16 September, 2020
In the recent case of Kathryn Hopkins v Revenue & Customs Commissioners  EWHC 2355 (QB), the High Court struck out most claims brought by a civil servant against her employer. This article will focus on some of the 20 data protection claims under the General Data Protection Regulation (EU) 2016/679 (GDPR) and Data Protection Act 2018 (DPA 2018), of which 19 were dismissed.
The claimant was a civil servant employed by HMRC. The claim stemmed from the claimant's arrest by Merseyside Police in August 2018. In compliance with her contract of employment, the claimant disclosed the arrest to HMRC. She was suspended on full pay by HMRC pending disciplinary proceedings. More than two years since the arrest, the position remains that the claimant has not been charged with any offences, but the claimant had not been notified that the police investigation was closed.
The primary focus of the claim against HMRC related to the processing of the claimant's personal data, including criminal offence data. HMRC did not dispute that the claimant's arrest information was criminal offence data within the meaning of Art. 10 GDPR. Additionally, the claimant alleged breach of contract and European Convention on Human Rights, which are not covered in this analysis.
The case was heard on the application of HMRC, who sought an order striking out the claim and/or for summary judgment in their favour.
Of the 20 data protection claims, all but one were dismissed. Among others, these include:
Dismissed. The Court found that it was plain that HMRC had determined the purposes and means of processing the claimant's personal data and was therefore the controller.
Dismissed. HMRC lawfully investigated the conduct that was alleged to have happened outside the workplace and the processing met the requirements of (i) Art. 6 GDPR - it was necessary for the performance of the employment contract, to which the claimant was a party, and (ii) Art. 10 GDPR - the processing was necessary for the purpose of HMRC exercising rights conferred on it by law (i.e. the claimant's contract of employment) in connection with the claimant's employment by HMRC further to provisions in Schedule 1 of the DPA 2018 and HMRC had the required appropriate policy document in place.
Dismissed. The Court found that it was necessary for the purposes of the disciplinary investigation that the claimant's personal data was shared between HR, IG (whose role it was to undertake the disciplinary investigation) and the claimant's line manager.
The nature of the offences for which the claimant was arrested was such that there was a clear business reason to brief HMRC's press office in order to ensure that if the allegations against the claimant entered the public domain, the press office would be ready to respond. Further, the need for the press office to be briefed was heightened by the press interest in a separate claim brought by the claimant against a different government department.
In circumstances where the Claimant chose to write to the Permanent Secretary and Second Permanent Secretary, it was necessary for internal enquiries to be made to respond to the Claimant's correspondence.
Dismissed. The Court found that the processing of the claimant's personal data by receiving the arrest information met the requirements of:
The Court found that the claimant's reliance on Art. 7 was misplaced. HMRC's processing of the Claimant's personal data was not based on consent.
Dismissed. The letter was sent by Recorded Delivery to the Claimant's last recorded address, which had the effect of being tracked and signed for on delivery. Before it was sent, the claimant's line manager contacted her to explain how the correspondence would be sent. In line with the disciplinary procedure and policies, HMRC had to send the letter notifying the claimant of the matters which it was investigating. No basis for contention that the use of Recorded Delivery service to send this letter failed to provide an appropriate level of security, contrary to Art. 32 GDPR.
Dismissed. Art. 13 provides that information does not need to be provided insofar as the data subject already had the information.
Dismissed. The letter was not a notice of objection - Art. 21 GDPR, or a request to restrict processing - Art. 18. The claimant did not state that she was making a request in accordance with those Articles and did not specify any of the grounds as a basis on which such rights could be relied on.
HMRC was processing the claimant's personal data for the purposes of disciplinary investigation and was doing so pursuant to Art. 6(1)(b), not Art. 6(1)(e) or (f), which are the relevant bases for the purposes of an objection in accordance with Art. 21.
Upheld. The Court found that HMRC's response did not appear to have complied with the time limit in Art. 12(3) GDPR.
This case serves as a reminder of the care that must be taken to avoid causes of action brought by aggrieved employees and of the risks of aggrieved employees bringing an extensive list of data protection claims. Having detailed privacy notices in place which identify your legal basis for processing employee personal data and keeping and maintained records of processing activity will greatly assist employers in the event such a claim is made by employees.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.