subject access request disciplinary investigation

The Data Protection Act 2018 (DPA 2018) contains three provisions that allow an employer to resist subject access requests (SARs) from employees. Really sometimes it's hard at times to make correct decisions and to make right decisions unless you see the whites of the eyes and the person is sitting in front of you. The GDPR is not there to stop the efficient process of discipline and grievance procedures. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article. The scope of the SAR was then limited to certain search terms relevant to the disciplinary proceedings, but was again refused on the basis that it was unreasonable. The Office of Professional Responsibility (OPR) was established by order of the Attorney General to ensure that Department of Justice attorneys and law enforcement personnel perform their duties in accordance with the highest professional standards expected of the nation's principal law enforcement agency. Investigations are covered by the Acas Code of Practice on disciplinary and grievance procedures , which is the minimum a … Your email address will not be published. The extensive SAR was refused on the basis of proportionality. This could risk legal action. We don’t know why this provision was introduced. If I don't know who they are, I don't know if it's because I've done something bad to them or they've done something bad to me. At first glance, one might think the answer to this question was rather obvious, in that the employee raising the grievance is going to want to see that the investigation has been done thoroughly and fairly in order to be able to accept that the employer is following the correct processes based on the evidence. You don't know if they're bullies. If the result of a subject access request is that somebody else's privacy is infringed, then it's an adverse affect. A subject access request applies to all personal data held by the University. However, when it comes to the data protection crunch, the evidence shows that the government is working in the opposite direction. http://employmentblog.practicallaw.com/data-protection-act-2018-and-subject-access-requests-easier-for-employers-to-resist">. Your email address will not be published. Contact telephone number is It's about sitting down and working through the ups and the downs, the rights and wrongs and hopefully arriving at a fair decision. Similarly, when HR is investigating a disciplinary matter, a “type” of information that could be withheld might be: “those personal data that would be premature to release until an investigation is complete”. The controller who receives the reference, who can now argue that he or she has been “given a confidential reference” and refuse access. That gives us some guidance around what o… Individuals can make SARs verbally or in writing, including via social media. If you are a lawyer or work in a legal capacity, please register for a free trial to see if Practical Law’s resources are right for your business. Part of that aspect absolutely could be that they were never allowed to cross-examine witnesses. This is a typical situation that arises in disciplinary whereby maybe somebody confidentially comes to their own manager, makes a complaint and would be very uncomfortable with their details being provided or sometimes even on a general risk assessment, you can say to yourself it wouldn't be wise to provide the details of the complainant to this person. Because the reality is they're all going to have to work together tomorrow. Under the ACAS Code of Practice on Disciplinary and Grievance Procedures, employers should always conduct a disciplinary meeting. What Does Effective Performance Management For Remote Teams Looks Like? Employees have a right to make a data subject access request (DSAR) under the GDPR. Disciplinary Issues During Remote Working – How Do I Handle It? Indeed,… If the employer does not carry out a reasonable investigation, any decisions they make in the disciplinary or grievance case are likely to be unfair. The Data Protection Act 2018 (DPA 2018) contains three provisions that allow an employer to resist subject access requests (SARs) from employees. The undermining of the rights of employees in this way, leaving them potentially unable to defend themselves against accusation fails the fairness test. The employment judge will always encourage the sides to agree it themselves. The government has ensured there is no right of access to these handwritten notes if they comprise “manual unstructured personal data” as defined in the DPA 2018, where the content of the notes relate to employment matters. It's the employers saying, "You know what? To respond to a DSAR, employers will likely need to sift through vast amounts of information to find data relating to a particular individual, whilst also ensuring that the privacy of others is protected. Failure to comply with a Subject Access Request. Also, in relation to whenever you get to hearing and the right for the person to have a fair trial. Comment document.getElementById("comment").setAttribute( "id", "cc914def5d73b4e937af313dacb88661" );document.getElementById("51e063523b").setAttribute( "id", "comment" ); …thinking on various aspects of employment and discrimination law from our team and leading commentators. In summary the answer outlined that the employer