Employment and Immigration Update – HMRC’s processing of employee criminal offence data lawful

The High Court has struck out and summarily dismissed an employee’s claims against her employer, HM Revenue & Customs (HMRC), for breach of the General Data Protection Regulation ((EU) 2016/679) and the Data Protection Act 2018 (DPA 2018).

Hopkins v The Commissioners for her Majesty’s Revenue and Customs [2020] EWHC 2355 (QB)

The Court held that HMRC had processed the claimant’s personal data lawfully in all but one claim brought in the context of ongoing disciplinary proceedings relating to her suspected involvement in a serious sexual offence, for which she was arrested but not charged. Following her arrest and pursuant to provisions in her employment contract, she disclosed the arrest and the offence to her line manager. She was suspended and notified that she would be subject to disciplinary proceedings.

The employee raised numerous causes of action, including breach of the Rehabilitation of Offenders Act 1974, the Health and Safety at Work Act 1974, misfeasance in public office and defamation. This update focuses on the Court’s decision in relation to breach of the GDPR and DPA 2018, which found that:

• neither Article 10 of the GDPR nor section 11(2) of the DPA 2018 create a discrete obligation to “acknowledge” that data is criminal offence data
• HMRC had a lawful basis for the processing of special category (here, criminal offence) data to suspend the employee and to commence the disciplinary investigation. The processing was necessary for the performance of her employment contract (Article 6(1)(b), GDPR) and the processing met the requirements of Article 10, as supplemented by section 10 of the DPA 2018:

1. the processing was necessary for the purpose of HMRC exercising rights conferred on it by law (the employment contract)
2. HMRC had an appropriate policy document in place

• HMRC’s sharing of personal data internally in connection with the investigation was lawful
• HMRC’s sharing of personal data externally, with the Independent Office for Police Conduct, was lawful because processing was necessary for reasons of substantial public interest and necessary in the exercise of a function conferred on HMRC by law
• the employee’s letter of 18 November 2018 to HMRC, requesting that they cease distributing “highly personal information”, was not a subject access request but it was reasonably arguable that the request was for information falling within Article 15(1)(a), (c) and (d) and the time limit by which to respond, had not been met by HMRC
• HMRC provided information detailing how it would process employee personal data in its Staff Privacy Notice, which was widely available on the staff intranet and had been provided to the employee along with copies of HMRC’s conduct and disciplinary policies.

The decision provides a useful insight into the application of the GDPR and DPA 2018 in the context of internal disciplinary proceedings and the sharing of personal data within and outside an organisation. It emphasises the importance of good staff privacy notices and policies, identifying a lawful basis for processing and maintaining records of processing activities.

These articles are from the September 2020 issue of Employment and Immigration Law Update, our monthly newsletter for HR professionals. To download the latest issue, please visit the newsletter section of our website. For further information please contact Liz Stevens or another member of Birketts’ Employment Law Team.