Our New Information Governance Blog

Tkm now has a new blog that specialises in information governance.

If you are looking for more information on data protection compliance or preparing for the General Data Protection Regulation, see www.managingyourinformation.com.

Know the Score on Allergen Rules

I was really pleased to see my latest piece on allergens published in the Scottish Licensed Trade News this week.  I have put the text of the article below together with some supplementary information and useful links.

The requirements of these regulations for caterers seem to be causing a lot of unnecessary confusion due to many people and organisations misinterpreting what needs to be done, in particular, muddling the requirements for prepacked and non-prepacked foods.

I have covered some of these topics previously although I think they are worth repeating as there is still so much misinformation regarding the regulations.  In fact, I saw a piece only this week that was produced by an organisation claiming to support small businesses, which stated the regulations required every staff member to learn all ingredients of every dish, and that these ingredients must also be listed on menus.  This is absolutely not the case and the requirements for caterers providing non-prepacked food are explained further below.

The regulations have been in force since 13 December 2014 and while some businesses have implemented comprehensive measures to meet requirements, many have yet to get started.  If you haven’t yet taken steps to comply, you need to act now.

Myth – you need to list all the ingredients of each dish on the menu.

The requirement to list ingredients only applies to prepacked food and therefore is unlikely to apply to the majority of caterers serving meals, as they usually provide food to the consumer without packaging.  The information that must be provided for non-prepacked food is whether one or more of the 14 allergens listed at Annex II of the Regulations have been purposely added to the dish (don’t forget salads, side orders and garnishes).  Information can be provided on the menu although can also be provided in other ways, for example orally by staff.

Myth – I don’t need to do anything as I already highlight gluten free and dairy free items on my menu.

There can be little doubt that this type of information is meeting a growing consumer demand, however, be aware that gluten and dairy are NOT the allergens listed in the regulations.  Furthermore you are required to identify whether an allergen is present, not identify foods free from allergens.

In the case of gluten the regulations require you to identify the cereal containing gluten (you must specify which cereal), and in the case of dairy people will usually be referring to milk.  Highlighting gluten would fall under Voluntary Information and is not a legal requirement.

Pay careful attention to using “gluten free” as it is defined by law.  Even if you are purchasing ingredients that are free from gluten, it is highly unlikely they will technically be “gluten free” by the time they reach the consumer, if they are being processed in an environment where gluten-containing ingredients are also being processed.  A more accurate term may be “no gluten-containing ingredients”.

Myth – I am not sure what allergens are in some of my dishes and so I have used a “May Contain” statement to cover everything.

The regulations make an important distinction between allergens that have been purposely added to a dish, and allergens that may be in the dish, for example through cross contamination.  The regulations only require information to be provided about allergens that have been purposely added to the dish.  You need to be specific about which allergens are present and the information cannot be provided using the term “may contain”.

For some people only very small amounts of an allergen are required to trigger allergic reactions, levels which could be reached as a result of cross contamination.  You may choose to additionally inform people about possible cross contamination risks by providing a “may contains” statement.  However, this also constitutes Voluntary Information and is not mandatory.  Of course you must continue to ensure you take appropriate measures to control cross contamination, which is a fundamental requirement of producing safe food.

Pitfall – Drinks

Don’t forget your drinks!  However, unlike most dishes, there are likely to be at least some items that are intended to be sold on to the consumer in their packaging (prepacked) and therefore the labelling should already comply.  Examples may be bottled or canned products.  Note that the regulations have different requirements for prepacked food.  If in doubt, check the Regulations and contact your suppliers.

If you are selling non-prepacked drinks such as draught beers, wine by the glass or spirits, allergen information must be provided as outlined above.

What next?

Still not sure where to start?  Firstly check the Food Standards Agency (FSA) website and discuss the requirements with your Environmental Health Officer.  Make sure you understand how the regulations apply to your business before investing time and money in undertaking potentially costly activities such as producing new menus and staff training.

There are also some excellent sources of information and training available, including Allergy Action, which offers a joint award with REHIS.  Liz delivers this award in addition to offering training and consultancy services specialising in implementing practical measures to meet the requirements of legislation.  For further information see her website.

