UK Trends and Developments Contributed by: Steven Cochrane, Hannah Netherton, Anna Cope and Gillian MacLellan, CMS
Data Protection Compliance Investigations are data‑heavy and often involve large volumes of special category (eg, health and ethnicity) data. Investigations must comply with data protec - tion legislation including the UK’s Data Protection Act 2018 and the GDPR. Ensuring that personal data is collected, shared and reviewed (externally or even internally) in a legally compliant way requires a struc - tured, documented approach. Data protection is increasingly treated as its own workstream in the context of a workplace investiga - tion, in recognition of the highly sensitive nature of the personal data frequently being processed by investi - gators. This workstream will often involve completing a data privacy impact assessment (DPIA), ensuring employee privacy notices are up to date or specifi - cally prepared, securing data in an appropriate way, and controlling data access on a need‑to‑know basis. Data privacy should be kept under review throughout an investigation process as new issues and data pro - tection challenges can arise. Employers have seen a sharp rise in the use of data subject access requests by employees as leverage in the context of workplace disputes. Data subject access requests can be made to employers, and also to investigators. Responding to data subject access requests can be a time-consuming task and can distract from an investigator’s work. Where there are delays in responding to requests, or the output is not as anticipated, there is a risk of complaints to the Information Commissioner’s Office. There are limited but important exemptions within the data protection legislation that investigators can rely on in withholding investigation-related data but those must be carefully assessed on a case-by-case basis. Good project management hygiene in workplace investigations reduces the risk of data privacy-related issues arising. Limiting data collection, documenting decision-making, following secure data-sharing pro - tocols and managing any cross-border data-sharing issues in a proactive way are all key to ensuring data privacy compliance.
there are reputational, professional or even legal con - sequences for those under investigation because it allows for explanation, mitigation or correction before damaging findings are published (and potentially made public). However, there are also drawbacks. Maxwellisation can lead to delays in the investigation process, espe - cially where responses are lengthy and require care - ful assessment. Delays can have a significant impact on those involved who are often anxious about the outcome of the investigation, and can also compro - mise the integrity of the findings due to memory fade. Maxwellisation can also lead to investigative findings becoming diluted where an investigator’s language or criticisms are watered down in response to feedback received. In an employment context, Maxwellisation is typically unnecessary and disproportionate in the context of a fact-finding investigation (and is not legally required). In order to make findings of fact, an investigator will generally carry out an evidence-gathering process, involving the review of relevant documents and the conducting of interviews, during which witnesses are given a fair opportunity to respond to questions or allegations against them. Giving witnesses an oppor - tunity to comment on adverse findings once they have given their evidence at interview invites arguments that findings have been suppressed or watered down, and can be seen as unfair if complainants or third par - ties are not given the same opportunity to comment. Maxwellisation can also shift the investigation pro - cess from a fact-finding one to an adversarial one, which is much more likely to impact on the veracity and integrity of the output where investigators may be inhibited from making unpalatable findings. Sharing draft reports can also increase the likelihood of data breaches or information leaks, which can be hugely problematic where the matters under investigation are particularly serious and/or sensitive. Setting ground rules and short timelines, limiting the response scope to factual accuracy and imposing strict confidentiality obligations can help to mitigate those risks.
415 CHAMBERS.COM
Powered by FlippingBook