The Data Protection Act 2018 (“DPA2018”) contains three provisions that allow an employer to resist subject access requests from employees; this will undoubtedly make life easier for employers when dealing with such requests.
I also make comments on the shifting balance (in favour of non-disclosure of personal data) when information about another individual is present in requested personal data. The context of this blog is processing personal data for Human Resources purposes, but clearly it has wider application.
Disciplinary investigations can be protected
One of the most difficult aspects of data protection occurs when personal data, subject to an access request, contains personal information about another individual. For example, an employee may exercise the right of subject access to personal data concerning complaints made by another member of staff (e.g. when the requestor faces an allegation of bullying from another member of staff).
The DPA2018 makes it easier to protect such personal data from the right of access because, when deciding whether it is reasonable to release the information concerning that other individual, account has to be taken of “the type of information that would be disclosed” (Schedule 2, Part 3, para.16(3)(a)). The inference is that information of a certain “type” should not be disclosed as part of a subject access request; readers familiar with FOI requests will recognise this as a class exemption.
As with most exemptions, there is no information explaining why this provision has been introduced. However, one “type” of information that is likely to be withheld on subject access is any information that has been given, for example, to the Human Resources (HR) Department, in confidence, by an employee who is a witness to another employee’s behaviour. Another “type” of information that is likely to be withheld on subject access is private information that relates to that other individual.
Similarly, when the HR Department is investigating a disciplinary matter, I would argue that a “type” of information that could be withheld might be: “those personal data that would be premature to release until an investigation is complete”. This would protect an investigation until it was complete.
Enter Dr. B, the GMC and the Court of Appeal
This position of withholding until the investigation is complete can be justified in terms of the recent Court of Appeal decision (see references) which also applies to the DPA2018 (which has the same construction as the DPA1998).
The relevant part of the judgment dealt with the presumption in the Durant judgment (booing and hissing permitted) that information about the third-party individual was protected.
Paragraph 55 of Durant stated: “the provisions (in S.7(4)-S.7(6)) appear to create a presumption or starting point that the information relating to that other, including his identity, should not be disclosed without his consent. The presumption may, however, be rebutted if the data controller considers that it is reasonable “in all the circumstances”, including those in section 7(6), to disclose it without such consent”.
Paragraph 68 of the judgment in Dr B agreed with the above but added that “the presumption (of non disclosure of information relating to the third party individual) does not apply as a starting point for a particular exercise of analysis” … rather it acts “as a final tie-break if all other competing factors are otherwise precisely in balance”.
In other words, there is not a significant hurdle or threshold that the requester has to overcome before a decision can be made in releasing third party information.
Only if the interests of the third party and the requester are perfectly balanced does the wording tip the balance in favour of non-disclosure of the third-party information.
The point being made is that one cannot perform a balancing act between the interests of the complainant (e.g. of bullying or of harassment) and the complained about (e.g. of the alleged bully or harasser) until an investigation of an employee complaint about the actions of another employee is complete.
Confidential references become more confidential
Schedule 7, paragraph 1 of the previous Data Protection Act 1998, under the heading “Confidential references given by the data controller”, stated that personal data were exempt from the right of access:
“…if they consist of a reference given or to be given in confidence by the data controller for the purposes of … employment, or prospective … employment, of the data subject…..,” (my emphasis)
This meant that the exemption from subject access relating to a confidential employment reference could only be applied by the sender of the reference (the giver) and not the recipient. This is why in the Information Commissioner’s advice, the recipient of an employment reference was told: “We explained that organisations are generally required to release references they have received about individuals, even if they are marked as confidential”.
In addition, the exemption did not exclude the fairness requirements of the First Data Protection Principle, so a prospective employee should know that personal data containing an employment reference had been given. This provision kicks in when an employer uses a referee, unknown to the prospective employee.
This is not the case with the equivalent exemption in the DPA2018, which omits the phrase “given by the data controller” and states:
“The listed GDPR provisions do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of … employment (or prospective … employment) of the data subject …” (Schedule 2, paragraph 24)
As the “listed GDPR provisions” (in paragraph 18 of Schedule 2 of the DPA2018) include the right to be informed (Articles 13 & 14 of the GDPR), the existence of any further confidential reference might not be transparent to the prospective employee.
In summary, the confidential reference exemption in the DPA2018 now extends to:
- the controller who receives the reference, who can now argue that he has been “given a confidential reference” and refuse access.
- the right to be informed, so a prospective employee might be unaware of the fact that a confidential reference about him has been given or received.
Manual interview notes are not subject to the right of access
Have you ever been to a meeting where someone has taken handwritten notes of what was said? Have the minutes of that meeting, subsequently circulated to attendees, been completely different to your recollections of the actual meeting?
The Government has ensured there is no right of access to these handwritten notes if they comprise “manual unstructured personal data” as defined in the DPA2018, where the content of the notes relates to employment matters.
In general, such manual unstructured processing of personal data is subject to the DPA2018 but only if the controller is a “FOI public authority” and only for the rights of access, erasure and correction. Thus, if a controller is a private body (i.e. not a “FOI public authority”), then the processing of manual unstructured personal data is not subject to the DPA2018 (Section 21(2)).
However, this opened the prospect that public sector employees would have preferential subject access rights merely because their employer was a “FOI public authority”.
So, when constructing the DPA2018, the Government was faced with a political choice. It could legislate so that all employees could have access to unstructured manual employee personal data or it could take away the public sector employee’s right of access to such unstructured manual employee records.
Inspection of Sections 24(3) and 24(4) of the DPA2018 shows that the Government chose to take any prospect of access to unstructured employment notes away, even though these notes could be important from an employee’s perspective (e.g. to show that the formal record of the disciplinary hearing did not accord with the contemporaneous handwritten notes).
On the 18 December last year, Mrs May told the House of Commons that after Brexit “we will maintain, and indeed enhance, workers’ rights”. However, when it comes to the data protection crunch, the evidence shows that with respect to employee rights, the Prime Minister’s Government is moving in the opposite direction.
Court of Appeal references
- Dr B v The General Medical Council  EWCA Civ 1497
- Durant v Financial Services Authority  EWCA Civ 1746