Myth Buster 1: New Allergen Regulations – Requirements for Caterers Offering Non-Prepacked Food

The new regulations requiring food business operators to provide allergen information (the EU Provision of Food Information to Consumers Regulations (the Regulations)) have now been in force for a month.  While some businesses have implemented comprehensive measures to comply, many have yet to get started.  There has been some negative press particularly in relation to caterers and at least some of the issues seem to stem from a lack of understanding of the Regulations and how the requirements should be implemented.

There can be little doubt that compliance with these Regulations will require investment of time and money from some businesses, however, we should already know what is in food products we offer as it is a fundamental requirement of the Food Safety Act (1990).  In essence, all these Regulations require is that some of that information is proactively passed to the consumer.  It should be simple, shouldn’t it?

Of course, in practice, it is not that simple.  One of the key reasons is that the majority of catering businesses have never had to manage detailed information about products in this way before.  What is not helping are a number of misinterpretations of the Regulations that I am coming across on a regular basis.  My first myth buster blog briefly explores 4 of them.

  1. Caterers need to list all ingredients on menus.

There is no requirement to list ingredients of a particular product if you offer non-prepacked food.  Listing ingredients is a requirement for prepacked food only.  This essentially means that if food is prepared for sale on the premises it is sold from, you are not required to provide an ingredients list.  This will include most restaurants, hotels, and canteens.  If you provide non-prepacked food, the information you are required to provide to consumers is whether the product contains one or more of the 14 allergens listed at Annex II of the Regulations.

  2. All allergen information must be on the menu.

This is not a legal requirement.  The Regulations require the information to be “available and easily accessible” and you may choose to provide it on menus.  However, you could also provide it on a separate sheet or you could choose to provide the information orally.  You will need to give some thought to making the process of providing information as simple as possible.  Consider issues such as how often you change the menu and how you will ensure allergen information remains accurate, the implications for staff training and whether all of the products you offer are on the menu.  Don’t forget about being able to demonstrate due diligence and also, if you choose to provide the information orally, you must still clearly inform your customers how they can access the information.  You also need to remember the information must be verifiable on challenge.

  3. You must identify foods containing gluten.

The Regulations require you to identify whether a product contains any of the cereals containing gluten listed at Annex II.  You may choose to also highlight gluten although gluten is not listed at Annex II as a separate allergen.  Identifying gluten would fall under Voluntary Information and is not a requirement of the Regulations.  Identifying gluten-containing dishes without highlighting which cereal at Annex II is in the dish will NOT comply with the Regulations. 

If you do choose to identify gluten, make sure you pay careful attention to using the term “gluten free” as this is a term defined by law.  Even if you are purchasing ingredients that are free from gluten, it is highly unlikely they will technically be “gluten free” by the time they reach the consumer, if they are being processed in any environment where gluten-containing ingredients are also being processed.  Therefore, for most organisations, it may be more accurate to use the term “no gluten-containing ingredients” rather than “gluten free”.

  4. You must declare whether there is any trace of allergens in your dish.

There is a very important distinction in the Regulations between allergens that have been purposely added to a dish, for example, they are an ingredient in the recipe, and allergens that may be in the dish, for example, through cross contamination.  The Regulations require identification of allergens that have been purposely added to the dish.  You may choose to additionally provide a “may contains” statement which would cover possible cross contamination.  However, as discussed above in relation to gluten, this constitutes Voluntary Information and is not required, although it could be considered best practice.

Further information on all of these points is available in the Food Standards Agency’s guidance.  For more detailed advice, you can contact me and you should contact your local environmental health officer to ask how they expect to see the Regulations implemented in practice.  Remember, it is really important to seek advice regarding your business’s particular circumstances.

Posting CCTV Images on Social Media. Good Idea?

There was an interesting story reported in the press on 31 December about a restaurant that posted an image from their CCTV on Facebook of a group of 4 people who had allegedly left the restaurant without paying their bill.  I am sure there will have been a significant number of people who read the reports and thought this was a highly effective way of addressing this particular issue.

Much of the discussion that followed centred on whether or not this was an appropriate course of action for the restaurant to take from a customer service perspective.  The comments that were reported suggested the majority of people felt it was a social media blunder although there was also some support for the action taken by the restaurant.

