In today’s digital workplace, organisations hold vast quantities of potentially probative data: emails, instant messages, documents, logs and metadata. This material can be crucial in investigating suspected fraud, theft of confidential information or breaches of compliance rules. But while the data may be technically accessible, a careful, proportionate approach is needed to respect employees’ data privacy rights under the UK GDPR and the Data Protection Act 2018 (DPA 2018). Individuals are increasingly aware of, and prepared to enforce, these rights.
In this article, Jonathan McDonald and Henry Fox of Osborne Clarke outline practical steps for organisations to balance privacy and business protection before and during internal investigations.
Different considerations may arise where an organisation is involved in litigation or a regulatory investigation, where more onerous disclosure obligations may apply. By contrast, where an organisation chooses to investigate suspected wrongdoing of its own accord, the balance is more delicate: the organisation must be able to show it considered and respected privacy interests and avoided overreach.
The digital workplace: the blurring of business and personal
Employees live much of their waking lives on corporate systems: drafting documents, emailing, messaging across platforms, and using company-issued mobiles. This creates immense volumes of personal data and digital “breadcrumbs”.
Most of it will reflect innocent business-as-usual activity. Where wrongdoing occurs, however, digital trails often exist: explicit emails or messages, or metadata pointing to suspicious behaviour.
At the same time, regardless of policy, many employees use corporate systems for private purposes: personal conversations, medical or financial matters, storing personal documents or photos. Employees may object to investigators searching through routine or private communications; even the act of review can feel intrusive and may be challenged as an infringement of privacy/data protection rights.
The legal framework: rights and obligations
In the UK, employers are “controllers” of personal data and must comply with the UK GDPR and the DPA 2018. Employees are “data subjects” with enforceable rights. The key point: employers can search personal data they lawfully hold, but will not have free rein. Some key principles include:
- Lawfulness, fairness and transparency: searches need a lawful basis (often legitimate interests or legal obligation) and must be fair and transparent in light of workforce expectations.
- Purpose limitation: personal data should be used for specified, legitimate purposes.
- Data minimisation and necessity: gather and review only what is necessary for defined aims.
- Security and confidentiality: restrict access and safeguard data during and after review.
IT policies as the starting point
Clear, well-drafted policies on acceptable use, monitoring and privacy anchor expectations and are a first line of defence against complaints and legal challenges. They should make clear, in terms which employees can understand, that:
- Company IT systems are primarily for business use.
- In certain circumstances the company may access or review communications and data.
- This will only be for legitimate reasons, e.g. investigating misconduct, protecting company assets, or meeting legal obligations, with non-exhaustive examples of scenarios.
Policies should also set out safeguards: internal authorisation (e.g. senior manager sign-off with HR and legal oversight), defined roles and a need-to-know approach.
Crucially, organisations must show these policies were brought to employees’ attention, via onboarding, periodic reminders and training. Allied to this point, consideration should be given to whom the policies apply. For example, are contractors, agency workers or workers engaged via an employer of record subject to the policies? Eliminating ‘surprise’ reduces the risk of privacy complaints.
Documenting a proportionate investigation
Policies frame expectations; they do not replace careful planning. Once an investigation is warranted, organisations should document why and how searches will be conducted. This serves two goals:
- Better decision-making: thinking through privacy before acting improves the investigation’s focus and lawfulness.
- Audit trail: a contemporaneous record can be vital in defending legal claims or complaints to the Information Commissioner’s Office, demonstrating reasoned, proportionate decision-making.
The record should address privacy considerations throughout and explain how they were balanced against business needs.
Define scope: the “why” and the “how”
Any investigation should start with a clearly documented ‘scope’, which answers the following questions:
- What are we investigating? How did the issue arise?
- Why are we doing this? What are the specific business interests at stake?
- Who and when? Which custodians are in scope and what time period is relevant?
- How will we investigate? Which systems and what methods will be used?
Proportionality and minimisation in practice
The UK GDPR’s emphasis on necessity and minimisation requires consideration of whether objectives can be achieved through less intrusive means. Show that alternatives were considered and why they were rejected. For instance:
- Narrow allegation: If a single employee is suspected of sending a small number of emails over a short period, a targeted search of that mailbox within the relevant date range may be sufficient.
- Broader concerns: If multiple employees are implicated over a longer period, cast the net wider, but resist blanket review. Start with targeted ‘keyword’ searches, date ranges, specific custodians, and relevant systems. Use iterative, staged searching to limit intrusion and volume.
Targeted approaches are typically not only more respectful of privacy but also more efficient and cost-effective. If initial results justify expanding the scope (e.g. emails which suggest a separate, relevant messaging channel), record the trigger, rationale, additional scope and approvals before proceeding.
Governance: approvals, access and storage
Where searches are needed, record who approved them, limit the review team to a small pool and retain activity logs.
All data gathered should be stored securely and retained only as long as necessary. If personal data is found to be irrelevant, avoid further review of it and consider whether it can be deleted or promptly archived.
Transparency and communication
Transparency is largely achieved through clear policies and privacy notices. During a live investigation, notifying an employee in advance may risk prejudicing the inquiry. Document the reasoning for any delayed notice and ensure post-investigation communications are handled sensitively and lawfully.
Keep in mind too that an impacted employee may exercise their rights of subject access to request a copy of any of their personal data gathered during the investigation.
The bottom line
Organisations are often duty-bound to investigate suspected wrongdoing. Data protection law should not be seen as an obstacle; applied properly, it helps shape efficient, effective and defensible investigations that respect employees’ rights. Clarity in policies, thoughtful scoping, documented proportionality, limited access, and robust safeguards help strike the right balance: protecting the business while maintaining trust with the workforce.
This article highlights core steps and considerations. The specific balance will depend on context, but the principles are consistent: plan, narrow, document, and protect.