The NEC4 suite of contracts was published on 22 June 2017. In the third of a series of briefing notes on the NEC4 Professional Service Contract we consider the relationship between the detailed requirements of the Defined Cost regime and obligations under GDPR, in light of concerns raised by a number of consultants and the NEC Practice Note 3 on GDPR. In Will Buckby and Andrew Croft's view, Practice Note 3 fails to address a key risk in respect of how the GDPR and the Defined Cost mechanism apply. Consultants need to take real care to ensure the provision of information required to evidence payment does not put them in breach of the GDPR.
In our first Briefing Note on the NEC4 Professional Service Contract we commented on the detailed employee information required to evidence Defined Cost if Options C or E apply. Amongst other things, we highlighted that the Defined Cost regime could conflict with the duty of confidentiality the Consultant owes to its employees. Following the implementation of the General Data Protection Regulation on 31 May 2018 under the Data Protection Act 2018, the Defined Cost regime could also cause the Consultant to breach its obligations under the GDPR.
The GDPR prohibits a “Data Controller” from “processing” personal data unless one of the specified exceptions applies and a data processing agreement is entered into. Processing is defined as any “operation” being performed on personal data, such as collection, recording, disclosure by transmission and use.
The NEC Practice Note 3 states that meeting the requirements of the standard NEC contracts will not involve the processing of personal data. The NEC’s view is that only if a contract includes requirements to process personal data of third parties, e.g. recording details of objections to a planning application, will additional provisions be required to comply with GDPR. Practice Note 3 also states that assessing Defined Cost will not involve processing personal data, on the basis that inspecting records of personal data does not itself amount to “processing”. In our view, this is a very narrow interpretation as to how GDPR applies to the NEC4 PSC.
In particular, if Options C or E apply, given the detailed employee information set out in the Schedule of Cost Components, the Consultant will very likely be required to provide personal data to justify Defined Cost under the NEC4 PSC. If the Consultant’s costs are not justified by accounts or records they will be Disallowed Cost and so will not be paid to the Consultant; this suggests that the Consultant may be required either to provide personal data or to forgo payment. The provision of personal data in this way is very likely to constitute “processing” of personal data given the definition of processing above.
Practice Note 3 only includes a suggested approach for when the Contractor (under the Engineering and Construction Contract) processes personal data in respect of which the Client is the data controller, with a proposed Scope entry imposing data processing obligations on the Contractor. This approach does not address how the Consultant should comply with the GDPR when the Client will be processing personal data in respect of which the Consultant is the data controller.
We suggest that if Options C or E apply consultants should seek to include a Z clause which imposes similar obligations on the Client as are set out in the proposed Scope entry in Practice Note 3, or to amend the Defined Cost regime such that the Consultant does not have to provide personal data to evidence Defined Cost. If this is not possible, the Consultant should require the Client to enter into a stand-alone data processing agreement before any personal data is provided.
Care should also be taken if any additional “open book” payment regime and/or any rights to audit the Consultant’s records are included in any appointment, and any third party auditor should also be required to enter into a data processing agreement with the Consultant before being given access to or being provided with personal data.