Legal Compliance External Audit Troubleshooting

Part of the service you pay for with Activ’s Legal Compliance Manager is access to our legal team (legal@myactiv.co.uk; 0333 301 9003).  We are regularly contacted during or after an external audit with queries relating to both procedure and specific pieces of legislation.  You are encouraged to get in touch whenever you need to.

We have put together this list of the four most commonly raised queries so you have the answers at your fingertips.

  1.  Do I need to show consideration of non-applicable legislation?
  2.  The auditor says there is legislation missing from my Legal Register
  3.  My Legal Register doesn’t contain the latest versions of legislation
  4.  I have unexpected legislation on my Legal Register

  1.  Do I need to show consideration of non-applicable legislation?

The Standard(s) require an organisation to identify all applicable legal requirements and to demonstrate that they comply with them.  There is no obligation to demonstrate that you have considered legislation that is not applicable to your organisation.

If an auditor says that non-applicable legislation must be considered, ask the auditor to point to the clause(s) in the Standard(s) that they believe demands this.

The relevant clauses in ISO 14001:2015 are:

6.1.3 Compliance Obligations

The organization shall:

  a) determine and have access to the compliance obligations related to its environmental aspects;
  b) determine how these compliance obligations apply to the organization;
  c) take these compliance obligations into account when establishing, implementing, maintaining and continually improving its environmental management system.

The organization shall maintain documented information of its compliance obligations.

9.1.2 Evaluation of Compliance

The organization shall establish, implement and maintain the process(es) needed to evaluate fulfilment of its compliance obligations.

The organization shall:

  a) determine the frequency that compliance will be evaluated;
  b) evaluate compliance and take action if needed;
  c) maintain knowledge and understanding of its compliance status.

The organization shall retain documented information as evidence of the compliance evaluation result(s).

The relevant clauses in ISO 45001:2018 are:

6.1.3 Determination of legal requirements and other requirements

The organization shall establish, implement and maintain a process(es) to:

  a) determine and have access to up-to-date legal requirements and other requirements that are applicable to its hazards, OH&S risks and OH&S management system;
  b) determine how these legal requirements and other requirements apply to the organization and what needs to be communicated;
  c) take these legal requirements and other requirements into account when establishing, implementing, maintaining and continually improving its OH&S management system.

The organization shall maintain and retain documented information of its legal requirements and other requirements and shall ensure that it is updated to reflect any changes.

9.1.2 Evaluation of Compliance

The organization shall establish, implement and maintain a process(es) for evaluating compliance with legal requirements and other requirements (see 6.1.3).

The organization shall:

  a) determine the frequency and method(s) for the evaluation of compliance;
  b) evaluate compliance and take action if needed;
  c) maintain knowledge and understanding of its compliance status with legal requirements and other requirements;
  d) retain documented information of the compliance evaluation result(s).


  2.  The auditor says there is legislation missing from my Legal Register

If an external auditor says that there are applicable legal requirements missing from your list, then the auditor should be asked to specify exactly what those missing legal requirements are.  If they are applicable we’ll help you to establish why they are missing.  In the event that the legislation is not covered in Activ, we will make it a priority to get the legislation included.  Or, it could be that you haven’t answered the questionnaire fully accurately, in which case we’ll be able to highlight where in the questionnaire the topic is covered so that you can rectify this.

There are a number of items that auditors commonly incorrectly identify as being missing from Legal Registers:

