Legal Practice Notes

ARCHIVED : This Practice Note has been archived and is no longer kept up to date; please see Practice Note: Money Laundering Regulations 2017 ( MLRs)— FCA supervision of cryptoasset firms, Annex 1 financial institutions, MSB/ TCSP activities. It explores the risks posed by cryptoassets from the angles of financial crime, money laundering and terrorist financing. It assesses how and why cryptoassets can be vulnerable to, and enable, criminality, and how regulators have addressed these perceived risks. It also reviews criminal matters involving cryptoassets, notably Bitcoin. What are cryptoassets? A key obstacle to grasping non‑traditional currencies and assets is the inconsistent terminology. Regulators, tax authorities and commentators variously speak of digital currencies, virtual currencies, cryptocurrencies, cryptoassets and crypto tokens; and it is often uncertain whether these labels are being used as synonyms or with distinct meanings in mind. For definitions, see Practice Note Web 3.0, digital assets and...

ARCHIVED: This Practice Note is archived and no longer maintained or updated. After the government published its COVID-19 Response: Living with COVID-19, which ultimately removed the remaining domestic coronavirus ( COVID-19) legal restrictions in England from 24 February 2022, the ICO released a brief form of guidance on data protection and COVID-19, replacing the earlier, more specific guidance. See: LNB News 28/03/2022 91. This Practice Note reviews the position under the ICO’s former, more detailed guidance on testing and vaccination, which was withdrawn in full from 28 March 2022. It addresses the issues that emerged in the employment setting and workplace concerning Coronavirus ( COVID-19) testing and vaccination, and verification of COVID status, namely the NHS COVID Pass displaying a person’s relevant vaccination information or test outcomes. For sample policies relating to the...

FORTHCOMING CHANGE: This Practice Note sets out the law as it currently stands, though elements could be affected by the Digital Omnibus proposals released on 19 November 2025 under the European Commission’s ‘simplification’ agenda. For details, see Practice Note: EU Digital Omnibus—tracker. It introduces the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR), and the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR). The UK data protection law collection and the EU data protection law collection compile further core guidance on these regimes and are recommended starting points for research. In brief, data protection law across the EEA (the EU together with Iceland, Norway and Liechtenstein) and the UK aims to ensure that information about living individuals (‘personal data’) is treated fairly and responsibly. To that end, both EEA and UK data protection laws impose...

Practice Note This Practice Note sets out, in pragmatic terms, how to identify and assess sources of funds and wealth under the Money Laundering, Terrorist Financing and Transfer of Funds ( Information on the Payer) Regulations 2017 ( MLR 2017), SI 2017/692, as amended. It offers particulars and suggestions on the kinds of documents and information you may wish to obtain from clients, warning signs to watch for, and the actions to take if you have concerns. The guidance is of general application, with specific direction for firms supervised for anti-money laundering ( AML) purposes by the SRA. If you are not a law firm and/or the SRA is not your AML supervisor, you should verify whether additional or varied requirements apply to your sector and whether your regulatory body imposes any extra, sector-specific obligations regarding sources of funds and wealth. There is no...

What is the Environment Agency? The Environment Agency ( EA) is an executive non-departmental public body, created in 1996 and sponsored by the UK government’s Department for Environment, Food and Rural Affairs ( Defra). It is tasked with protecting and enhancing the environment in England, and held comparable responsibilities in Wales prior to 2013. Alongside the EA, other regulators, such as local authorities, also have powers to enforce environmental legislation. Summary of objectives The EA presents itself as the leading public body for protecting and improving England’s environment, aiming to create better places for people and wildlife while enabling sustainable development. Its corporate report identifies three long-term goals: a nation resilient to climate change healthy air, land and water green growth and a sustainable future These priorities align with central government’s 25 Year Environment Plan 2018, as updated by later Environmental Improvement Plans, and the Environment Act 2021. The EA’s remit...

This Practice Note outlines the principal aspects of Assimilated Regulation ( EU) 2016/679, the UK General Data Protection Regulation ( UK GDPR) and the Data Protection Act 2018 ( DPA 2018), drawing out issues of particular interest to employment lawyers and directing readers to more in‑depth guidance and other supporting materials. It reflects the provisions of the Data ( Use and Access) Act 2025 ( DUAA 2025) that are in force as at 5 February 2026 (see Practice Note: Data ( Use and Access) Act 2025—employment implications). Revised guidance from the Information Commissioner’s Office ( ICO) is still awaited. Assimilated law refers to EU‑derived legislation that continues to apply after the end of 2023. For further detail, see Practice Note: Assimilated law. This Practice Note also cites case law from the Court of Justice of the European Union ( CJEU). For guidance on...