However, leaving that particular argument to one side, what was not mentioned in any of the reports I read is the fact that posting CCTV images of people on-line is likely to be unlawful in the vast majority of situations.  The consequences and potential penalties of unlawful processing could be far greater than the cost of a meal for 4 that was quoted in the press.  In fact, there have already been investigations into exactly this type of information disclosure where an organisation streamed CCTV footage to the YouTube website and was required to enter into an Undertaking with the regulatory body, the Information Commissioner’s Office (ICO), to address breaches of the Data Protection Act 1998 (the Act).

CCTV images will usually be considered personal data, and in this particular case will definitely fall within data protection legislation as the people were clearly identifiable.  Assuming the restaurant is using CCTV lawfully in the first instance (they have notified the ICO and have the relevant and appropriate data processing notices), it is still difficult to imagine any circumstances in which most businesses can lawfully publish CCTV images.

All personal data, including images, must be obtained for a legitimate business purpose, which must be a legitimate business activity of the organisation collecting the data.  Once obtained, the data can only be used for that purpose and should also be processed in a way that ensures compliance with all 8 Principles of the Act.

Most businesses will report the use of CCTV as being used legitimately for crime prevention and detection although the need for CCTV should be demonstrated through the necessary risk assessments and privacy impact assessments.

When it comes to investigating crime rather than preventing or detecting crime, there are very few organisations that will be able to report this as a legitimate business activity, with the obvious exception being law enforcement agencies.  Therefore any processing for the purposes of investigating or solving “crime” by organisations that are not law enforcement agencies is likely to be unlawful.  I have used “” for the word crime as I am not sure from a legal perspective whether there is technically any evidence to suggest a crime had actually been committed by one or more of the party of 4 in this case.  Media coverage suggests the incident had not been reported to the police at the time the image was published.

Furthermore, the ICO makes it quite clear in their CCTV Code of Practice that the identification of individuals from CCTV should only be carried out by law enforcement agencies and goes on to state:

 “…it can be appropriate to disclose surveillance information to a law enforcement agency when the purpose of the system is to prevent and detect crime, but it would not be appropriate to place them on the internet …”

Therefore, in answer to the question in the title, my view is that it is quite clear CCTV images should not be published anywhere, including on the internet, and it may even be unlawful.

From the information reported in the media, there is potentially a whole catalogue of breaches of the law.  The case also calls into question whether the necessary risk and impact assessments had been carried out.  The penalties could be significant if any follow-up action is taken by the ICO.  Furthermore, action could be taken by any of the people identified in the CCTV who may have grounds to make a legitimate complaint due to the unlawful disclosure of their personal data and, in some circumstances, seek compensation for damages.  It should be noted the restaurant subsequently removed the post.

If you have CCTV you need to ensure its use is justified and the data being collected is being processed in accordance with the relevant legislation.  Comprehensive guidance is available from the ICO and, as always, please contact me to discuss training requirements or for help with impact or risk assessments.

Helpful Resources for Implementing FIC Regulations

We had a great Business Gateway session on the provision of food information at Aros, Portree this week.  With the deadline fast approaching and more sessions scheduled, I thought it would be useful to provide links to some of the materials used in the session.  There is lots of material available online, and direct links to those referred to in the session, with a brief description of each, are provided below.  How you choose to use these resources is likely to depend upon the nature of your business and therefore you may wish to use some of them in different ways.

One of the key sources of information is the Food Standards Agency (FSA).  Information available from their website includes:

A Matrix for Dishes and their Allergen Content will be helpful to many businesses.  This summarises the 14 allergens and provides a chart for indicating which allergen is in which dish on your menu.  Don’t forget to include garnishes, dressings and accompaniments in your assessment, and also that you need to indicate which specific nut or cereal containing gluten your dish contains.  You also need to make sure you remember to include drinks where appropriate, for example, wine served by the glass or in a carafe, beer on draft, cocktails and any other drinks where customers will not otherwise have access to allergen information.

For the kitchen, a Recipe Sheet may be helpful.  This provides a summary of which allergen is in which recipe.  This may accompany detailed recipes to ensure everybody makes the dish in exactly the same way using the same ingredients.

The Think Allergy Cards were produced as an aid for consumers, however, could be useful to your business as a means of communicating information about customers that have an allergy.

Information about allergens can be provided orally and if you choose to do that, you need to have a sign that clearly informs customers how they can access information about allergens in dishes.  The Allergen Signage gives an example of how this can be provided.

A summary sheet detailing Changes to the Allergen Rules could be a useful staff training aid, or for passing to food suppliers so that they are fully aware of the new obligations you are subject to.