  • Anti-terrorism, Crime and Security Act 2001 C.30 (for ISO 27001)  This Act enables the state to seize assets relating to terrorism, changes the basis on which public authorities can disclose information, creates new offences related to racial hatred offences, biological weapons, chemical weapons and nuclear weapons, and grants various powers to the security services. None of these is relevant to ISO 27001. Part 11 of the Act does refer to retention of communications data but only grants powers to the Secretary of State to issue a code of practice entitled the Voluntary Retention of Communications Data under Part 11: Anti-terrorism, Crime and Security Act 2001 — Voluntary Code of Practice.  As this is a voluntary code it would not appear on your Legal Register, although if you subscribe to the code it would have to appear on your register of “other” (non-legal) requirements that the organisation is committed to.
  • Coronavirus Legislation Despite new coronavirus regulations of one kind or another being regularly released, you won’t find many of them on an Activ Comply health and safety legal register as, with very few exceptions, coronavirus legislation throughout the UK does not directly impose any occupational health and safety obligations on employers (the main exception to this is coronavirus legislation in Wales which directly requires employers to ensure that adequate social distancing is implemented). The actual occupational health and safety ‘obligations’ relating to businesses in the rest of the UK are published in the form of Government guidance, not legislation, which won’t form part of your legal register. This guidance cannot be directly enforced. However, should you fail to follow the guidance, you may be found to be in breach of the general obligation in sections 2, 3 and 4 of the Health and Safety at Work etc. Act 1974 to keep employees and other people affected by your activities safe so far as is reasonably practicable. Although the guidance mentioned above isn’t legislation and won’t form part of your legal register, we recognise its importance to our clients in completing their health and safety risk assessments, which is why we provide a monthly update of changes to the guidance in our Legislation Outlook service. All published Legislation Outlooks can be found on a tab in the Legal Compliance Manager.
  • Corporate Manslaughter and Corporate Homicide Act 2007  This Act provides the courts with an extra sentencing option where there has been a breach of existing legal obligations that resulted in a death and that breach was particularly gross (i.e. was caused by conduct falling far below what could reasonably have been expected of the organisation in the circumstances).  It imposes no new legal obligations on an organisation; it merely gives the courts an extra sentencing option where an organisation is judged to have fallen short against existing legal obligations.
  • Equality Act 2010 C.15  This Act applies to all organisations in order to prevent discrimination.  However, it does not contain requirements that are applicable to the health and safety requirements or environmental aspects of an organisation and will therefore not be present on a Legal Register for ISO 45001 or ISO 14001 purposes.  A little confusion can arise in relation to the duty under S.20 of the Act to make “reasonable adjustments” for disabled persons, but these adjustments relate to general employment rather than health and safety or the environment, and are entirely separate from any adjustments or measures already required for disabled persons by other legislation, such as the Health and Safety at Work etc. Act 1974 C.37 (which places an obligation on an employer to ensure, so far as is reasonably practicable, the health, safety and welfare at work of all employees), the Regulatory Reform (Fire Safety) Order 2005 SI 2005/1541 (which requires such general fire precautions to be taken to ensure, so far as is reasonably practicable, the safety of any employee), etc.  A simple way to think of it is that health and safety legislation protects disabled persons already in employment; the Equality Act 2010 ensures that they are not discriminated against in gaining employment in the first place.
  • Fluorinated Greenhouse Gases Regulations 2015 SI 2015/310  These Regulations do not contain any legal requirements applicable to your organisation, unless you are a training body.  They do not contain any requirements relating to the use or maintenance of equipment containing F-gases such as air-conditioning or refrigeration units.  Those requirements are contained in Regulation (EU) No 517/2014 on fluorinated greenhouse gases, which is a directly applicable EU Regulation and which will be shown on your Legal Register where relevant.
  • Health and Safety (Fees) Regulations 2012  These Regulations give powers to the Health and Safety Executive to impose fees for intervention (FFI) where an organisation is found to be in material breach of health and safety law.  In such circumstances, the organisation will have to pay for the time it takes the HSE to identify and remedy the breach.  The Regulations contain no new health and safety legal obligations for an organisation; they merely provide an enforcement option for the HSE.
  • Human Rights Act 1998 C.42  This Act only applies to public authorities (e.g. courts, local authorities, government agencies, etc.) and therefore should not appear on the Legal Register where the organisation being audited is not a public authority.
  • Industrial Emissions Directive (Directive 2010/75/EU on industrial emissions)  This will not appear on your Legal Register because it is an EU Directive.  This means that it has no legal effect on its own and must be implemented by a Member State in order to come into force.  The Directive required that Member States implemented measures to ensure that a permit was required for the undertaking of certain specified industrial activities.  The UK government implemented the Directive in England and Wales through the Environmental Permitting (England and Wales) (Amendment) Regulations 2013. These provisions are now found in the Environmental Permitting (England and Wales) Regulations 2016. In Scotland, the Directive was implemented by the Pollution Prevention Control (Scotland) Regulations 2012 and in Northern Ireland by the Pollution Prevention and Control (Industrial Emissions) Regulations (Northern Ireland) 2013.
  • Modern Slavery Act 2015 C.30  This Act relates to general employment rights and does not contain any requirements that are relevant to the Standard(s) being audited.  Even though it would not appear on your Legal Register for ISO 14001, ISO 45001 etc., organisations with a turnover greater than £36m should note the obligation in the Act to prepare a slavery and human trafficking statement, which must be approved at the highest level of the organisation and either published on your website or, if you don’t have a website, made available to the public on request.
  • Noise and Statutory Nuisance Act 1993 C.40  This will not appear on your Legal Register because it does not directly impose any obligations on organisations. The Act merely amends the Environmental Protection Act 1990 and the Control of Pollution Act 1974, which will appear on your Legal Register if they contain requirements that are relevant to you. The amendments add “noise that is prejudicial to health or a nuisance and is emitted from or caused by a vehicle, machinery or equipment in a street” to the list of statutory nuisances in relation to which local authorities have been granted enforcement powers.
  • Waste Electrical and Electronic Equipment Regulations 2013 SI 2013/3113  These Regulations are only relevant to producers and distributors of NEW electrical and electronic equipment (EEE) – they do not place obligations on producers of waste EEE (WEEE), unless the WEEE arises from EEE that was placed on the market prior to 13 August 2005.  Producers of WEEE are subject to the normal controlled waste legislation (or, if applicable, hazardous waste legislation) for their region, which will appear on your Legal Register.
  • Weeds Act 1959 C.54  This only relates to injurious weeds, which are plants that are dangerous to grazing cattle.  It does not impose any obligations relating to the control of invasive non-native species such as Japanese knotweed or Himalayan balsam; these are contained in the Wildlife and Countryside Act 1981 C.69. Other non-native species that must be controlled are found in Schedule 9 to the 1981 Act.
  • Working Time Directive (Directive 2003/88/EC)  This will not appear on a Legal Register because it is an EU Directive.  This means that it has no legal effect on its own and must be implemented by a Member State in order to come into force.  The UK government implemented the directive through the Working Time Regulations 1998 SI 1998/1833 and the Working Time Regulations (Northern Ireland) 1998 SR 1998/386 and these should appear on your Legal Register if appropriate.