This Practice Note considers the various lawful and specific conditions for processing personal data and special category data in the employment context, under Assimilated Regulation ( EU) 2016/679, UK General Data Protection Regulation ( UK GDPR) and Data Protection Act 2018 ( DPA 2018). It also reflects provisions in the Data ( Use and Access) Act 2025 ( DUAA 2025), effective as at 5 February 2026 (see Practice Note: Data ( Use and Access) Act 2025—employment implications). Updated guidance from the Information Commissioner’s Office ( ICO) is still awaited currently in this area. For broader guidance on workplace data protection matters, see Practice Note: The UK GDPR and DPA 2018: key data protection issues for employment lawyers. Taken together, Assimilated Regulation ( EU) 2016/679, UK GDPR and the DPA 2018 constitute the UK GDPR regime. ‘ Assimilated law’ describes EU-derived...

This material examines the UK GDPR framework, with legislative references to Assimilated Regulation ( EU) 2016/679 and the UK General Data Protection Regulation ( UK GDPR), unless expressly indicated otherwise. It also reflects the Data ( Use and Access) Act 2025 ( DUAA 2025) (see Practice Note: Data ( Use and Access) Act 2025—employment implications). Employers will typically need to process—collect, use and record—information about an individual’s health (health information) in various contexts. Before processing health information relating to a current or prospective employee or worker, the employer must assess whether the processing is lawful under Assimilated Regulation ( EU) 2016/679, UK GDPR and the Data Protection Act 2018 ( DPA 2018). In addition to the issues explored in this Practice Note, the employer should also consider: if the employer intends to obtain a medical report from an...

The Ministry of Justice ( Mo J) guidance for commercial organisations on preventing bribery is centred on six principles. These are not prescriptive; they are intended to be flexible and focused on outcomes. Bribery prevention procedures should be proportionate to the level of risk the organisation faces. Accordingly, the measures adopted to deliver an organisation’s anti-bribery policies ought to be designed to: mitigate identified risks, and prevent deliberate unethical conduct by associated persons Communicating policies and procedures to staff at every level, and providing training on their practical use, is a vital element. This is reinforced by Mo J principle 5 on Communication (including training). This Practice Note outlines ways to train staff and raise awareness of anti-bribery and corruption issues. Top-level commitment A consistent theme in the Mo J guidance is the importance of commitment from the top. Effective leadership in...

In recent years, there has been mounting pressure on the government to introduce further legislation on economic crime to deter criminals from laundering money in the UK. The conflict in Ukraine triggered the Economic Crime ( Transparency and Enforcement) Act 2022 ( EC( TE) A 2022), forming part of the UK government’s response. The government expedited the Bill’s passage through Parliament, with all stages completed in five Parliamentary sitting days. EC( TE) A 2022 is intended to stop the UK property market being used to store, hide or launder criminal proceeds and wealth, to improve transparency over the ultimate owners of properties and assets in the UK, and to make it simpler for enforcement bodies to dispossess owners of unlawfully obtained assets. This is supported by separate provisions that make it easier to designate persons and organisations under sanctions pursuant to the Sanctions and Anti- Money...

This Practice Note is aimed at solicitors, including those working in‑house, and law firms regulated by the SRA. It sets out the information‑sharing provisions (statutory protection for breach of confidentiality) introduced by sections 188 and 189 of the Economic Crime and Corporate Transparency Act 2023 ( ECCTA 2023). The measures enable relevant businesses to share information with each other for the purposes of preventing, investigating and detecting economic crime, and also allow sharing through a third‑party intermediary. For the statutory protection to apply, a number of conditions must be satisfied. Under ECCTA 2023, Schedule 11 defines economic crime and includes: money laundering terrorist financing bribery sanctions evasion tax evasion market abuse fraud Background to the ECCTA 2023 information sharing measures The government recognised that businesses regulated for anti‑money laundering ( AML) purposes wishing to share client...

FORTHCOMING CHANGE: The Crime and Policing Act 2026, which obtained Royal Assent on 29 April 2026, supplants the ‘senior manager’ attribution regime for specified economic crimes set out in the Economic Crime and Corporate Transparency Act 2023 ( ECCTA 2023), disapplying sections 196 to 198 and Schedule 12. Section 250 of the Crime and Policing Act 2026 broadens criminal responsibility to bodies corporate and partnerships where a senior manager, operating within the actual or ostensible scope of their authority, is involved, taking the regime beyond the catalogue of offences in ECCTA 2023 to cover the commission of any offence. It commences on 29 June 2026. This material will be checked and revised as necessary when that provision takes effect. The Economic Crime and Corporate Transparency Act 2023 ( ECCTA 2023) received Royal Assent on 26 October 2023. It is designed to bolster the UK’s...

The Data ( Use and Access) Act 2025 ( DUAA 2025) obtained Royal Assent on 19 June 2025. It revises elements of the UK General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), the Data Protection Act 2018 ( DPA 2018), and the Privacy and Electronic Communications ( EC Directive) Regulations 2003 ( PECR 2003), SI 2003/2426. This Practice Note sets out the compliance consequences for private sector commercial organisations in the UK. DUAA 2025 both clarifies the domestic data protection regime and introduces added flexibility in several areas. If your organisation already follows UK data protection and e Privacy requirements, only limited updates to your compliance procedures should be needed. Which amendments are in force? The table below sets out the implementation timetable: Data subject requests — Yes: clarification of the searches needed for DSAR responses took effect on 19 June 2025 (and is...

