Employer’s Processing of Employee’s Criminal Offence Data Deemed Lawful under GDPR *
https://www.arthurcox.com/wp-content/uploads/2020/11/Hopkins-v-HMRC-3-Nov-2020.pdfIn this briefing the Employment Group consider a recent decision of the English High Court in which the employee unsuccessfully challenged her employer’s processing of her criminal offence data.
Click here to view this briefing in PDF format
Background
The claimant is an employee of Her Majesty’s Revenue and Customs (“HMRC”). In 2018, she was arrested on suspicion of having carried out four serious offences including a sexual offence. The claimant disclosed her arrest to her line manager as required by her employment contract. Her line manager passed this information to internal governance, HR and the HMRC Press Office so they could advise on the issue and process. The claimant was suspended on full pay pending a disciplinary investigation. She was never charged with the offences and at the time of the hearing in 2020, had not been presented with any disciplinary charges but remained suspended on full pay.
The claimant brought numerous claims against HMRC. This briefing focuses on the Court’s decision in relation to breach of the GDPR and Data Protection Act 2018 (“DPA”), the equivalent to the Irish Data Protection Act 2018.
The claimant raised a grievance and submitted a complaint to the Information Commissioner’s Office (“ICO”) that the HMRC investigation was unfair, unlawful and in breach of the GDPR. Although the ICO rejected her complaint, she brought proceedings in the High Court alleging among other claims that HMRC was in breach of the GDPR and the DPA as she alleged it had unlawfully processed details of the criminal allegations against her when suspending her and subjecting her to disciplinary proceedings. HMRC asked the High Court to strike out the claim as having no reasonable prospect of success. The High Court looked at the test for the lawful processing of the data and the obligation to have an “appropriate policy document” in place.
Finding
The High Court found in favour of HMRC. In reaching this conclusion, the High Court examined the provisions regarding the lawful processing of criminal convictions data. It held that, in order to process such data lawfully, employers must fulfil the following conditions:
- Fall within one of the six lawful grounds for processing personal data in Article 6 of the GDPR. The Court described this as passing through one of the Article 6 gateways:
HMRC had a lawful ground for processing under Article 6; the processing was necessary for the performance of the claimant’s employment contract. Therefore, HMRC passed the “Article 6 Gateway”. - Meet one of the conditions in parts 1, 2 or 3 of Schedule 1 of the DPA:
HMRC met one of the conditions in Part 1 of Schedule 1 of the DPA, specifically that the processing is necessary for the purposes of exercising rights conferred by law in connection with employment. The Court held that the rights conferred by law were conferred by the claimant’s employment contract. - In certain cases, have in place an “appropriate policy document”:
When seeking to rely on this condition, the data controller must have an appropriate policy document in place which explains the controller’s:
– procedures for securing compliance with GDPR data protection principles (in relation to the processing of criminal convictions data in this case); and
– policy regarding retention and erasure of that personal data, giving an indication of how long it is likely to be retained.
HMRC had in place a staff privacy notice which was provided to all employees. This document stated that HMRC would use information about criminal allegations and set out the legal grounds on which it would process such personal data. In the examples provided, the notice stated that data would be used for grievances, disciplinary issues and for decision-making purposes regarding continued employment. The Court did not go into detail about the specific content required in an appropriate policy document, however, it accepted that the privacy notice was sufficient in this case.
Conclusion
More than two years after she was arrested, the claimant has not been charged with any offences (nor has she been notified that the police investigation is closed). It is important to note that under the DPA, “criminal convictions data” includes personal data relating to the alleged commission of offences, not just convictions, so employers should take particular care with any information about criminal matters involving their employees.
Although not mentioned in this case, the DPA requires that “additional safeguards” are also followed when relying on some conditions (in particular, where necessary for the purposes of exercising rights conferred by law in connection with employment). This means that employers must retain the appropriate policy document, review and update it from time to time. Also, the employer must maintain a record of processing which specifies:
- the legal ground for processing;
- the condition relied upon; and
- whether the personal data is retained and erased in accordance with the appropriate policy document.
Similar provisions also apply under the Irish Data Protection Act 2018.
Although a decision of the English High Court, this decision is nonetheless also of importance to Irish employers. It serves as an apt reminder that having in place good employee privacy notices, policies and processes are an important factor in defending GDPR and claims under the Irish Data Protection Act 2018. We advise all employers to consider carrying out an internal audit of their data protection compliance periodically to ensure it is fit for purpose.
* Kathryn Hopkins v The Commissioners for Her Majesty’s Revenue and Customs [2020] EWHC 2355 (QB)