Employment investigations: key data protection issues – part one

Insight

03.04.2024

Employee-related investigations almost invariably raise complex issues from an information handling / sharing perspective. In part one of a two part series on data protection in an investigations context, we consider key principles as to how data protection law is applicable. And in part two, the issue of subject access requests, which can create considerable burden and complexity for those managing internal investigations.

Why and how data protection law applies

It may sound obvious, but it is worth stating at the outset that data protection law (ie the UK GDPR and Data Protection Act (DPA) 2018) will inevitably apply to some extent in the context of an employment investigation because it will involve the processing of information about individuals. It may also involve particular categories of more sensitive (or "special category") personal data, eg data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sex life / sexual orientation – in which case additional obligations and requirements apply. (Of course, there may also be information which although not personal data is still confidential or proprietary to the organisation in some way and in respect of which some of the issues discussed here eg data security and confidentiality will also apply).

Key compliance principles and obligations will therefore apply for the employer in managing the investigation, including:

identifying the relevant lawful ground/s for processing personal data in this context (under Article 6 of the UK GDPR) – which may include the performance of the employment contract, compliance with a legal obligation and / or the processing being necessary for the purposes of the legitimate interests pursued by the data controller or a third party. It is also important to remember that where special category data is involved, an additional lawful ground under Article 9 of the UK GDPR / Schedule 1 DPA 2018 will be required. There is a specific provision relating to the performance of obligations and rights under employment law, which may be relevant in this context. Some of these grounds require an “appropriate policy document” to be in place (outlining your data protection compliance measures and retention policies for special category data);
providing transparency to the individuals concerned as to how and why their personal data is being processed. Ideally this will be done in a privacy notice (there may be, for example, wording that refers to investigations in the organisation’s pre-existing staff privacy notice) but thought should be given to (a) drawing that to the attention of the particular individuals involved; and (b) whether any additional / supplementary information relevant to the specifics of the particular investigation may be appropriate (for example, via the terms of reference or equivalent document outlining the scope and process of the investigation); and
ensuring that you only collect, share and more generally process the personal data that is necessary for the specific purpose (data minimisation); that you adopt appropriate technical and organisational measures to protect the information (data security); and that you can demonstrate your compliance with data protection law through your measures, policies etc (accountability).

Some of the above can be achieved through appropriate thought and explanation at the outset – eg putting in place clear terms of reference, systems for secure sharing of data and laying down or reiterating clear expectations / obligations of confidentiality for those involved.

Part of this planning ought also to consider what the arrangements will be at the conclusion of the process: ie what and with whom will information such as an investigation report be shared (and in what format, eg will any redactions or ciphering be necessary?), and how long will information generated during the investigation be retained? Consideration should also be given to setting expectations with regards to potential legal obligations to disclose personal data in the future (such as disclosure obligations in the context of litigation). Ideally these issues will be considered and addressed at the outset to ensure there is clarity on all sides and less likelihood of complaints, requests etc further down the line. Even if not formally required by the threshold in the UK GDPR it is worth considering whether a Data Protection Impact Assessment might be a helpful tool to document these considerations and outcomes (consistent with the "accountability" principle referred to above).

Role of the investigator

Particular issues arise when an external investigator is engaged in the process, because they are likely to be an independent data controller. So while they will have their own data protection compliance obligations (and part of any due diligence exercise in choosing an external investigator should involve scrutiny of their compliance in this area), as a starting point they will not be subject (in the way an employee or other representative will be) to the employer’s policies and procedures and confidentiality obligations within a pre-existing employment or other contract.

As a result, the letter / terms of engagement of the investigator should address data protection issues, and ensure there are clear expectations / requirements around confidentiality, data security and retention / deletion of data at the end of the process. The terms of engagement should record the basis on which personal data will lawfully be shared with the investigator.

More broadly, and looking ahead to our next article, particular complexities can arise in this context when individuals seek to exercise their data protection rights during or in parallel with the investigation process – perhaps most significantly, the right of subject access.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.