This month the High Court has looked at the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 and their relevance in internal disciplinary proceedings. In Kathryn Hopkins v HMRC, the employee was arrested in connection with various offences, including sexual offences and an offence which took place in a work vehicle. As required by her contract of employment, she told her manager about the arrest. The manager then shared that information with various internal departments, including HR (in relation to pursuing disciplinary proceedings) and the press office (to manage any negative publicity). The employee was suspended pending a disciplinary process for gross misconduct. The employee’s contract of employment included terms involving appropriate behaviour outside of work and conduct which could give rise to queries about honesty and trust.
The employee went off on long term sick leave and refused to open or read correspondence from the employer. She said the internal investigation into the alleged offences was in breach of data protection laws and should stop. The process was briefly halted but continued after the employer sought legal advice saying it could press on. The employee complained to the Information Commissioner’s Office and then brought claims in the High Court for, among other things, data protection breaches by the employer for ‘processing’ the information about her arrest both internally and externally.
The High Court said the employer had a lawful basis for processing the special category data about the employee’s arrest when it suspended her and started disciplinary proceedings. The processing in question was necessary for the performance of her contract of employment and the employer had, as it was required to, an appropriate data protection policy in place to which the employee had access.
This case shows how data protection laws can be relevant in disciplinary proceedings and the sharing of information internally to facilitate that process. It is also a case which exemplifies the lengths to which an employee will go to avoid a disciplinary process. Employers must ensure they follow the rules: an effective compliant data protection policy is vital here. Employers must also ensure they identify a lawful basis for processing (in this case it was necessary for the performance of the employment contract) and maintain appropriate records. But employers should not be cowed by an employee who adopts a scattergun approach to imagined legal breaches in a bid to avoid facing the music.