With current circumstances requiring a higher degree of technological expertise than seen previously, we are seeing increasing amounts of queries from clients in relation to complying with data protection law during the course of investigations.
I should be clear from the outset that the term 'investigations' refers to investigations by regulatory or statutory authorities (such as HMRC) which can of course include criminal investigations. It seems reasonable to say that some authorities have a better grasp of their own obligations than others. Seeking advice early can ensure that any investigation is progressed lawfully and, in the context of personal data, securely.
The basics
It is not difficult to think of a scenario where this could be a key consideration – for example, an employer providing financial information in respect of their employees, clients or business contacts to HMRC further to a request from HMRC for such information. If that information relates to an identified or identifiable living individual, it will be their personal data for the purposes of the GDPR and Data Protection Act 2018. If that employer is the main decision-maker in respect of that data, i.e. they exercise overall control over the purposes and means of the processing of that personal data, they will be a data controller. As the ICO puts it: 'Controllers shoulder the highest level of compliance responsibility – you must comply with, and demonstrate compliance with, all the data protection principles as well as the other GDPR requirements. You are also responsible for the compliance of your [data] processor(s).' Obligations for data controllers include keeping personal data securely and offering sufficient protection against unauthorised or unlawful processing (which includes disclosing that personal data to third parties).
The risks
If the controller acts in a way which breaches their data protection obligations there are two primary risks:
The matter could be reported to (and investigated by) the ICO. This has reputational and financial implications. It can also be a time-consuming exercise for client staff members dealing with the investigation.
The data subjects affected can also bring a claim for compensation (article 82 GDPR) with similar consequences for the client.
Can't we rely on an exemption?
In order to lawfully provide third parties' personal data to authorities without breaching the GDPR, the client will need to rely on an exemption (Schedule 2 of the Data Protection Act 2018). Whilst the applicable exemptions will of course depend on the circumstances, a common exemption in an investigation scenario is found in Schedule 2, Part 1, paragraph 5. Certain, but not all, data controller obligations will not apply to personal data where:
(2) …'disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure
(3) disclosure of the data
a) is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
b) is necessary for the purpose of obtaining legal advice, or
c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights,
to the extent that the application of those provisions would prevent the controller from making the disclosure.' (emphasis added).
The question becomes: what constitutes necessary if you are relying on Para 5(3)? To give a straightforward example, if HMRC requests information from a company about their employees' finances in relation to an ongoing tax investigation, how can that company say that the material it provides is necessary for the investigation without knowing the ins and outs of the investigation? It may well be the case that the information is necessary for the authority's legal proceedings, but without being able to verify/assess that is the case, it will inevitably be difficult for the company to make that call. The authority will often not be willing or even in a position to provide this information and, if there is a criminal angle, there may be good reasons for their not doing so.
How can clients be protected?
The above can be seen as analogous to a Norwich Pharmacal situation where information is sought by a claimant 'against', for example, a bank in respect of information its holds belonging to its third party clients. In these cases, the bank will invariably insist on the claimant obtaining a Norwich Pharmacal Order. This is to give the bank some protection by ensuring it has a valid legal basis for disclosing information which would otherwise be in breach of their confidentiality (and data protection) obligations owed to their client. The same solution can be found in Sch 2, Part 1, para 5(2) as set out above – insisting the investigating authority obtains a court order gives a valid legal basis to disclose personal data belonging to third parties. However, in scenarios where co-operation is key, clients may feel less than comfortable telling the authority to obtain an order before they can provide any information. There may also be reputational consequences for the client if the authority obtains a public order naming it in relation to an investigation, even if it is not suspected of wrongdoing itself.
Whilst a court order is generally the safest route, a further option involves the client being able to confirm that providing the information is necessary for the purpose of / in connection with legal proceedings. Some authorities will proactively send a 'data sharing request form' clearly setting out what information they are looking for and why it is necessary for the investigation. Others will need prompting in our experience and there are a number of key points which advisers should be looking out for, e.g. what type of information does the authority expect to find and is that clear from the request?
Without ensuring that the authority is specific and targeted in its request for information, the recipient of the request is left with a risk that the data subject (or the ICO) forms the view that the information provided to the authority was not necessary for the investigation (with the subsequent risks of legal claims and ICO investigations). Encouragingly, in the ICO's latest draft Code of Practice on data sharing, Annex B envisages a 'template data sharing request…' currently with a note that 'These will be added before the final publication stage'. It is hoped that this will provide clients (and their advisers) further guidance in this rapidly developing area and help to ensure that potentially serious risks are negated. One thing is clear – a client which meets a request for information from an authority by sharing its employees'/business associates' personal data without detailed consideration of the data protection aspects, does so at its peril.
If you would like any further information or advice in relation to the above, please get in touch with our media, reputation management and data protection team