The Think Allergy Posters could be a useful staff training aid and show all 14 allergens.

The CookSafe Allergen Management record sheets have been available for some time, however, this offers a great opportunity to review your controls and house rules, and make sure your sheets are up to date.

The FSA also have Online Allergy Training which is a useful source of basic information for staff.

Other resources are available from lots of websites.  Allergy Action provides training accredited by REHIS which can be provided by Tkm, and other resources including some really useful translations of key terms in a number of languages.  Remember – the Regulations only require you to provide the information on your menus in English, however, it may be helpful to have information in other languages when dealing with customers that have a first language other than English.

There are also a number of commercial solutions on the market.  If you are interested in this type of solution for your business, some information is available from http://www.cateringatyourconvenience.eu/home.htm who is working with EGS to produce systems to support food businesses.

New Allergen Regulations for Caterers: Are you Ready?

Just under 2 weeks to go until the new regulations relating to allergens (the EU Food Information for Consumers Regulations) come into force, which is on 13 December 2014. 

In the UK, there are typically between 7 – 10 deaths each year and thousands of hospitalisations that are directly related to food allergies, and there can be no doubt that these Regulations should help inform and protect the consumer.

If you are a food business operator* that provides food to the final consumer, you need to act now.  The Regulations cover very small businesses, such as one bedroom bed and breakfasts, through to mass caterers and large corporate chains.  Getting it wrong can result in a fine of up to £5k, although this maximum is going to be removed, and don’t forget you may also face prosecution under the Food Safety Act 1990.

This blog predominantly focusses on new obligations for caterers offering non pre-packed food.  For other types of food business and food types, see the links below.

The key requirements are:

  •  Food information must be available and easily accessible for all foods;
  • You need to clearly identify each of the 14 allergens listed at Annex II if they are in your food products. This is for ingredients purposely added to food. Allergens that have not been purposely added but may be present are dealt with below;
  • You must use the word “contains” and the term in Annex II and although you can use pictograms or symbols, these must be in addition to the words;
  • The information can be provided verbally, however, we must provide a sign to tell customers how to obtain information and the information must be accurate, consistent and verifiable.

So what actions do you need to take?   These will depend upon the nature of your business and the type of food offered although most businesses will need to think about the following:

  1.  Exactly what ingredients are in your non pre-packed food products. (Don’t forget drinks.) Contact suppliers to confirm ingredients and ask chefs to write down ingredients in recipes, including brand information. If you have specials boards or changing menus, you need to think about a workable procedure for recording and communicating which allergens are in each menu item.
  2. Identify which of the allergens listed in the Regulations are in the products you are offering. Don’t forget about derivatives which may not be as obvious.
  3. Compliance is going to rely on good communication from the point of purchase to consumption. To achieve this you will need to consider:
    • Whether all your procedures are accurately documented. Are your HACCP plans (CookSafe or Safer Food Better Business) up to date?
    • How are you going to record what goes into dishes?
    • How are you going to communicate ingredients to staff?
    • How are you going to communicate allergen information to customers?
    • What allergen information are staff going to be expected to communicate to customers and how are they going to do this? It may be worthwhile to think about the possible queries staff may get to ensure they are included in their training.
    • Staff training at all stages of food production is going to be absolutely fundamental to getting compliance right. The Food Standards Agency has some free packages available, and training is also available from Allergy Action together with other useful information to help with compliance.
  4. Think about changes to the food products you offer, which happen all the time. How are you going to make sure your allergen information stays up to date and is accurately communicated to the consumer? You are likely to require regular reviews, particularly of bought in products.
  5. Finally remember that people can be allergic to any food product. You need procedures to ensure the necessary information is passed from the customer to those preparing the food.

Foodstuffs that may be contained in dishes but are not purposely added are not subject to the same requirements but are mentioned by the Regulations under Voluntary Information.  Many of the allergens in the Regulations may potentially be in the working environment and therefore in dishes.  Nuts and gluten are often present in dust, and crustacean, fish and other proteins can be in steam.  We also need to take care with more direct cross contamination such as using deep fat fryers for both preparing products that do not contain gluten, and gluten-containing dishes such as breaded fish.

It is early days for these Regulations so make sure you keep an eye on developments.  If you are interested in customised training for your business please contact me.  For more details and requirements for other types of food and food businesses, see the Food Standards Agency’s technical guidance.

