- The principles
Conducting an investigation requires the processing of “personal data”; that is, data from which a living individual can be identified. In the United Kingdom, the Data Protection Act 2018 and the EU General Data Protection Regulation (2016/679) (“GDPR”) govern how companies may collect and use personal data. Among other things, the GDPR sets out six data protection principles with which companies collecting and using personal data must comply. At a high level, companies must (subject to limited exceptions):
- tell individuals how their personal data will be used
- ensure that a legal condition for processing is met (for instance, consent of the relevant individual or compliance with a legal obligation other than a contractual obligation)
- take appropriate steps to secure personal data, and
- not transfer personal data outside the European Economic Area (“EEA”) without ensuring an adequate level of protection for it.
In addition, the Regulation of Investigatory Powers Act 2000 (“RIPA”) and the Investigatory Powers Act 2016 (“IPA”) prohibit the monitoring of communications, whether by post, telephone or internet usage. There are limited exceptions to this prohibition in the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018 (SI 2018/356). Moreover, the IPA is gradually replacing some RIPA provisions as statutory instruments and commencement regulations bring various sections of the IPA into force.
In the context of an employment relationship, there are certain nuances to how companies must approach the collection and use of personal data (and the recording of communications). Further information is available in the ICO's Employment Practices Code and the Supplementary Guidance to it. Companies should be particularly cautious if seeking to rely on an individual’s consent as the legal condition for processing data in this context. Such consent is only valid if it is specific, informed and freely given and may not be valid in many circumstances given the inherent imbalance of power within the employee-employer relationship.
Companies engaged in internal investigations or cooperating with regulators in relation to regulatory investigations must ensure that, in doing so, they do not breach their obligations under these data protection and privacy laws. This is frequently a balancing act. Specific circumstances (such as the nature of the information, the purposes for which it will be used or the parties to whom it will be disclosed) will dictate the legal viability of proposed courses of action.
Further legal commentary on data protection and privacy is available on our data protection & privacy page and European General Data Protection Regulation microsite on elexica.
- Recent developments
- On 06 February 2019 the Department for Digital, Culture, Media & Sport and the Information Commissioner’s Office (ICO) published guidance on “Using personal data after Brexit” (revoking the previously published technical notice on how the collection and use of personal data would change if a “no deal” Brexit occurs). This guidance includes a series of steps that the ICO recommends organisations should take to prepare for the EU exit in a no deal scenario. The European Commission has stated that it will not begin the process to make a decision on the UK’s “adequacy” status under the GDPR, which provides a data transfer exemption for non-EU countries, until after the UK leaves the EU and becomes a “third country”. The UK government has indicated that, due to the alignment between the UK’s and the EEA’s data protection laws, UK organisations would be able to continue sending data from the UK to the EEA following a “no deal” Brexit. The corresponding ability for companies in the EEA and third countries to send personal data into the UK would however be restricted until the UK receives approval in the form of an adequacy decision from the EU.
- On 25 May 2018, the General Data Protection Regulation (GDPR) came into force, creating a harmonised, pan-EU data protection framework. The GDPR has a very wide territorial scope, applying to data controllers and processors established in the EU, and also to those outside the EU who offer goods and services to EU individuals (or who monitor their online behaviour). In the United Kingdom, notwithstanding Brexit, the government has reiterated its commitment to the privacy principles contained in the EU data protection framework. Our podcast provides an overview of the GDPR regime.
- The GDPR introduces a range of additional obligations, such as the obligation to maintain a record of data processing activities, the obligation to carry out “data protection impact assessments” when engaging in “high risk” processing activities and the obligation to provide more granular information to individuals about how their information will be used. These obligations may be triggered by an investigation, depending on the extent of processing of personal data required.
- The GDPR, like existing European law, implements controls around the transfer of personal data outside the EU, which will be significant in cross-border investigations. Transfers may only be made to countries outside the EU where the Commission has decided that the third country ensures an adequate level of protection. Following Brexit, the UK will itself be a “third country” and is not guaranteed an adequacy decision by the Commission, as our article explains. Failing an adequacy decision, organisations may need to rely on certain derogations to transfer data from the EU to the UK and other countries, for instance where the transfer is necessary for the establishment, exercise or defence of legal claims.
- Practical tips
- Before any information about individuals is collected, used or disclosed in an investigation, an analysis should be carried out to check that the collection, use or disclosure is lawful. Where the investigation spans multiple jurisdictions, local legal advice will need to be sought. For example, although the GDPR is “directly applicable” across the EU, specific national legislation within Member States supplements its provisions, such as the Data Protection Act 2018 in the UK.
- Relevant employees should be educated about the legal framework relevant to data protection to ensure that they do not unwittingly put the company in breach of its requirements.
- Disclosures in the context of regulatory investigations often involve a balancing exercise between the rights of affected individuals and other obligations (e.g. court orders or requests from regulators) to which the company is subject. Any decision to disclose personal data should be carefully considered and documented.
- Depending on the precise circumstances, exemptions may be available from the requirement to tell individuals what is happening with their information and from the conditions for processing in relation to the required collection, use or disclosure. However, the availability of these exemptions is frequently not clear cut. Additionally, even if an exemption applies, certain obligations may continue to apply. Companies should take an informed, risk-based view on whether exemptions are available and which continuing obligations apply.
- International perspective
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.