attempt to harm a child or vulnerable person, incite another person to harm them, or cause them to be harmed or put at risk.

Individuals to be vetted must be notified by the Bureau of any intention to disclose specified information to the relevant organisation, and they can appeal the decision if they so wish.

Those vetted prior to 29th April will be entered into the register of vetted persons.

Compliance inspections

The Bureau will now have compliance officers, who will be permitted to:

  1. Enter and inspect premises occupied by relevant organisations;
  2. Inspect and take copies of any books, records, etc relating to vetting procedures;
  3. Remove them;
  4. Require any individuals, including the liaison person, to give information or assistance or produce books or records;
  5. Examine any person and require them to answer questions as required and to make a declaration as to the truth of their answers.

In light of these new powers, relevant organisations should make sure that they are sufficiently organised to be able to appropriately deal with an inspection, should one occur, and that everyone who needs to be vetted is.

Our above memo is prepared for general information purposes; it does not purport to provide legal advice. O’Connor solicitors accept no responsibility for losses that may arise from reliance on information contained in this post. It is intended to identify general issues on which you may require legal advice. Full legal advice should be taken from a suitably qualified professional when dealing with particular circumstances.