This is something which has become more common since the General Data Protection Regulation and the Data Protection Act 2018 came into force last year. Here we look at how issues may arise in practice and suggest some pointers on how to respond.
A surveyor employed by a local authority is subject to an ongoing disciplinary process. She has had sight of emails which she alleges are evidence that an administrative assistant in the HR team has been sharing information about the disciplinary process more widely than is required and in an unprofessional manner. She alleges that the individual has been "forwarding emails to his friends in IT in breach of my data rights just because he's run out of other things to gossip about". It is not the first time she has raised a concern about her HR colleague. The following week, the surveyor makes a subject access request (SAR), which entitles her to be given a copy of her personal data subject to a number of exemptions. She also threatens to report the alleged breach to the Information Commissioner's Office or ICO (the data protection regulator).
If there is evidence of a breach, then the authority will need to take appropriate action. This could include notifying the ICO, notifying insurers as the circumstances could give rise to a claim from the surveyor, taking steps to prevent a recurrence and/or taking disciplinary action against the HR assistant. Action may need to be taken promptly: under the GDPR, a personal data breach must be notified to the ICO within 72 hours of the authority becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The clock starts on awareness, so the authority cannot wait until its own investigation is complete before deciding whether the threshold is met.
The authority will need to give careful consideration to what information is provided in response to the SAR. It is common practice for an individual to make a SAR (and/or request information under the Freedom of Information Act) in order to fish for information which may assist as part of a wider dispute. In the above scenario, the requester may have made the SAR to get hold of information to fuel a data breach claim or to give her leverage in relation to a proposed settlement.
Of particular concern in this scenario is that there appears to be a history of bad blood between the two employees and therefore some of the information held by the authority may be personal data of both the surveyor and the HR assistant. There is a limited exemption for some 'mixed' information (ie, information that is both about the requester and a third party) but, if the authority discloses too little, the surveyor may complain to the ICO that the authority has not dealt adequately with her SAR. On the other hand, if it discloses too much, the HR assistant may claim that his rights have been infringed.
The authority may also need to look into how the surveyor got hold of the emails in the first place. In some cases, it can be a criminal offence for an employee to go snooping, even if they find something that corroborates their suspicions that their rights have been infringed.
The above scenario illustrates the complexities in this area but perhaps the top tip is that prevention is always better than cure. Make sure that practices are data protection compliant, for example, that staff are trained on the data protection 'dos and don'ts' (with the training backed up by appropriate policies) and that there are appropriate technical controls in place to safeguard personal data. In the HR context that means, at a minimum, restricting access to HR mailboxes and shared folders to those who need it and keeping audit logs of who accessed and forwarded what, so that an allegation like the one above can be tested against evidence rather than left as one colleague's word against another's.