The first session at our annual Workplace Privacy Conference saw Alexander Milner-Smith and Bryony Long take us through the latest thinking and share practical top tips on the data and privacy aspects of investigations, workplace monitoring and the necessity of data protection impact assessments (DPIAs).
Our top 5 takeaways are:
1. Be prepared!
The volume of data involved in investigations is often vast. There needs to be clear thinking up front about the lawful basis for processing the personal data and about the different roles of those involved: who is the controller and who is the processor, or are you joint controllers? What about an external investigator? Legal privilege may also be a factor.
You need to ensure you follow the UK GDPR/GDPR principles, e.g. transparency with an employee privacy notice, data minimisation, data security, retention, deletion etc., as well as maintaining confidentiality.
Before an investigation, do a DPIA. After an investigation, organisations should review and update their policies and procedures to prevent future issues where possible and to ensure ongoing compliance with data protection laws.
2. Investigations and DSARs
Data subjects often file access requests before, during and after investigations. Many such requests are for witness statements about any allegations. It is important to understand whether the statements were given with the assurance of confidentiality. Careful consideration must also be given to redaction and whether it would prevent an individual’s identity from being disclosed. The ICO has practical guidance called “Subject access request Q&As for employers” which is very helpful.
3. The importance of Lawful Basis and Transparency in Monitoring
When conducting employee monitoring, it is crucial to ensure compliance with data protection laws. This involves having a clear lawful basis for the monitoring activities and maintaining transparency with employees. The ICO emphasises that monitoring should balance business interests with employees' rights and freedoms, selecting the least intrusive means to achieve the intended purpose. Proportionality and fairness are key. Again, the ICO has useful guidance: “Employment practices and data protection: monitoring workers”.
4. Necessity of Data Protection Impact Assessments (DPIAs)
A key theme running through all the sessions was the clear need for DPIAs. They are essential for high-risk processing activities, whether investigations, employee monitoring or any AI project. A DPIA should detail the purpose of data processing, assess potential risks to data subjects, and outline steps to mitigate those risks. Remember that if you can’t mitigate the risk you should consult with the ICO. Also, a DPIA is not a static document: you should review it regularly, especially for projects that are on the border of medium/high risk, to make sure your mitigations keep the risk at medium. Finally, the ICO’s guidance on DPIAs is well worth a read.
5. Identifying, assessing and mitigating the risk in a DPIA
To identify the risk, you should consider the potential impact on individuals and any harm or damage the data processing may cause. When assessing the risk, consider the severity of the impact versus the likelihood of harm. It is important to document each risk, even if it is only a remote possibility, as this shows you have undertaken a comprehensive assessment of risk. The example mitigation measures set out in the ICO’s DPIA guidance are very practical and give a clear indication of the types of factors the regulator considers appropriate.
If you have any questions, please contact Alexander Milner-Smith, Bryony Long or your usual Lewis Silkin contact.