Investigation reports, Inter company disputes and subject access requests – How do I handle it?

There is a growing occurrence of inter-company disputes and the use of subject access requests to elicit sensitive information. Take the following scenario as an example:

Bravo Limited and Charlie Limited form a business partnership and work closely together. However, they are distinct and separate legal entities.

A complaint of bullying/harassment is made by an employee of Bravo Limited (the “Complainant”) against employee of Charlie Limited (the “Accused Employee”).

1. On foot of the complaint, Charlie Limited conducts a full investigation in line with its own internal employee policies and procedures. They also utilise a third-party investigator to ensure independence given the complaint has been made externally.
2. The outcome of the investigation exonerates the Accused Employee, the outcome of which is communicated to Bravo Limited by Charlie Limited.
3. Bravo Limited is not happy with the outcome and have requested a full disclosure of the report.
4. Charlie Limited refuse to share the report. The Accused Employee also refuses to consent to the release of any part of the report, even in a redacted state, to Bravo Limited.
5. There is now a breakdown in relations between the two companies. Bravo Limited has threatened legal proceedings and has also issued a data subject access request seeking a copy of the investigation report on the basis that it contains personal information of the Complainant, who is an employee of Bravo Limited.

How Do I Handle It?

Several issues need to be considered on foot of this subject access request issued by Bravo Limited but given the commercial relationship, Charlie Limited may wish to consider if there is a mechanism outside the DSAR process that will allow it share their report:

A first principles approach should be taken at the outset of any assessment in relation to data. Key considerations include:

1. What information does data protection law apply to? It applies to all personal data held in electronic form and personal data held in manual form (physical records) where they form part of a relevant filing system.
2. What is personal data? Personal data is any information that relates to an identified or identifiable living individual. This is to be interpreted broadly. The Article 29 Working Party, now known as the European Data Protection Board’s guidance on the concept of personal data provides a three-element test which is set out below. If any one of these elements applies to the information in question, it will be regarded as personal data.
3. What personal data may be contained within an investigation report? Presumably basic personal data but also special category personal data of the Complainant and the Accused Employee.
4. What obligations flow to Charlie Limited as a result of the processing of the Complainant’s personal data? This will depend on the facts of each case. However, at minimum, Articles 13 and 14 of the GDPR require Charlie Limited to provide certain information relating to its data processing activities to the data subject in respect of whom personal data is processed. For example, unless an exemption applies, Charlie Limited is required to provide its Privacy Notice to Bravo Limited’s employee.
5. What is the lawful basis for Charlie Limited processing personal data relating to the Accused Employee and the Complainant for the purpose of undertaking the internal investigation i.e., does Charlie Limited’s policies support the undertaking of the investigation?
6. What does Charlie Limited’s Privacy Notice provide in respect of the disclosure of its employee personal data to third parties i.e., does its Privacy Notice provide for the disclosure of employee personal data with business partners (such as Bravo Limited) and what is the lawful basis relied on to facilitate this data sharing activity i.e., is it legitimate interest? Has a legitimate interest assessment/balancing test been carried out to assess/balance the rights of Bravo Limited’s employee against the rights and freedoms of Bravo Limited?
7. Who can submit a subject access request - i.e., can Bravo Limited or must it be the Complainant?
8. Assuming the subject access request is valid, what personal data is Charlie Limited obligated to provide to Bravo Limited/the Complainant?
9. Can Charlie Limited rely on any exemptions in order to withhold the report under data protection law?

What is the lawful basis for processing personal data relating to the employee for the purpose of undertaking an investigation into the complaint and will it involve the processing of special category personal data or personal data relating to criminal convictions and offences?

•  In scenarios such as the above, indeed in nearly all cases of data processing of employee personal data, consent as a lawful basis should be avoided due to the unequal bargaining power between employers and employees and due to the fact that that consent may be revoked at any stage by the data subject, requiring Charlie Limited to dispose of the data.

• Charlie Limited will most likely be entitled to rely on the legitimate interest basis as the lawful basis to process personal data for the purpose of undertaking an investigation as it relates to the performance and conduct of an employee and is necessary in order for Charlie Limited to ensure that its employees conduct themselves to an appropriate standard in support of Charlie Limited’s business.

• Where special category personal data or personal data relating to criminal convictions and offences is involved, there are more limited lawful bases that an employer can rely on under Article 9 of the GDPR. If such data is to be processed for the investigation, it is arguable that the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law. However, Charlie Limited will need to ensure that appropriate safeguards are in place to protect the rights and freedoms of the data subject in question.

What does Charlie Limited’s Privacy Notice provide in respect of the disclosure of its employee personal data to third parties?

Data protection law does not, as a general rule, prohibit the processing by disclosure of the personal data contained in an investigation report. As discussed above, provided that an appropriate lawful basis is adopted, such as legitimate interest, and that this basis is provided for in Charlie Limited’s Privacy Notice, Charlie Limited is unlikely to require the Accused Employee’s consent to disclose the investigation report to a third party.

