A recent case hit the High Court involving an employee in relation to her conduct which may have involved a criminal offence.   She was arrested but was not charged.  The employer was HMRC but the principles will be of wider applicability.

The High Court was dealing purely with Data Protection implications following claims that HMRC had breached the GDPR and the Data Protection Act 2018 in how they dealt with her case.  

One of the first things the High Court did was acknowledge that HMRC had provided details to all staff about how their personal data was going to be processed in its staff privacy notice that was widely available on the staff intranet that had been provided to the employee along with copies of the relevant conduct and disciplinary procedures.   This shows that your privacy notice is always going to be the starting point. 

You may have drafted your privacy notice including that you would not be processing criminal records data because you don’t ask recruits questions about that.  However, there is always the possibility of somebody coming under investigation whilst working for you in relation to criminal offences committed both inside or outside of work where you will in effect then be processing such data.  You may need to consider amending the wording of your privacy notice to take this into account?  

The High Court agreed that HMRC had a lawful basis for the processing of the criminal offence data (special category data in GDPR jargon) to suspend the employee and commence a disciplinary investigation.  This processing was necessary for the performance of the employee’s employment contract under Article 6(1)(b) of the GDPR and the processing met the requirements of Article 10 as supplemented by Section 10 of the 2018 Data Protection Act because the processing was necessary for the purpose of HMRC exercising rights conferred on it by law (the Employment Contract) and crucially, HMRC had an appropriate policy document in place. 

It was this last ingredient that we suspect would be lacking in lots of organisations. Part 4 of Schedule 1 of the Data Protection Act 2018 contains the requirement to have an appropriate policy document in place, and states that the Data Controller has to produce a document which explains the Controller’s procedure for securing compliance with the principles in Article 5 of the GDPR (the general principles relating to the processing of personal data) and explains the Controller’s policies as regards the retention and erasure of personal data giving an indication of how long such personal data is likely to be retained.  Again, you need to check that your retention polices specifically deal with criminal records data relating to the commission of criminal offences and that your privacy notice or documents issued to staff cover all the principles in Article 5.  For example, security, accuracy, keeping up to date, data minimisation, processing data for specific purposes as well as lawfulness, fairness and transparency.  Some of the documents that we have seen employers giving to staff only cover some of this.

The High Court agreed it was necessary to share the employee’s personal data internally in connection with the investigation.  This will be a relief to anyone with disciplinary proceedings where colleagues may need to be involved discussing it.

They also found that it was lawful to share that data externally with the Police – the Police have a substantial public interest that was the pathway through the legislation and it was necessary for HMRC to be able to exercise functions that were conferred on them by law and to involve the Police.The employee had written a letter requesting information.  The letter was not formally headed “subject access request” and it hadn’t been treated as such but it was found that its substance had triggered the legislation and so the employer was criticised for not responding within the 30 day time limit.  Hence the importance of staff being trained to understand their obligations under data subject access requests was illustrated.

Refreshing Law Limited

10 September 2020