Court rejects 19 of 20 data protection claims against employer

Governance, Procurement & Information Article

16 September, 2020

In the recent case of Kathryn Hopkins v Revenue & Customs Commissioners [2020] EWHC 2355 (QB), the High Court struck out most claims brought by a civil servant against her employer. This article will focus on some of the 20 data protection claims under the General Data Protection Regulation (EU) 2016/679 (GDPR) and Data Protection Act 2018 (DPA 2018), of which 19 were dismissed.

Background

The claimant was a civil servant employed by HMRC. The claim stemmed from the claimant's arrest by Merseyside Police in August 2018. In compliance with her contract of employment, the claimant disclosed the arrest to HMRC. She was suspended on full pay by HMRC pending disciplinary proceedings. More than two years since the arrest, the claimant has not been charged with any offences, but she has not been notified that the police investigation has been closed.

The primary focus of the claim against HMRC related to the processing of the claimant's personal data, including criminal offence data. HMRC did not dispute that the claimant's arrest information was criminal offence data within the meaning of Art. 10 GDPR. Additionally, the claimant alleged breach of contract and of the European Convention on Human Rights; those claims are not covered in this analysis.

The case was heard on the application of HMRC, who sought an order striking out the claim and/or for summary judgment in their favour.

Summary of the court's decision

Of the 20 data protection claims, all but one were dismissed. The claims included, among others:

Merseyside Police was the controller of the information and HMRC was a processor

Dismissed. The Court found that it was plain that HMRC had determined the purposes and means of processing the claimant's personal data and was therefore the controller.

HMRC has no lawful basis for processing the personal data for the purposes of instituting disciplinary proceedings or suspending the claimant

Dismissed. HMRC lawfully investigated the conduct that was alleged to have happened outside the workplace, and the processing met the requirements of (i) Art. 6 GDPR - it was necessary for the performance of the employment contract, to which the claimant was a party, and (ii) Art. 10 GDPR - the processing was necessary for the purpose of HMRC exercising rights conferred on it by law (i.e. the claimant's contract of employment) in connection with the claimant's employment by HMRC, further to provisions in Schedule 1 of the DPA 2018, and HMRC had the required appropriate policy document in place.

Sharing of the claimant's personal data within HMRC (between the claimant's line manager and Internal Governance (IG), Human Resources (HR), Press Office and Permanent Secretaries) was in breach of Art. 5 GDPR

Dismissed. The Court found that it was necessary for the purposes of the disciplinary investigation that the claimant's personal data was shared between HR, IG (whose role it was to undertake the disciplinary investigation) and the claimant's line manager.

The nature of the offences for which the claimant was arrested was such that there was a clear business reason to brief HMRC's press office in order to ensure that if the allegations against the claimant entered the public domain, the press office would be ready to respond. Further, the need for the press office to be briefed was heightened by the press interest in a separate claim brought by the claimant against a different government department.

In circumstances where the claimant chose to write to the Permanent Secretary and Second Permanent Secretary, it was necessary for internal enquiries to be made to respond to the claimant's correspondence.

The contractual requirement for the claimant to provide arrest information, and information ancillary to the arrest, was in breach of GDPR

Dismissed. The Court found that the processing of the claimant's personal data by receiving the arrest information met the requirements of:

  • Art. 6 - it was necessary for the purposes of the contract of employment to which the claimant is a party.
  • Art. 10 - the processing was necessary for the purpose of HMRC exercising rights conferred on it by law (i.e. the claimant's contract of employment) in connection with the claimant's employment by HMRC, further to provisions in Schedule 1 of the DPA 2018, and HMRC had the required appropriate policy document in place.

The Court found that the claimant's reliance on Art. 7 was misplaced. HMRC's processing of the claimant's personal data was not based on consent.

HMRC failed to securely process the claimant's personal data when sending a letter to the claimant notifying her of the investigation

Dismissed. The letter was sent by Recorded Delivery to the claimant's last recorded address, which had the effect of being tracked and signed for on delivery. Before it was sent, the claimant's line manager contacted her to explain how the correspondence would be sent. In line with the disciplinary procedure and policies, HMRC had to send the letter notifying the claimant of the matters which it was investigating. There was no basis for the contention that the use of the Recorded Delivery service to send this letter failed to provide an appropriate level of security, contrary to Art. 32 GDPR.

Certain information where personal data are collected from the data subject had not been provided in response to various requests

Dismissed. Art. 13 provides that information does not need to be provided insofar as the data subject already had the information.

A letter to the defendant requesting the claimant's suspension and the disciplinary investigation 'to be halted' invoked rights under the GDPR, which had not been complied with

Dismissed. The letter was not a notice of objection under Art. 21 GDPR or a request to restrict processing under Art. 18. The claimant did not state that she was making a request in accordance with those Articles and did not specify any of the grounds as a basis on which such rights could be relied on.

HMRC was processing the claimant's personal data for the purposes of disciplinary investigation and was doing so pursuant to Art. 6(1)(b), not Art. 6(1)(e) or (f), which are the relevant bases for the purposes of an objection in accordance with Art. 21.

HMRC had failed to respond to a data subject request within the required time period

Upheld. The Court found that HMRC's response did not appear to have complied with the time limit in Art. 12(3) GDPR.

This case serves as a reminder of the care that must be taken to avoid causes of action brought by aggrieved employees and of the risks of aggrieved employees bringing an extensive list of data protection claims. Having detailed privacy notices in place which identify your legal basis for processing employee personal data, and keeping and maintaining records of processing activity, will greatly assist employers in the event such a claim is made by employees.

For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