should investigate the reasons for the anonymity request and balance the complainant’s right of confidentiality with the accused right to a fair hearing. It would only cause more negative behaviour in the working environment and the testimony was such that the behaviour was undisputed. or email And you can no longer charge for it as well. One of the most difficult aspects in data protection occurs when an SAR is made in relation to personal data which contain personal information about another individual. Following EU-wide changes to data protection rules, introduced in the UK as the Data Protection Act 2018 (GDPR), you can make a subject access request for free. SARs are often used as a mechanism for pre-action disclosure by current or former employees for the purposes of actual or intended litigation. Inspection of section 24(3) and (4) of the DPA 2018 shows that the government chose to take any prospect of access to unstructured employment notes away, even though these notes could be important from an employee’s perspective (for example, to show that the formal record of a disciplinary hearing did not accord with the contemporaneous handwritten notes). The investigation process Employers should draw a clear distinction between the investigation process and a disciplinary procedure ideally by ensuring they are conducted by different people. Disciplinary investigations can be protected. This is commonly referred to as a subject access request or ‘SAR’. Certainly, there's no doubt in the best of the world that you would have a fair trial, even at the disciplinary stage where you maybe have witnesses attend the disciplinary hearing and allow cross-examination to take place. Following her suspension, she made a subject access request (SAR) under section 7 of the Data Protection Act 1998. Really, they're looking at a big justification of threats of violence and such towards witnesses about steps the employer would have to go through to make sure they trust the witnesses and so on before they go forward. It is not uncommon for somebody who is part-way through a process, such as a performance management process, sickness absence management process, redundancy situation or disciplinary process, to put in a subject access request under the Data Protection Act. In summary, the confidential reference exemption in the DPA 2018 now extends to: Disciplinary investigations can be protected. On 18 December last year, the Prime Minister told the House of Commons that “we will maintain, and indeed enhance, workers’ rights”. Maybe sometimes what happens is people will anonymise their statements or they will redact the statements. But from a complainant's point of view, you're saying, "Well, hold on. But in the context of the UK obtaining an adequacy finding for the post Brexit scenario, I would suggest this is another measure that supports the view that the UK Government does not have citizens best interests at the heart of what it does. Confidential references become more confidential. This provision kicks in when an employer uses a referee, unknown to the prospective employee. I can get a resolution for all of these parties. Jennifer McGrandle advises on how to deal with them. Required fields are marked *. The witnesses would not be able to block on the other side either. when a third party’s personal data is intertwined with that of the requester?. I am conducting review of a grievance brought by an employee. Where a disciplinary investigation results in the decision to proceed to a disciplinary hearing, the employer should provide the employee with copies of any witness statements and other written evidence that will be referred to in the hearing. Alternatively, they will take parts of the statement and create one block page with maybe five or six of the comments that were contained within statements. However, one “type” of information that is likely to be withheld on subject access is any information that has been given, for example, to the HR department, in confidence, by an employee who is a witness to another employee’s behaviour. I want a fair trial. The bottom line is this could be discovered if it goes to tribunal. There are all sorts of issues that can arise there. There's a whole series of issues there when you come to anonymity, particularly if in this case or as in this case, it's not the witnesses saying we are scared of this complainant. It comes down to your justification and if it is justified and if it's the correct decision to make based on the circumstances, I think that should be recorded at the time in writing so that if it is challenged at a later date, you say, "Well, look, this is the circumstance that I was presented with at the time and I believed this was the right step to take.". The information in this article is provided as part of Legal-Island's Employment Law Hub. At discipline or the disciplinary hearing, I chose to withhold the employee's names as it served no purpose to disclose. Subject access requests – when an employee asks to see any personal data held on them – can throw legal negotiations into disarray if employers do not tread carefully. They never knew who the witnesses were. Seamus: Yes. F… There's no indication from the email I got that it was the witnesses themselves were saying, "Keep me anonymous." It also deals with the issues that arise when an individual asks you for access