Presentation – this presentation uses resources and slides made available on-line by the Food Standards Agency (originals available from links above), and from Ray Lorimer, Chair of Institute of Hospitality Scotland and Chef Director of Catering at Your Convenience.

*You are a food business operator if you provide food as part of an undertaking publicly or privately and not necessarily for a profit.  This is not the same as being registered as a business for the purposes of business rates.

Using E-mail for Direct Marketing: Do You Know the Rules?

I was recently attending a training session and a discussion started late in the afternoon about e-mail marketing and making the most of customer lists. There wasn’t much of the day left and after a brief chat, we made a joint decision it would be an ideal first topic for my blog.  So a big thank you to everyone for the inspiration to get started!

Connecting with customers is hugely important for all kinds of organisations.  Most of us receive lots of e-mails every day for a wide range of purposes including marketing as e-mail is quick, easy to use and can be a highly effective promotional tool.

Using e-mail for direct marketing activities is governed in the UK by the Privacy and Electronic Communications Regulations (the Regulations), regulated by the Information Commissioner (ICO).  He is able to impose fines of up to £500,000 for breaching the rules, meaning that getting it wrong can be costly both in monetary terms and irritating your customers.

This blog has some hints and tips on staying compliant although exact practical requirements for your organisation will depend on your circumstances. Therefore it is essential that you read the ICO’s guidance and contact me for further help if required.

In terms of the legislation, marketing is not just the promotion of goods and services by commercial organisations. It also encompasses the communication of aims and ideals, and covers charities and not-for-profit organisations.

Most organisations are likely to undertake solicited and unsolicited marketing. Solicited marketing is where a customer has specifically requested information such as completing an on-line form to request further details about a particular product.  The Regulations generally don’t apply here although remember there will almost certainly be other data protection obligations that are relevant.

Unsolicited marketing is where you send marketing material to people, who are perhaps on a client list or in a customer database, when they haven’t specifically asked for it. This will be covered by the Regulations and requires those that you are targeting to have given their permission to use their contact details (in this case their e-mail address) for marketing purposes.

The way in which you obtain consent is likely to depend upon how you are interacting with a customer. Best practice is to have what is called an “opt in” box, where customers have to take positive action (in this case, tick the box) to indicate they are consenting to receiving information.  An example of text that could be used alongside a tick box would be:

“Tick this box if you would like to receive information about our goods and services by e-mail.”

The Regulations do not require explicit consent and therefore you can use “implied consent”, meaning it is reasonable from the context to assume people want to receive information.   However, bear in mind that there are new EU regulations on the horizon and implied consent is unlikely to be compliant if they come into force in their current form.  Note that implied consent is not considered to be the same as opting out, discussed below.

The next option is the “soft opt-in”. This is for existing customers in the following circumstances:

  •  Contact details have been obtained during the course of a sale;
  • You are only marketing your own similar products or services; and
  • People are given an opportunity to opt out of marketing both when details were first collected and in every message after that.

Again, it is questionable whether the soft opt in will comply with the proposed regulations once they come into force, therefore you may wish to consider changing your procedures to opt in if you are currently relying on the soft opt in.

The final option is an “opt out” box. An example of text alongside an opt out box would be:

“Tick this box if you do not wish to receive information about our products and services.”

It is generally recommended that this option is only used as part of a soft opt in. Relying solely on an opt out is unlikely to meet your legal obligations as not ticking a box does not necessarily indicate a person is consenting to receiving marketing information.

There are other requirements when using e-mails for marketing purposes. In every communication you must always tell people who you are, provide contact details, and a mechanism for people to unsubscribe from your marketing communications.

Also don’t forget about your other types of marketing, for example, by post, telephone (recorded or live), and fax, all of which are covered to some extent by the Regulations and may require consent.

Note that the Regulations only apply when sending marketing communication to personal e-mails although this includes sole traders and partnerships. To stay compliant, you may wish to consider having one policy for all e-mail marketing that follows best practice for personal e-mails.  This will be particularly important for business to business marketing where organisational structure may be unclear from an e-mail address.

Further Information
As always, you can contact me if you require further consultancy and advice on the practical implementation of data protection requirements.

There may be additional factors that you need to consider in your particular circumstances and a PDF guide is available from the ICO together with a checklist summary.