
Updating your GDPR Privacy Notice

It’s hard to believe that it’s 7 years since the GDPR came into force on 1st May 2018. I’d hazard a guess that many of us haven’t given our privacy notices any thought since then and have just been wheeling them out.

Given that the world is moving at pace, you may need to update your recruitment candidate privacy notice to inform the candidate about any automated shortlisting software that you are using, or indeed that your recruitment agents are using on your behalf. The privacy notice would need to describe the software that you are using and what it does, and highlight to the candidate their right to have a human review the output.

You will recall that your privacy notice lists out the ways in which personal data of an employee might be used. There is also likely to be a section where you describe what third parties might have access to data and the purposes for which they do so. This probably covers things like accountants but you may not have covered off litigation. Clearly if somebody is suing the organisation then an individual’s personal data may be used, for example, in the disclosure documents for that case. This need not necessarily be the data subject themselves bringing the legal action because they could be being used as a comparator, for example, in an equal pay claim, or when showing consistency of treatment, for example in a disciplinary scenario.

Another legal use might be where a TUPE transfer is occurring or the organisation is, for example, undergoing a round of investment or a sale or merger process. Personal data might well be shared at some point with investors, potential buyers etc. At initial stages of such processes, employee spreadsheets for example are normally anonymised so there is nothing to worry about but further down the due diligence process, questions might be asked which would reveal personal data when answered.

Anna Denton-Jones
Refreshing Law


Monitoring exchanges in WhatsApp

Your average employee and their manager are merrily commenting to each other and their colleagues using apps such as WhatsApp, because such applications are an easy way to communicate, saving time compared to picking up the phone to each other, interrupting each other or sending a more formal email. However, to your average employment lawyer and HR professional, it can feel like the lid coming off Pandora’s box.

You are probably all aware of recent examples of harassment where employers have got into trouble because of the content of messages on Apps (Met Police being an example that hit the news). Today I was reading about an example in ‘People Management’ where a misogynistic older male had sent a female colleague nearly 200 messages that were wholly inappropriate for the workplace including memes, jokes that the sender probably would put down as “banter” and so on. In that particular case, the employee was awarded £19,000. It is for good reason that we are all triggered with concerns as we are asked to delve into this area but that is not the focus of this thought piece. I wanted to focus on the extent to which the employer is able to access WhatsApp messages, for example, if they are stored on a company device.

This largely depends on what you have set down in writing to the employee. An employee will have a reasonable expectation of privacy in their working life, which will include their office space which also now includes their “device space”. So, if the employee is having a chat with their friend, for example, or their partner, they are likely to have a legitimate expectation that that conversation is private in just the same way as in the Halford case years ago, where the employer got into trouble for listening to a conversation with a trade union representative on the telephone. This is why we have to draw to an employee’s attention what monitoring takes place, and you will find statements in policies and in contracts managing that employee’s expectation, setting out when, for example, a manager is likely to be reviewing the content of their laptop or their device, such as if they go on holiday or if they are off sick. Just because a non-work related matter is being stored on a work laptop or a work phone or iPad doesn’t mean it loses the quality of privacy in the sense of management of expectations.

You could go further these days and spell out that if employees use things like Facebook or WhatsApp on work equipment, that they should not have any expectation of that communication remaining private. For example, if a manager does have to access the device or after the employee leaves, if they have left those applications open and we then discover something, we are able to use that evidence…

Having said all that, my experience of the Employment Tribunal system is that they do have discretion over admissibility of evidence. Whilst you may have technical legal arguments as to why something has been obtained in an inadmissible way, the Tribunals, as opposed to the Courts in the UK, tend to be much more relaxed and are just interested to see the content of the messages and rule on how they affect the legal questions before them. From an employee perspective, it can be deeply frustrating to feel violated in terms of your privacy rights and then find that arguments along those lines don’t get you terribly far and the Tribunal’s focus remains on the substantive claims you are bringing.

I have also recently seen the first examples of emojis causing significant offence and a harassment and victimisation claim, but in this particular instance it was the crying with laughter emoji that was the issue. This illustrated that the combination of the emoji with the words used alongside it can turn what might be relatively innocuous into something the recipient is able to argue was offensive. Make sure you have updated your policies to include offence being caused by emojis…

Anna Denton-Jones
Refreshing Law

 


Video | Data Protection Processors

Our latest video is available to view on the Refreshing Law YouTube channel — please click here to watch Anna discussing the various issues around data protection in relation to other people who you might be engaging with but who are not your employees. 

Anna Denton-Jones
Refreshing Law


Subject Access Request during an on-going process

It is not uncommon for somebody who is part-way through a process, such as a performance management process, sickness absence management process, redundancy situation or disciplinary process, to put in a subject access request under the Data Protection Act.

If the employee is off sick, or because they’re at a very early stage in the process, they may not even be aware that, for example, a disciplinary investigation has commenced. Or they might not yet be aware of a complaint relating to them that has been received and that you’re looking into. Alternatively, you might be towards the end of the process at the appeal stage and you might receive a subject access request made in an attempt to look for what I call “the smoking gun” they think you have hidden from them in terms of the process so far.

I’ve even heard today of Unions using the SAR as a form of industrial unrest – launching mass employee requests on organisations as part of industrial action.

