In the recent case of Hopkins v Commissioners for Her Majesty's Revenue and Customs, the High Court found that HMRC (the employer) had lawfully processed an employee’s criminal convictions data under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
The High Court looked at the test for the lawful processing of this data and the obligation to have an "appropriate policy document" in place.
Dr Hopkins was employed by HMRC. She was arrested on suspicion of having carried out four serious offences including a sexual offence. She disclosed this to her line manager as she believed she was contractually obliged to tell her employer. Her line manager then passed this information to internal governance, HR and the press office. Dr Hopkins was suspended on full pay pending a disciplinary investigation. She was never charged with the offences.
HMRC used data about the allegations when suspending Dr Hopkins, instituting the disciplinary proceedings, handling her subsequent grievances and responding to a complaint she made to the ICO.
Dr Hopkins brought numerous claims against HMRC, the main one of interest being for breach of the GDPR and the DPA. She alleged that HMRC had unlawfully processed details of the criminal allegations against her when suspending her and subjecting her to disciplinary proceedings.
The High Court found in favour of HMRC. The High Court judgment looks at the complicated provisions regarding the lawful processing of criminal convictions data. In summary, in order to process such data lawfully, employers must fulfil the following conditions:
- Fall within one of the six lawful grounds for processing personal data in Article 6 of the GDPR. The court described this as passing through one of the Article 6 gateways.
- Meet one of the conditions in parts 1, 2 or 3 of Schedule 1 of the DPA.
- In certain cases, have in place an "appropriate policy document".
- In certain cases, have additional safeguards in place.
In this case, HMRC had a lawful ground for processing under Article 6, as the processing was necessary for the performance of a contract to which the data subject was a party – in this case, the employment contract. The Article 6 gateway was therefore passed.
HMRC also met one of the conditions in part 1 of Schedule 1 of the DPA, specifically that the processing is necessary for the purposes of exercising rights conferred by law in connection with employment. In this case, the court held that the rights conferred by law were conferred by the employee’s contract of employment.
If relying on this condition, the controller of the data is required to have an appropriate policy document in place. An appropriate policy document must, in summary, explain:
- The controller’s procedures for securing compliance with the data protection principles in the GDPR (in relation to the processing of criminal convictions data in this case) and
- The controller’s policies as regards retention and erasure of that personal data, giving an indication of how long it is likely to be retained.
The court held HMRC had an “appropriate policy document” in place as it had a staff privacy notice that had been provided to employees. This document included the statement that HMRC would use information about criminal allegations, it set out the legal grounds on which HMRC would process personal data and, in the examples of situations in which the personal data would be used, there was a statement saying that it would be used for grievances and disciplinaries and making decisions about continued employment. The court did not drill down in detail into what an appropriate policy document should cover, but accepted that the privacy notice was sufficient in this case.
“Appropriate policy documents” are required in most circumstances where criminal convictions data or special categories of data are processed by an employer. This is the first case that looks at this requirement.
It is somewhat surprising that HMRC’s staff privacy notice was sufficient to cover the requirements for an “appropriate policy document” in the DPA in this case. This could suggest that the courts and ICO may be relaxed as long as there is some formal document dealing with criminal convictions data that has been provided to staff. However, it is not clear that this privacy notice strictly complied with all the requirements of the DPA as regards the data protection principles and data retention. A far safer and more obviously compliant option would be for employers to have two documents working together to form the appropriate policy document. The first would be the data protection policy which would set out the way the employer complies with the data protection principles in the GDPR. The second limb fits neatly into a data retention policy – possibly one limited to employment documentation. We would recommend a clear statement of where the appropriate policy document sits.
Although not mentioned in this case, the DPA requires that “additional safeguards” are also followed when relying on some conditions (in particular, where necessary for the purposes of exercising rights conferred by law in connection with employment). This means that employers must retain the appropriate policy document, review and update it from time to time and make it available to the Information Commissioner on request. Also, the employer must maintain a record of processing which specifies the legal ground for processing, the condition relied upon and whether the personal data is retained and erased in accordance with the appropriate policy document.
It should be noted that under the DPA, criminal convictions data includes personal data relating to the alleged commission of offences, not just convictions, so employers should take particular care with any information about criminal matters involving their employees.