Employers control the extent of information that they provide employees – from how well they are meeting KPIs, to internal discussions about grievances, remuneration and disciplinary actions. In the majority of cases, employers have no obligation to provide to employees information setting out the basis for remuneration or disciplinary outcomes including information which is part of internal investigation or notification to a regulator. A lack of access to such information may make it more difficult for an aggrieved employee to bring a claim against their employer. Increasingly, employees are issuing data access requests (DARs) under the Personal Data (Privacy) Ordinance (PDPO) to seek information related to internal investigations and remuneration or disciplinary outcomes of which they have been the subject. This information may then be used to form the basis of a claim against the employer. We consider the obligations of employers when receiving a DAR and how DAR may be used as a litigation strategy by aggrieved employees.
Right to access personal data
The PDPO allows ‘data subjects’ (typically employees) to request their personal data from ‘data users’ (typically employers) and such personal data must be provided subject to certain procedural requirements and prescribed exemptions.
‘Personal data’ has a broad definition under the PDPO and means any data from which it is possible and practical to ascertain the identity of the individual from that data. Examples of personal data related to employees or potential employees may include an employee’s name and contact details, as well as the contents of their personnel file including their employment terms and records of any disciplinary proceedings and performance appraisals.
In practice, many employees issue a DAR to seek access to their personal data which is held by their employer (or former employer). While employees are entitled to a copy of their personal data, they not have the right to see every document in which the employee is referred to and DARs cannot be used as a guise to access information in lieu of pre-action discovery.
It is therefore important that employers take the time to distinguish whether the DAR has been issued validly, and if so, what they must provide to the requestor to comply with the PDPO while not providing documents being sought by the employee as a ‘fishing’ exercise in anticipation of a claim. Upon receipt of a request for personal data, it will be important for an employer to consider whether:
- the DAR is in the form specified under the PDPO for making a valid request;
- the information sought is personal data (i.e. it is data from which it is possible and practical to ascertain the identity of the individual making the request);
- the information sought does not include personal data related to any third party; and
- whether an exemption applies. For example, privileged communications will usually be exempt as will data that relates to certain employment processes which have not yet concluded or data which is held for the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, or dishonesty or malpractice) by persons.
Where there are no valid grounds for refusal, a data user must supply a copy of the requested data to the requestor within 40 calendar days from receipt of a DAR. If the data user does not have the requested personal data or refuses to comply with a DAR for a reason listed above, they are obliged to give written notice and reasons to the requestor within 40 days of receiving a DAR. A data user must also keep a log entry setting out the particulars of why a DAR was refused.
There are additional requirements which apply to the form of the response to a DAR relating to, for example, the language of the response and providing explanations necessary to understand the personal data. A data user can impose a ‘reasonable and proportionate’ fee for complying with a DAR within 40 days of receiving a DAR.
Use in litigation
While the Privacy Commissioner has stated that DARs cannot be used as a means of accessing information in lieu of pre-action discovery, this is unlikely to deter those individuals that strongly feel they have been aggrieved or that, due to the nature of the matter, are concerned that such information may be provided to a regulator such as the SFC, or authorities such as the police.
Given the limited remedies available to in relation to statutory claims for unreasonable or unlawful termination, employees have increasingly sought to position claims on the basis that the employer’s actions in conducting internal processes were in breach of an implied contractual term. In the recent decision of the High Court in Chock Kin Ming v Equal Opportunities Commission, the former employee sought to mount a claim that procedural defects in an internal investigation invalidated the decision not to pay certain contractual remuneration. While the case was dismissed, it is easy to see how information in relation to an internal investigation or disciplinary decision obtained by a former employee in response to a DAR could then be used to mount a breach of contract claim.
Given the trend towards claims based on breach of an implied contractual term, employers need to take particular care in how they conduct internal investigations and disciplinary procedures and what personal data is recorded and retained in relation to such procedures.
In particular, employers should be familiar with their obligations under the PDPO to ensure that they are meeting their obligations but are not providing information to employees or former employees which they are not obliged to provide and that is confidential, privileged or may increase their exposure to a potential claim.
For more information, please contact Gareth Thomas, Tess Lumsdaine or your usual Herbert Smith Freehills contact.