Employment investigations: key data protection issues – part two

Subject access requests

Having considered the broad principles of data protection law as it applies to employee investigations in part one, this follow-up article focuses on a specific area – namely dealing with subject access (and other information rights) requests during the course of, or following, an investigation.

This reflects the fact that subject access requests (SARs) in particular are increasingly common in this context, perhaps indicative of the fact that individuals are more aware of their data protection rights generally and also that submitting a SAR is an ‘easy’ option: there is no fee to do so and the regime provides a broad right for individuals to obtain information about themselves from an organisation.

Perhaps most commonly we see SARs being submitted once an investigation is underway or complete, because individuals are unhappy with some element of the process or outcome and as part of this they want to obtain further or different information to what they may have received under the process itself.

Some of the key issues that arise, and some practical considerations for managing SARs, are considered below.

Clarity over the different processes and managing expectations

As a starting point, it is important to remember (and potentially explain to the requester) that the subject access right is a standalone right that has its own rules, timeframe etc, separate from the investigation itself. In particular:

• on timing, the data controller ordinarily has one month to respond to a SAR but that can be extended by two further months in the case of complex or multiple requests (eg if the SAR comes alongside another data protection rights request or if it involves sensitive issues of third-party data). Note that this timeframe may be different to that of the investigation; and

• on entitlement, the right under subject access is to the requester’s personal data only (along with supplementary information about how the organisation processes personal data which should be contained in the relevant privacy notice). It is not a right to copies of documents (noting that some, but not all, information within a document or email may be a requester’s personal data) nor does it create an obligation on the data controller to create new information to respond to a SAR. It is also the case that the subject access right is subject to certain provisions and exemptions under data protection law, including in respect of third-party data, which may mean information can or should be withheld or redacted under a SAR.

The point remains, however, and indeed is reinforced in specific guidance for employers from the ICO, that a SAR cannot be refused simply on the basis of there being a parallel process (eg a grievance, tribunal claim or indeed an investigation) under which an employee may receive certain information. What may be the case is that clarification of the scope of the request is worth seeking (perhaps with reference to the fact that some of the relevant material may already have been provided in fuller form under the investigation) – and the ICO is also clear that this is an appropriate thing to do if you process a large amount of information about an individual.

Navigating third-party data issues

Space does not permit consideration of all the exemptions to disclosure that apply under a SAR (see the relevant ICO guidance here for more information) but one of the key issues that arises in an employment context is what to do where documents contain the data of other individuals as well as the requester. As a straightforward point, it is always worth remembering that where the data relates entirely to another person, that is not the requester’s personal data and is therefore outside the scope of subject access.

The trickier issue arises where the data relates both to the requester and to someone else. This constitutes ‘mixed data’ and under the Data Protection Act 2018 you do not have to disclose the information unless the third party consents to the disclosure or it is reasonable to disclose without that person’s consent. In assessing this the data controller must consider all the relevant circumstances, including:

• the type of information that would be disclosed;

• any duty of confidentiality owed to the other individual (see below for further consideration of this in the context of witness statements);

• any steps taken to seek the other person’s consent, and whether they are capable of giving consent; and

• any express refusal of consent by the other person.

To take a specific example, a witness statement is inherently mixed data because although it is primarily about the witness, it also identifies and relates to the other people mentioned within it (which may include the requester). It is also often not possible to provide the relevant extracts of the statement, even with redactions or ciphers, in a way that does not identify the witness themselves and/or others. The data controller will therefore need to apply the above considerations to the specific context in deciding whether to disclose or withhold the witness statement in its entirety. A key consideration will be any expectations of confidentiality of the third party (linked to any express refusal of consent and/or a decision about whether it is appropriate to seek consent in the circumstances). The ICO’s guidance also states that in a work context, factors such as a person’s seniority and role are relevant. So as a general position it will more likely be reasonable to disclose the data of a more senior employee / decision maker than it would be of a more junior employee.

Other requests

Finally, it is worth noting that data subjects have other rights apart from SARs. Perhaps the most relevant of these are the right of erasure (sometimes known as the ‘right to be forgotten’) and the right of rectification.

The ICO has published detailed guidance on both types of requests, but for the purposes of this article we would note that these rights are not absolute – they are subject to exemptions (or conditions which the requester must satisfy) which may mean there is a lawful basis to reject the request, particularly where there remains a legitimate need to continue to process the data. Where the information constitutes a disputed opinion it may be a case of recording the requester’s own version of events / contrary opinion on the file, rather than erasing or amending the original material in question.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, May 2024

About the authors

Sam Talbot Rice

Senior Associate

Sam provides practical and focused advice on business-critical areas across the fields of data protection, intellectual property and commercial contracts.
