18 November 2020
Law at Work - November 2020 – 7 of 9 Insights
Since the advent of the GDPR in 2018, many employees have become more aware of their data protection rights and there is an increasing tendency for employees to challenge the employer’s use of their data, either in an internal grievance or as part of litigation. In the case reported below, an employer successfully defended an employee’s challenge to processing of data, voluntarily disclosed to the employer, which related to the alleged commission of an offence.
In Hopkins v Revenue and Customs  8WLUK 232 HMRC applied to strike out Dr Hopkins’ claims for breach of her data protection and privacy rights (amongst other things) when her employer processed data relating to her arrest for the alleged commission of a sexual offence. Under her contract, she was required to inform her line manager if arrested or charged with an offence, which she duly did. He then passed this information to the human resources department, as well as the press office, with a disciplinary investigation being commenced.
Dr Hopkins brought an unsuccessful grievance, then a claim in the High Court, alleging that her data had not been processed lawfully or transparently under the GDPR and Data Protection Act 2018. Her claim was struck out as having no reasonable prospect of success.
It was clear that her employer had lawful grounds for processing the data under Article 6 of the GDPR (necessary for the performance of the employment contract), namely investigating a disciplinary matter as it was entitled to do under the contract. It was also necessary for the purpose of HMRC exercising rights conferred on it by law (article 10). Both the contract and the privacy notice issued to Dr Hopkins had highlighted that her employer might use her data in this way and there was nothing disproportionate about the matter having been disclosed to several individuals within the organisation.
This was a costly and time-consuming case. Although the employer was eventually vindicated, it demonstrates the scope for employees to cause havoc, using grievances and litigation to challenge the data protection practices of their employer. If the employer in this case had not been clear and transparent in a privacy notice, the outcome might have been different. Employers should take particular care, when dealing with special category or criminal convictions data, to ensure that it has legitimate grounds for processing the data, has done so proportionately and been transparent with the employee. No doubt further cases will further clarify the limits of the GDPR in due course.
by Multiple authors