Who can submit a subject access request?

Typically, only a data subject can submit a subject access request for personal data which relates to him/her. A subject access request submitted by a company on behalf of an individual or employee should immediately raise question marks over its validity.

However, it is possible for a third party to make a request on behalf of data subject. This is typically seen in requests made by parents on behalf of minors.

In the above scenario, Charlie Limited will need to take certain steps to satisfy itself that Bravo Limited has the requisite authority to make such a request on behalf of one of its employees and it should collect appropriate supporting documentation.

For example, it could ascertain proof that the employee is in fact an employee of Bravo Limited and request an authorisation form signed by the Complainant.

Can an employee investigation report fall within a Subject Access Request?

Whether the investigation report falls within a subject access request depends on one key question. Does the report contain personal data? If it does, then there are a number of follow-on considerations to be taken by Charlie Limited.

As a general rule, when considering whether a document relates to a data subject, in this scenario, the Complainant, then Charlie Limited should consider whether the Complainant is the focus, or main focus, of the report. Where, for example, the report contains the data subject’s name, but the information would be unchanged if their name was replaced with another, there is an argument that the information does not relate to the data subject and is therefore not their personal data.

For the report, or parts of the report, to be about the Complainant, one of the following three elements must be present: -

• The content element. This is where information contained in a file is clearly about a particular person, regardless of any purpose or impact, i.e., information contained in a file titled with the name of a particular person.

• The purpose element. This arises where the information is used or likely to be used to evaluate, treat in a certain way, or influence the status or behaviours of an individual.  For example, a call log which is used to determine when a call was made could be personal data of the person making or receiving the call.

• The result element. This arises where the use of the information is likely to have an impact on the rights or interests of an individual.  The guidance has provided that if the individual is likely to be treated differently from other persons as a result of the processing it is sufficient to satisfy this element.

Assuming that the subject access request is valid, and personal data is identified as relating to the Complainant (don’t forget in this scenario it is the Complainant who has submitted the subject access request, not the Accused Employee), the next question Charlie Limited must consider is whether the request, firstly,

1. seeks a copy of the personal data contained in the report and secondly,
2. if the disclosure of the report will involve the processing, by disclosures, of any third-party personal data i.e., if the report is released, what third party personal data will also be disclosed.

If a subject access request was submitted by the Bravo Limited’s employee, the Complainant, then it is likely that the investigation report will contain personal data relating to them. Presuming this to be the case, the Complainant will be entitled to seek access to it.

If the report contains any other third party personal data i.e., personal data relating the Accused Employee or other witnesses, Charlie Limited may be required to restrict access to that third party personal data. It can do this by redacting the third-party personal data or, if it cannot be full achieved in that way, by providing the Bravo Employee with a description of the personal data contained in the report and not provide a full copy of the report. This is discussed next.

What exemptions can Charlie Limited rely on to withhold the report?

The fact that Charlie Limited’s employee, the Accused Employee, refuses to consent to the release of the report, even redacted, is not a shield that Charlie Limited can cover behind. So, what other steps could it take to withhold the report?

1. During the investigation process, if any statements were obtained from colleagues or third parties which were provided on the basis that it was the individual’s opinion and it was provided in confidence or on the understanding that it would be treated as confidential, Charlie Limited is entitled to reply on Section 60(3)(b) of the Data Protection Act 2018 to restrict access.
2. Given that Bravo Limited has threatened legal proceedings, Charlie Limited may be entitled to invoke aspects of Section 60 of the Data Protection Act 2018 and restrict access to the report on the grounds that the restriction is necessary and proportionate in contemplation of a legal claim being brought by either Bravo Limited or the Complainant.
3. Given that the report is likely to contain a significant amount of sensitive personal data belonging to the Accused Employee (remember personal data relating to one's health or trade union membership is special category data under Article 9 of the GDPR), Charlie Limited could reply on Article 15(4) of the GDPR and withhold the document on the grounds that the release of the report is likely to negatively impact the rights and freedoms of the Accused Employee. In such a situation, Charlie Limited would need to assess the likeliness and severity of risks to the Accused Employee.
4. If the investigation report contains health information relating to the requestor, Charlie Limited is also required to have regard to it obligation to restrict the Complainant’s right of access under the Data Protection Act 2018 (Access Modification) Health Regulation 2022 which was signed into law in March 2022.
5. Lastly, a step that could be taken to reconcile the conflict between the rights of the data subject (the Complainant) and the Accused Employee would be to provide a redacted copy of the report and only provide extracts which contains personal data of the Complainant. This may mean that the document is heavily redacted and illegible. Where a document is illegible owing to redactions, then Charlie Limited would have grounds to withhold it entirely on the basis that the rights of the Accused Employee continue to prevail and the report cannot be released in a legible form.