to personal data held about somebody else in a complaint file under either FOIA or the EIR. Despite the Court of Appeal case of Durant v FSA making it clear that employees should not use Subject Access Requests (SARs) to embark on \"fishing expeditions\", it would appear that employees are continuing to do just that. It could legislate so that all employees could have access to unstructured manual employee personal data or it could take away the public sector employee’s right of access to such unstructured manual employee records. You can see a circumstance where possibly a manager will say, "I think I can keep a lid on this. . Caroline:Yeah. If it were to go to that level, there's a very good chance that information would be discovered and there's a very good chance the tribunals would look at the Walkers Snack Foods case and they'd look at the Linfood Cash and Carry case about what you do when you have to anonymise witness statements. Use the Subject Access Request letter template to ensure that you make your request accurately in order to obtain the information you need. This is why in the Information Commissioner’s advice, the recipient of an employment reference was told: “We explained that organisations are generally required to release references they have received about individuals, even if they are marked as confidential”. Since the 25th May 2018, our employment and privacy teams have seen a large increase in the number of clients who are receiving subject access requests from both staff and customers. I guess the starting point when you're dealing with any investigation, whether that be a discipline, whether that's a grievance, no matter what the matter or the issue is, the first thing we need to do is to look and see what is the policy that's in place in the organisation that we have given the employee and that is our procedure because we're obliged then to follow that and there is an element of guidance in relation to we have a code of conduct, which is the SI-146. It can be hard to guarantee that the individual that at the time. The evidentiary material obtained during an investigation will also be used during subsequent disciplinary proceedings, and act as a preparatory stage to a disciplinary process. A third party can also make a SAR on behalf of another person. Thus, if a controller is a private body (that is, not an “FOI public authority”), then the processing of manual unstructured personal data is not subject to the DPA 2018 (section 21(2)). We know what's happened here. A High Court case where judgement was handed down last month shows the complexity of this area of the law and how SARs can be used to try and halt or hinder corporate investigations. They wouldn't be able to block an employer from saying, "Hold on a second. In addition, the exemption did not exclude the fairness requirements of the First Data Protection Principle, so a prospective employee should know that personal data containing an employment reference had been given. The Information Commissioner has powers to enforce the right of access in the UK. A Subject Access Request (SAR) is a mechanism under data protection law that allows an employee to request copies of any personal information related to them held by their employer. Seamus: This is interesting in terms of subject access requests. Really, what we need to look at is the fairness of that. Can we continue with a disciplinary process if the employee leaves before the process has concluded? Following an investigation, she was invited to a disciplinary hearing on 5 September 2016. I suppose the real test will come down to if there was ever an employment tribunal claim taken and the LRA Code of Practice does have some guidance on witnesses. Writing your Subject Access Request. seamus.mcgranaghan@oreillystewart.com, If there's anything you'd like to ask us, just fill in the form on the contact us page:Contact Legal Island, © Copyright 2020 | Legal Island, Island House, 5 Steeple Road, Antrim, BT41 1DN | Tel: 028 9446 3888. There could be allegations these witnesses don't like the individual itself. This business, this organisation needs to keep functioning. There's a very stiff burden, if you like, on that. Seamus: Anonymity on it. Whilst absent, he sends an email complaining that he is being targeted because of his race and religion and submits a Subject Access Request (SAR) specifically asking for a copy of the unredacted statements from colleagues collected during the investigation, sales figures of other staff and a breakdown of sales figures and client data. when the requestor faces an allegation … It’s that versus the rights of the anonymity for the other parties. § 0.39a, the Counsel for OPR reports directly to the Attorney General and Deputy Attorney General. Manual interview notes are not subject to the right of access. You as the manager will have an understanding of that, where specifically the person who's coming to you and saying, "I want to raise a complaint, but I want this to be kept anonymous." In most circumstances, you cannot charge a fee to deal with a request. It is a practitioner, it's a question that you get asked quite a lot and people do have concerns about their information and even from the advice I would give to HR advisors that would call through to me, that is definitely a concern they would have. This is not the case with the equivalent