  3.  My Legal Register doesn’t contain the latest versions of legislation

We maintain Activ’s Legal Register on an ‘as amended’ basis, which is the legally correct way of displaying legislation that affects you.  In layman’s terms, what this means is that your Activ Legal Register will contain the correct and most up-to-date relevant legislation.  There may be something that looks like a more recent version of some relevant legislation, but this is not shown on your Legal Register if it does not contain any legal obligations applicable to you but merely amends obligations already contained in earlier legislation.

An example is the Waste (England and Wales) (Amendment) Regulations 2014 SI 2014/656 (‘the 2014 Amendment Regulations’).  The 2014 Amendment Regulations do not impose obligations on you directly; they amend the obligations contained in other existing legislation, in this case the Waste (England and Wales) Regulations 2011 SI 2011/988 (‘the 2011 Regulations’).  This is why the 2014 Amendment Regulations will not appear on your Legal Register, but the 2011 Regulations may.

Rest assured that Activ is updated when amendments are made to legislation.  Where relevant amendments have been made to existing legislation (like the 2011 Regulations) we change the legal requirements contained in Activ to reflect the amendments, and then notify anyone who may be affected by the changes to ensure that they remain compliant with current legislation.  In the case of the 2014 Amendment Regulations, the only relevant change that was made to the 2011 Regulations was that, in relation to the transfer of controlled waste, “transfer notes” were renamed as “written information”.  This is reflected in updated requirement EW705, which states:

“When controlled waste is transferred, ensure that all reasonable measures are taken to provide written information (previously known as a ‘transfer note’) and that a copy of the written information is retained for a minimum of 2 years. The written information must…”

From the above it can be seen that the changes made to the 2011 Regulations by the 2014 Amendment Regulations have been included and that the requirement shown in Activ reflects current legislation in force.

A similar example is the Hazardous Waste (England and Wales) Regulations 2005 SI 2005/894, which has been amended on numerous occasions since it came into force (including the Hazardous Waste (Miscellaneous Amendments) Regulations 2015 SI 2015/1360), but still remains the source of all obligations in relation to hazardous waste. The Hazardous Waste (Miscellaneous Amendments) Regulations 2015 SI 2015/1360 is an example of a case where the amendments contained nothing relevant to the Standards and therefore, in such cases, we cannot point to any specific changes made to the legal requirements in Activ to prove that they have been taken into account (as nothing has changed).  In such cases, the auditor can be shown the legal Update notifications that you receive from Activ, to provide evidence that you are informed of any changes made to legislation that are relevant to your business activities, and that Activ is kept up to date with current legislation.  For help on your Updates, see Changes to Legislation – Update Notices and Alert E-mails.


  4.  I have unexpected legislation on my Legal Register

While this isn’t as much of a problem for external auditors as having a Legal Register with ‘missing’ legislation, it may be worth contacting us to see whether the legislation is applicable or whether the questionnaire has been completed inaccurately.  The most common questions relate to:

  • Control of Asbestos Regulations 2006 SI 2006/2739  The Regulations will appear on any Legal Register where the organisation uses business premises, whether or not asbestos is actually present.  The Regulations require that anyone who has control of non-domestic premises must carry out an assessment to determine whether asbestos may be present on the premises.  The assessment need not include a full survey where it is obvious that there is no asbestos present.  Further guidance is available from the HSE.
