VR Advocates - What the Supreme Court decision on the 2013 NSSF Act means for Employers

The 2013 National Social Security Fund Act was ruled illegal by the Employment and Labour Relations Court in 2022. The Court of Appeal overturned this ruling in 2023 after concluding that the Labour Court lacked authority to consider the initial case. The 2013 NSSF Act’s implementation got underway in February 2023 as a result of the 2023 ruling.

An appeal was filed against the 2023 ruling with the Kenyan Supreme Court. The Court of Appeal’s decision was overturned by the Supreme Court on February 21, 2024.

Conclusions of the Supreme Court:

Following its findings, the Supreme Court granted the appeal.

Because the main point of contention in the case concerned the legality of a pension statute that directly affected the employer-employee relationship, the Labour Court was qualified to consider the matter.

Any law that deals with or has an impact on labour relations or employment may be challenged constitutionally by the Labour Court.

Where the Court of Appeal finds that a trial court lacked the authority to hear a case, the matter must be sent back to a court with jurisdiction. Once it is shown that a decision rendered by a court lacking authority is a nullity, the Court of Appeal has nothing further to examine.

Consequences of the Supreme Court’s ruling

Due to the Supreme Court’s allowance of the appeal, the Labour Court’s 2022 ruling rejecting the 2013 NSSF Act is still in effect. Our analysis of the 2022 ruling is available for reading here.

Due to legal issues that influenced the 2023 ruling, the Supreme Court requested that the Court of Appeal expeditiously consider the appeal based on its true merits.

As of now, the 2013 NSSF Act remains unconstitutional. No contributions or deductions may be made under the Act since it is void. This might change if the 2022 ruling is overturned.

As a result, NSSF contributions and deductions have returned to their pre-2023 levels. Under the 1965 NSSF Act, contributions and deductions must be made.

NSSF Guidelines

Employers were instructed by NSSF to continue contributing in compliance with the 2013 NSSF Act by a notice dated February 22, 2024. In the opinion of NSSF, the Supreme Court upheld the orders issued by the Court of Appeal on February 3, 2023.

We disagree with this reading of the ruling by the Supreme Court. Any impacted employer may ask the courts for protection against arbitrary enforcement actions, clarification, and an assessment of the legitimacy and constitutionality of the NSSF directive.

In summary

Employers are required to make deductions and submit NSSF contributions at the prior rates outlined in the 1965 NSSF Act. Since NSSF believes the 2013 NSSF Act is still in effect, we anticipate that NSSF will make compliance with this challenging.

1. Inventory your data

“How could you possibly understand the extent of the problem if you don’t know what information you have in the first place?” Andrew asks.

2. Develop an incident response plan

It could be a hacker that shuts down your computers or a disgruntled employee selling information to your competitors (fun fact: 22 per cent of breaches come from within a company), but if it happens—you need to know what to do, and quickly.

Contain

“You need to shut off the tap,” says Andrew.

That might mean reaching out to forensic experts or a systemwide reset, but your first job is stopping the flow of any more classified information.

Mitigate

The mitigation phase is where you’ll look at how you can reduce the harm to those who have been affected by the breach. For instance, if the breach involved a leak of financial information, it might mean offering free credit monitoring for a year or two.

Notify

In Canada, you’re required to report privacy breaches or data security incidents that cross a certain threshold—what is known in the legal world as real risk of significant harm. IT professionals, lawyers, and privacy regulators (find details at the Office of the Privacy Commissioner of Canada) can help you determine what that threshold is.

Canada’s privacy law (the Personal Information Protection and Electronic Documents Act, or PIPEDA) specifies that a breach report should be made as soon as feasible, as in—as soon as you get a grip on what happened. You can and should update your reporting as more details come in.

Andrew points to the case of Ashley Madison, a Canadian dating site for those who are married or coupled. It faced a significant security breach in 2015, with user data released to the public by hackers, causing significant harm to individuals, families and reputation. The Office of the Privacy Commissioner of Canada did a thorough investigation and its report, Andrew says, serves as an example of what is expected in terms of protecting privacy and data security.

3. Practice your incident response plan

Your incident response plan should not be a document that sits in a drawer and collects dust. Practice it, update it, and know it well, so you’re ready to put it into action as soon as you need to.

4. Protect the data you’re entrusted with

If you’re a board member, you may be privy to confidential company information. Andrew suggests seeking resources that provide guidance for boards, such as Canadian Securities Administrators (CSA), the Investment Industry Regulatory Organization of Canada (IIROC) and the Office of the Superintendent of Financial Institutions (OSFI).

5. Understand the threats

Ransomware is software that essentially holds your data hostage until you pay a sum to retrieve it. Still, there’s no guarantee paying that sum will get your data back.

The best thing you can do is to have a data backup and a disaster recovery system ready so you can bring your data back immediately. With ransomware attacks expected to increase by 100 per cent in 2022, it’s important to know how to react should one happen.

6. Train staff

Andrew tells of an email he received from a regular client that read, “Here’s the report you asked for.” He hadn’t requested a report, so he responded to see if the email was legit. The client assured him it was. Andrew then forwarded the email to his company’s IT department and confirmed it was spam. Threats are becoming increasingly sophisticated. Andrew recommends training staff on how to identify threats, using different passwords for different applications, and picking up the phone if there’s uncertainty over an email. Two-factor authentication can weed out threats like the one Andrew experienced.

1 Comment
October 3, 2023

The best law firm in NYC! They explain everything to you and they are very generous and helpful. The lawyers are excellent and very respectful. I highly recommend the Avvocato law firm.