The first thing to note is that the request under the Data Protection legislation is made in an entirely different relationship with you than the relationship of employee and employer. It is made as a data subject in relation to your position as data controller governed by the rules in the data protection legislation. So, for example, given that you have 30 days under the data protection legislation to access their request and provide them with the data they have asked for, it is entirely possible that your ongoing employment processes will be moving more speedily and, for example, a disciplinary hearing or a meeting might be in the diary well before that 30-day period. There’s nothing in the data protection legislation that requires you to halt your internal employment process or wait until the SAR has been dealt with.

If you have already disclosed the information to somebody for example, as part of an investigation report or in an email notifying them of a complaint against them or as part of a pack given to them for the purposes of an appeal meeting, you have already given them that information so you’re not going to be required to give it to them again as part of the subject access request disclosure – you would just have to cross refer to what you’ve already given them.

The next thing to say about data protection is there is absolutely no substitute in any given situation for tracking through the legislation itself when it comes to determining what you’re required to disclose to the data subject and what you’re allowed to withhold. Making this assessment on the basis of some kind of ‘feel’ is not enough.

There are things you do not have to disclose. This includes:

  • anything relating to negotiations if disclosure would prejudice the negotiations
  • confidential references given by you
  • criminal investigations
  • data processed for the purposes of management planning if disclosure would prejudice the planning (such as telling the subject about a redundancy exercise before the consultation had launched)
  • anything that is protected by confidentiality to a third party or legal professional privilege.

Thus, the list of exemptions is really narrow. It means most things are disclosable, perhaps with some redaction of bits relating to other people. We all need to bear in mind when we prepare documents that the data subject may see them in future, e.g. email accordingly.

In your letter to the data subject, which you will send with their response to the subject access request, you need to include a detailed explanation as to how you have gone about your response to the request and why you have excluded anything.

It is important that you consider the rights of other data subjects when processing requests. If disclosure of the information would identify another individual, you’re not obliged to comply with the request unless the other individual has consented to the disclosure of the information and it is reasonable in all circumstances to comply with the request without the consent of the other person. It is relevant to complaints and investigations – have you informed the complainant that the matter will have to be taken up with the individual? Have you informed those witnesses that have given evidence as part of the process that their evidence is going to be shown to the person that is, for example, accused of misconduct?

Where you haven’t got consent, you will have to think about redaction and omitting names and taking out as much as you can that would identify somebody. The legislation itself requires you to take steps with a view to seeking consent from the other individual and asks us to look at whether there is any express refusal of that consent.

Of course it is entirely possible that the individual might try and make a second access request if the first request has not revealed what they thought they were expecting and s95(3) requires us to consider whether it is a reasonable interval between the requests having regard to the nature of the data, the purpose for which it is being processed and the frequency with which the data is altered. If you’ve complied with the subject access request and given the employee the data they requested, it is highly likely that you’re going to be able to refuse a second request on the basis that nothing has changed.

Anna Denton-Jones
Refreshing Law


Showing the complaint to the employee

You will be familiar with the idea that in a disciplinary process the person who is accused of wrongdoing should hear the case against them or should hear or be told the important parts of the evidence in support of that case so that they are given the opportunity to criticise or dispute that evidence and put forward their own arguments. This comes from a case of Spink -v- Express Foods Limited 1990.  But what about the situation where there is a grievance investigation?

The Acas Code is silent on this issue but focuses instead on the person who has raised the complaint. However, as part of the investigation into the complaints that that person has raised, you will need to interview anyone that they have accused of wrongdoing.  For example, there may be an allegation of bullying and harassment.

One option would be to simply show the person, perhaps the line manager, the grievance letter. This is the most open and transparent position and one would hope that any line manager would behave professionally, see the grievance for what it is, and be prepared to answer those allegations in full. This position accords with the concept of ‘natural justice’ – nothing is being hidden and the accused has full opportunity to have their input to what is being said about them.

However, there may be cases where there is a concern that to take this open position would perhaps inflame or fundamentally damage the working relationship between the person who has raised the grievance and, for example, their line manager. The investigator may feel that a better approach would be to not show the full letter to the person who has been accused but rather to take them through the contents of the letter through a process of questioning so that they still have full opportunity to answer what is being said, but perhaps in doing this they can soften the language a little and take some of the ‘heat’ out of the matter.  If the investigator does go down this route they will need to be skilled in questioning and make sure that they do give the full picture to the person so that they are being fair to everybody.  For example, it wouldn’t be appropriate to just say ‘what happened on 5th August?’ You would need to go further and ask ‘Joe Bloggs has stated that there was an argument between the two of you on 5th August. He has said that your voice was raised and that other people noticed that you were shouting.  Is that true?’

If the complainant’s letter refers to complaints against a number of different people then, again, it may be sensible to separate out the allegations so that you are only interviewing an individual about those matters that are relevant to them.

In any event, if the individual (for example, the line manager) is named in a grievance letter, strictly speaking, under the Data Protection Act, they can make a Subject Access Request requesting to see the contents of the letter.  For that reason, again, the employer may want to choose the most open position.

It could also be damaging, as regards the relationship between the employer and the person who has been accused (such as the line manager), if the employer does not disclose the contents of a grievance letter. The line manager may feel that something is being hidden or that they are not being given a full opportunity to answer the case against them, even though at this stage there is no hint of a disciplinary.

The employer will need to carefully weigh all of these issues before deciding how to proceed.  If you have any questions please do not hesitate to contact us.

Anna Denton-Jones
Refreshing Law