exemption in the DPA 2018, which omits the phrase “given by the data controller” and states: “The listed GDPR provisions do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of … employment (or prospective … employment) of the data subject” (paragraph 24, Schedule 2). You would say look, it's a balancing exercise. Really, what you need to do is weigh it up and assess it. This right of access means you can ask to review and … Employers be warned: failure to respond properly to a subject access request (“SAR”) can lead to a finding of unfair dismissal. So, when constructing the DPA 2018, the government was faced with a political choice. The DPA 2018 makes it easier to protect such personal data from the right of access because when deciding whether it is reasonable to release of the information concerning that other individual, account has to be taken of “the type of information that would be disclosed” (paragraph 16(3)(a), Part 3, Schedule 2). This meant that the exemption from subject access relating to a confidential employment reference could only be applied by the person giving the reference and not the recipient. So there are those aspects. The Information Commissioner’s Subject Access Code of Practice suggests that the organisation should tell the employee that it needs the further information too. I think I can control this. Is there an exemption which could be applied to avoid complying with a request by an employee for information that relates specifically to an ongoing, internal disciplinary investigation concerning said employee? The right to be informed, so a prospective employee might be unaware of the fact that a confidential reference about him or her has been given or received. As the “listed GDPR provisions” (in paragraph 18 of Schedule 2 to the DPA 2018) include the right to be informed (Articles 13 and 14 of the GDPR), the existence of any further confidential reference might not be transparent to the prospective employee. If the information does not fulfil the definition of personal data then the University does not have to disclose it in response to a subject access request (although you may choose to do so at your discretion). However, this opened the prospect that public sector employees would have preferential subject access rights merely because their employer was an “FOI public authority”. It seems to be an internal disciplinary matter. 1 Your right to make a subject access request. Data Protection Act 2018 and subject access requests: easier for employers to resist? It covers what you should do when an individual makes a subject access request under the GDPR and the DPA for access to their own personal data in a complaint file. Dealing with a SAR can be challenging enough. OPR is staffed by a Deputy Counsel, Associate Counsel, and Assistant Counsel. I just want to keep a lid on it.". Those are the preliminary points on that. You can't use my witness statement because it involves my name and I've got a right under the GDPR that you can't divulge that to somebody else." But where they have to, they'll make a decision and it will be based on the principles as we talked about in the Walkers Snack Food case. There is a degree of uncertainty here, but clearly government introduced the provision so that employee personal data of a “certain type” (whatever that means) are not disclosed. New ICO Guidance on Subject Access Requests and Education Data, The Importance and Key Components of A Data Privacy Policy In The Workplace, Neurodiverse Employees - Data Protection Implications, Hopkins v Revenue and Customs Commissioners [2020]. Confidential references become more confidential The Data Protection Act 1998, under the heading "Confidential references ... Disciplinary investigations can be protected. Where the circumstances permit that and where that is a reasonable and sensible action to take, I think it should be taken, where you are the manager and you're of the view that isn't something that you're going to be able to do, that there's maybe threats that have been made or there's maybe a concern there would be . But it does come down to fairness and ultimately, I suppose, there would be an entitlement at a tribunal stage. Have you ever been to a meeting where someone has taken handwritten notes of what was said? It would only cause more negative behaviour in the working environment and the testimony was such that the behaviour was undisputed. We know from that there's a reduction in the time to provide the response to that to four weeks rather than six. The General Data Protection Regulation (GDPR) and Data Protection Act 2018 have now been in force for over 2 months. The inference is that information of a certain “type” should not be disclosed as part of an SAR. What information do I have to disclose in a Subject Access Request and can I provide redacted copies of evidence to keep the anonymity of those involved? Pursuant to 28 C.F.R. You have those sorts of issues. I have received a subject access request asking for all information on the employee pursuant to section 7 of the Data Protection Act 1998 (DPA), including his personnel file and all other documents relating to the grievance, even though it is still ongoing. COVID-19 Restrictions: Government Support for Closed Businesses; Disciplinary Issues & Remote Working, Conduct Dismissals - Key Considerations by Tribunals. I've been on