Complying with the GDPR when undertaking an internal investigation will need careful consideration and planning from the investigation team, in circumstances where getting it wrong could result in fines of up to €20m or 4% of worldwide annual turnover in the preceding financial year (whichever is higher).
The legal basis for processing an employee's personal data
Employment contracts pre-GDPR typically included a widely-drafted clause permitting the employer to access, monitor and review an employee's electronic correspondence (such as email, voice and text messages) that the employee sent and received on company systems. These clauses were intended to allow the employer to process the employee's personal data, on the basis that they had given their consent.
However, the GDPR imposes strict requirements upon data controllers who wish to rely on 'consent' as a legal basis for processing personal data. It must be 'freely given', clearly distinguishable from other matters and in an intelligible and easily accessible form. In short, it should not 'sit' within the employment contract and, to the extent, it does, this cannot be relied upon as the legal basis for the processing of personal data.
Three key questions arise in this context:
- Is seeking express consent outside the scope of the employment contract an option?
- If not, can a company rely upon ''legitimate interests'' as the legal basis to process that employee's personal data without consent?
- How does that sit with the individual's ''right to be informed''?
Consent outside the contract of employment
In theory, employees could give their consent freely, independent of their employment contract, but the guidance from the Information Commissioner's Office is that when there is a significant imbalance of power, such as between employer and employee, it is unlikely that consent will have truly been given freely.
In practical terms, seeking express consent is unlikely to be a viable option as informing the subjects of the investigation may prejudice that investigation and, in any event, is likely to be refused. So, what alternative lawful grounds can be relied upon instead?
Would the need to investigate an employee constitute a ''legitimate interest''?
Although the scope of this legal basis is not always entirely clear, the need to investigate an employee's conduct amid genuine concerns over that employee's performance or suspicions of misconduct or even illegality is likely to constitute a ''legitimate interest'' pursued by the controller. In order to justify this, the following guidance is likely to be of assistance:
- you should have a reasonable suspicion of misconduct which entitles you to identify a legitimate interest;
- that suspicion should be based on specific facts (which must be documented);
- the processing must be necessary to achieve the legitimate interest and there should be no less intrusive investigative measure possible that achieves the same aim (there is a “need to know”);. those legitimate interests can be those of your organisation or the interests of third parties, including commercial interests; and
- the measure that you intend to take must be reasonable based on a balance of the individual's interests, rights and freedoms against those of your organisation.
Where "legitimate interest" is the basis for processing data, the data subject will have a right to object to that processing of their data, but that right is not absolute. Where there are ''compelling reasons'' to override the individual's objection (which would be easier to satisfy in the case of more serious suspected offences), you can continue to process their data for those purposes.
You must in any event inform individuals of their right to object “at the point of first communication” in your privacy notice. For new employees, this will be when they join the company. For others, it may be when you put in place a new privacy notice or provide training. You must also explain at that stage how the individual can obtain further details about any legitimate interests balancing exercise that may be carried out.
What does this mean in practice?
The more rigorous regime introduced by the GDPR should not be a barrier to carrying out necessary internal investigations, but care must be taken. To address the GDPR issues, the company must carry out – and document – an exercise in balancing the legitimate interests of the company against those of the data subject. Internal investigations should avoid 'mission creep' and if the investigation identifies another person whose personal data they may need to process (such as another potential wrongdoer), you will need to carry out (and document) a separate balancing exercise in relation to that person.
The employees conducting the investigation should be properly trained and made aware of their GDPR obligations to ensure compliance with the rules.
The following steps provide a basic checklist for employers to follow:
Before the event:
- provide employees with a privacy notice that explains, amongst other things, the legal basis on which you may be processing their personal data, the purposes for which their personal data may be processed, and the rights they have, such as to object to the processing of their personal data;
- provide employees with details of how, if data is processed on the basis of legitimate interests, they can obtain more information about how the balancing of interests test was conducted;
After the event:
- check whether ''legitimate interest'' is the most appropriate legal basis on which to proceed;
- ensure you understand your responsibility as an employer to protect the individual's interests:
- conduct a legitimate interests assessment and document it to ensure you can justify your actions. This should be kept under review and updated as required throughout the investigation;
- confirm that the processing is necessary and there is no less intrusive way to achieve the same result; and
- conduct a balance test and satisfy yourself that the individual's interests do not override your (or a third party's) legitimate interests;
- only use individuals' data in ways which they could reasonably expect, unless you have a compelling reason;
- do not use individuals' data in ways which they would find intrusive or harmful, unless you have a compelling reason;
- consider any safeguards to reduce the impact where possible, such as restrictions as to who can access the personal data and with whom it may be shared, and security measures to protect against unauthorised access to the personal data;
- if your assessment of legitimate interests has identified a significant privacy impact, consider whether you also need to carry out a more detailed "data protection impact assessment" (see the ICO's guidance for more detail on data protection impact assessments);
- remember that the GDPR and Data Protection Act 2018 impose stricter requirements in respect of processing of particularly sensitive data 'special categories of data'. If the investigation involves processing of, for example, health data or data relating to race or ethnicity then further conditions for processing need to be met.
For information on what your need to do when transferring this data outside of the EEA please read our Insight. A full explanation of the implications of some of the significant changes from the current data protection framework can be found here.