Clients often ask us: why should I have employee Privacy Notices in place? Since 25 May 2018 the Data Protection legislation has changed in the UK. The changes expand current legislation governing how you as the employer collect, hold and process employees’ personal data.
The EAT recently published its findings on a claim by an employee of HMRC for breach of the Data Protection Act 2018, which the EAT dismissed and did not uphold for several reasons.
Background
The claim stemmed from the claimant’s arrest by Merseyside Police in August 2018. In compliance with her contract of employment, the employee disclosed the arrest to HMRC. The employee was suspended pending a disciplinary process for gross misconduct. The employee’s contract of employment included terms involving appropriate behaviour outside of work and conduct which could give rise to queries about honesty and trust.
The employee went off on long-term sick leave and refused to open or read correspondence from the employer. She said the internal investigation into the alleged offences was in breach of data protection laws and should stop. The process was briefly halted but continued after the employer sought legal advice saying it could press on. The employee complained to the Information Commissioner’s Office and then brought claims in the High Court for, among other things, data protection breaches by the employer for ‘processing’ the information about her arrest both internally and externally.
Some of the High Court Findings
The employee claimed Merseyside Police was the controller of the information and HMRC was a processor. The Court found that it was plain that HMRC had determined the purposes and means of processing the claimant’s personal data and was therefore the controller.
She claimed HMRC had no lawful basis for processing the personal data for the purposes of instituting disciplinary proceedings or suspending the claimant. However, it was found that HMRC lawfully investigated the conduct that was alleged to have happened outside the workplace, and the processing met the requirements of GDPR legislation as it was necessary for the performance of the employment contract, to which the employee was a party, and HMRC had the required appropriate policy document in place.
The Court found that it was necessary for the purposes of the disciplinary investigation that the employee’s personal data was shared between HR, the investigator of the disciplinary and the employee’s line manager.
There was a clear business reason to brief HMRC’s press office in order to ensure that if the allegations against the employee entered the public domain, the press office would be ready to respond. Furthermore, the need for the press office to be briefed was heightened by the press interest in a separate claim brought by the employee against a different government department.
Conclusion
This case shows how data protection laws can be relevant in disciplinary proceedings and the sharing of information internally to facilitate that process. It is also a case which exemplifies the lengths to which an employee will go to avoid a disciplinary process. Employers must ensure they follow the rules: an effective, compliant data protection policy is vital here. Employers must also ensure they identify a lawful basis for processing (in this case it was necessary for the performance of the employment contract) and maintain appropriate records. But employers should not be cowed by an employee who adopts a scattergun approach to imagined legal breaches in a bid to avoid facing the music.
Having detailed privacy notices and 2020-compliant contracts of employment in place, which identify your legal basis for processing employee personal data, and keeping maintained records of processing activity will greatly assist you in the event that such a breach of Processing Personal Data claim is made by employees.
We have developed a Privacy Notice which sets out your employees’ rights and your obligations to ensure that you comply with data protection legislation when processing their personal data. It specifies how you share data and with whom, and how you protect employees’ data from being inappropriately disclosed. You can call us on 01706 565 332 or email info@metishr.co.uk.