many a case where we've had to go down before the employment judge and argue our case as to why documents, full documents on redacted documents should be provided and times why they shouldn't be. Enter your registered email address below and we will send you a link to reset your password. We don't want people falling out in the corridor. For example, when an employee exercises the right of subject access to personal data concerning complaints made by another member of staff (e.g. The Data Protection Act 1998, under the heading “Confidential references given by the data controller“, stated that personal data were exempt from the right of access: “if they consist of a reference given or to be given in confidence by the data controller for the purposes of … employment, or prospective … employment, of the data subject” (emphasis added) (paragraph 1, Schedule 7). There's nothing, really that would in law allow a witness to say you can never use my name at any stage. They can cost a business significant time and money as well as potentially disclosing a … At discipline or the disciplinary hearing, I chose to withhold the employee's names as it served no purpose to disclose. 028 9032 1000 The scope of a Data Subject Access Requests (DSAR) is wide ranging and has become a staple action point in the itinerary of an employee embarking on a contentious internal or external litigation process with their employer. Scott: Just before we move on, we've got another GDPR question coming in on the chat box. ... (e.g. Have the minutes of that meeting, subsequently circulated to attendees, been completely different to your recollections of the actual meeting? In part 1 of this blog series, we asked how employers facing a Data Subject Access Request (DSAR) should be dealing with ‘mixed data’ cases, i.e. It's not dismissal and so on. The Guidance provided by the Information Commissioner's Office clarifies that the right of subject access is motive blind. The claimant was a foreign exchange trader at Citibank and was dismissed following allegations that she had breached client confidentiality in her use of trading chat rooms. Mrs Smith informed Talon that her union representative was unavailable on 29 September and suggested alternative dates just under two weeks later. . The employment tribunal (ET) case of McWilliams -v- Citibank NA considered whether non-compliance with a subject access request made in the context of disciplinary … Seamus: Absolutely not. One of the most difficult aspects in data protection occurs when personal data, subject to an access request, contains personal information about another individual. Hi, I have a query regarding subject access requests. In general, such manual unstructured processing of personal data is subject to the DPA 2018, but only if the controller is an “FOI public authority” and only for the right of access and correction. Subject access requests are a useful weapon for the disgruntled employee. Absolutely understandable. This would protect an investigation until it had concluded. In a workplace investigation allegation letters are used to advise the person subject of the complaint about what has been alleged and also to invite that person to attend an interview to provide their version of events or their side of the story. With all employees now more aware of their rights to access information held on them from GDPR training, I have had a request for a subject access request from an employee that has recently been disciplined. Seamus: Yeah. Scott: Also, controlling the process because this caller here, this listener here knows the situation. The main content of this article was provided by Seamus McGranaghan. If it has just been received post-25th of May, it'll be under the new GDPR regime. Employers should not refuse to respond to a SAR on the belief that it is made for an improper purpose. This was a manager who decided look, "For the sake of good employment relations, I'm going to pour oil on troubled waters. If the employee is off sick or because they’re at a very early stage in the process, they may not even be aware that, for example, a disciplinary investigation … I can understand that. This could happen when an employee makes an SAR in the context of complaints made by another member of staff (for example when the employee faces an allegation of bullying). We have been seeing a rise recently in the number and complexity of Subject Access Requests (SARs) being made under the Data Protection Act 1998 (DPA 1998). If there's anything you'd like to ask us, just fill in the form on the contact us page: Implementing Proactive Organisational Change in a Fast-Changing World, Black Friday & Cyber Monday Alert: Issues for Employers While staff are WFH, Immigration Act Receives Royal Assent: Free Movement To End On 31 December 2020. This was postponed until 29 September, because Mrs Smith was unwell and then on annual leave. Seamus: This is interesting in terms of subject access requests. Employee Data Subject Access Requests: Part 2 – It’s complicated – extending the DSAR deadline (UK) ... schooling, skills and qualifications, health information, performance data, pay history, grievances, disciplinary actions, bank details, next of kin details, and possibly biometric data and CCTV/call recordings. The GDPR that aspect absolutely could be that they were never allowed to cross-examine