This Practice Note outlines how ethics intersect with business and clarifies the aim and substance of a code of ethics. It is designed to assist you in deciding what to include in your own code of ethics, and to set the scene for our Precedents. Ethics and business ethics Ethics are the moral principles that steer our behaviour and judgements, enabling us to recognise what is right or wrong. Though connected, ethics and the law are not equivalent. The law defines the minimum mandatory standard of behaviour, whereas ethics reaches beyond this and expects a higher level of conduct. Business ethics concern the application of ethical values to business activities and functions. This applies both to individual conduct and to organisations as complete entities. Any organisation can choose to operate ethically, taking decisions because they are the right thing to do, rather than...

March 2026 Introduction Hong Kong stands as a leading international financial centre, regularly cited among the easiest places in the world for doing business. Its clear tax regime, established legal framework, solid financial markets, open flow of information, skilled workforce and the government’s enduring capitalist laissez-faire approach have encouraged thousands of multinational companies to set up a presence in the city. By the fourth quarter of 2025, Hong Kong demonstrated resilience, with real GDP for the quarter forecast to grow by 3.8% despite global economic headwinds. Today, the People’s Republic of China ( China) is the world’s second largest economy after the United States and remains one of the fastest-growing major economies. China is progressively shifting from “the world’s factory” towards a substantial consumer and financial market, supported by a more affluent population. Hong Kong’s geographic and cultural closeness to China, combined with its...

Released in June 2013, this guidance was issued by The Chartered Governance Institute ( CGI). It seeks to assist companies in comprehending and handling cyber risk effectively. It outlines the range of cyber risk categories that are relevant to companies and......

This Practice Note sets out the main digital advertising and marketing routes, such as website advertising (banners and tile ads), search engine optimisation ( SEO), social media advertising, email advertising, mobile advertising, streaming advertising, digital out-of-home ( DOOH) and virtual out-of-home ( VOOH), virtual and augmented reality advertising, affiliate marketing, and content and native advertising. It also flags the core regulatory and legislative frameworks, together with the outcomes of non-compliance. Digital, online and social media (together termed ‘digital’) cover a wide and continually expanding range of channels for delivering promotional materials. Each option carries particular benefits and drawbacks when it comes to managing legal risk. Digital technology can aid compliance by permitting closer control of campaigns than traditional media. However, this is a rapidly evolving field, with innovation frequently stretching the limits of current legislation. For fuller guidance on the topics...

Sanctions are designed to exert significant impact on the people, entities and regimes at which they are aimed. Consequently, there is an attendant danger that those designated will try to sidestep their effect. Grasping the risks of becoming entangled in sanctions evasion, and the warning signs and red flags to watch for, should be integral to your screening. You need not act as law enforcement, but, given the strict nature of your liability for any breach, you must stay vigilant. This Practice Note outlines risks and indicators of sanctions evasion, along with sound practices and steps to take if you are concerned. Risks of sanctions evasion Failing to notice an attempt to circumvent sanctions can put you yourself in breach, eg if you end up handling the funds of, or supplying services or other assistance to, an individual who is designated. It could also...

Practice Note This Practice Note acts as a concise signpost to the different authorities able to raid organisations, the legal footing that permits such action, and the breadth of their powers. It also summarises the consequences for not meeting their requirements. Practice Notes For fuller detail on each authority, consult these Practice Notes: Dealing with dawn raids by the police—key information Dealing with dawn raids by the Financial Conduct Authority—key information Dealing with dawn raids by the Serious Fraud Office—key information Dealing with dawn raids by HM Revenue & Customs—key information Dealing with dawn raids by the Competition and Markets Authority—key information Dealing with dawn raids by the Health and Safety Executive—key information Dealing with dawn raids by the Information Commissioner’s Office—key information Investigator Basis of authority, powers and penalties Enter Search Seize documents / materials Ask questions Use reasonable force to enter, where necessary Require the occupier to ensure the premises are left...

Under the UK GDPR, some organisations must designate a person to serve as their data protection officer ( DPO). This Practice Note explains when a DPO must be appointed to meet UK GDPR requirements and weighs the advantages and disadvantages of a voluntary appointment. It also examines who ought to be the organisation’s DPO, the DPO’s functions, and potential conflicts of interest. It should be read alongside: DPO appointment decision tree. For further detail on governance and accountability under the UK GDPR, see Practice Note: The UK General Data Protection Regulation ( UK GDPR)— Accountability and governance. It is grounded in the UK GDPR, guidance from the Information Commissioner’s Office ( ICO) and DPO guidelines released by the Article 29 Data Protection Working Party and later endorsed by the European Data Protection Board ( EDPB) ( EDPB guidance on DPOs). Although the EDPB...