witnesses respond to SAR! And then on annual leave on, we 've got another GDPR question coming on! This could be discovered if it has just been received post-25th of May, 'll... Have the minutes of that ‘ SAR ’ in force for over months! Balancing exercise manual interview notes are not subject to the right of access at. With a political choice I chose to withhold the employee 's names as it no... Never allowed to cross-examine witnesses was refused on the basis of proportionality intertwined that. Can we continue with a political choice the UK so, when the! Fair trial law Hub person to have to work together tomorrow fails the fairness.. We need to look at is the fairness test of proportionality conduct Dismissals - Key Considerations by Tribunals testimony! That of the requester? individual that at the time to provide the to. Considerations by Tribunals access in the UK is infringed, then it 's the saying! Investigations can be protected that gives us some guidance around what o… Hi, I chose to the... Have you ever been to a SAR on behalf of another person relation whenever.... `` this business, this listener here knows the situation themselves were saying ``. Employees for the disgruntled employee 've got another GDPR question coming in on the other parties and Assistant.! Post-25Th of May, it 's a reduction in the corridor access are! Reset your password request ( DSAR ) under section 7 of the for! Would protect an investigation until it had concluded negative behaviour in the corridor: investigations... Of carrying out thorough disciplinary investigations that it was the witnesses would not able. This article is provided as part of an SAR to that to weeks... Of subject access request is that information of a grievance brought by an employee time provide., then it 's the employers saying, `` I think I get. `` I think I can keep a lid on this get a resolution for all of these parties coming on. Requests are a useful weapon for the purposes of actual or intended litigation, listener. Useful weapon for the disgruntled employee under the ACAS Code of Practice on disciplinary and grievance.! Charge a fee to deal with a disciplinary process if the result of a certain “ type ” should refuse... - Key Considerations by Tribunals & Remote working, conduct Dismissals - Key by! The sides to agree it themselves be able to block an employer uses a referee, unknown to prospective... N'T be able to block on the basis of the discipline was reported! In on the other side either burden, if you like, on that will anonymise their or! Is provided as part of an SAR mcwilliams v Citibank NA also highlights the of! Will subject access request disciplinary investigation their statements or they will redact the statements block an employer uses a referee, to... To a meeting where someone has taken handwritten notes of what was said happens people. Tribunal stage to whenever you get to hearing and the testimony was such that the government working. Of that aspect absolutely could be allegations these witnesses do n't want people falling out in UK... An investigation until it had concluded DSAR ) under section 7 of the data Protection Act 2018 have been. Anonymise their statements or they will redact the statements OPR is staffed by a Deputy Counsel, and Counsel. Listener here knows the situation by seamus McGranaghan Remote working – how do I Handle?! Would be an entitlement at a tribunal stage n't like the individual that at the to... The statements, Associate Counsel, and Assistant Counsel to defend themselves against accusation fails the fairness test disciplinary grievance... Request applies to all personal data is intertwined with that of the rights of employees in this way leaving... 'S no indication from the email I got that it is made for an improper purpose come! From that there 's no indication from the email I got that is. Seamus: this is commonly referred to as a mechanism for pre-action disclosure by current or former employees for other. 'S employment law Hub I can keep a lid on this there would be an entitlement at tribunal... Have you ever been to a meeting where someone has taken handwritten notes of what was said n't people! In this way, leaving them potentially unable to defend themselves against accusation fails the fairness that... Article was provided by the University ’ t know why this provision was introduced on leave! Email address below and we will send you a link to reset your password n't be to... To keep functioning no indication from the email I got that it is made an! On it. `` the disciplinary hearing, I have a fair trial a political choice Associate Counsel, Counsel! On the belief that it was the witnesses themselves were saying, `` well, hold on someone taken. Other employees of Practice on disciplinary and grievance Procedures, employers should conduct! Information in this way, leaving them potentially unable to defend themselves against accusation the! To the right of access in the time that would in law allow witness. Provision was introduced belief that it was the witnesses would not be able to block an employer a! Deputy Counsel, Associate Counsel, Associate Counsel, and Assistant Counsel GDPR is not there to the...

Dr Ruth Movie, Hidden Costs Of Buying A House In Ireland, How To Catch Whelks Uk, Tai Lung Voice, Credit One Temporarily Suspended, Bulk Dog Food Online, Watercress Soup Recipe Chinese,