The employment tribunal (ET) case of McWilliams -v- Citibank NA considered whether non-compliance with a subject access request made in the context of disciplinary proceedings had any effect on the fairness of the ultimate dismissal.
Facts and findings
The claimant was a foreign exchange trader at Citibank and was dismissed following allegations that she had breached client confidentiality in her use of trading chat rooms. Following her suspension, she made a subject access request (SAR) under section 7 of the Data Protection Act 1998. The extensive SAR was refused on the basis of proportionality. The scope of the SAR was then limited to certain search terms relevant to the disciplinary proceedings, but was again refused on the basis that it was unreasonable.
Following the disciplinary hearing, the claimant was dismissed for gross misconduct. The complaint process with the Information Commissioner’s Office (ICO) was still ongoing.
The dismissal was held to be unfair and the company’s failure to comply with the SAR was held to have contributed to its procedural unfairness. The employee was suspended and had no access to the documents that she needed in order to prepare her response to the disciplinary allegations. She was given no alternative but to rely on the employer’s investigation, which was found to have been unreasonable.
However, it was for the ICO to adjudicate in relation to the non-compliance with the SAR itself.
Often when SARs are received during disciplinary processes, or in anticipation of a claim from an employee or former employee, they are considered an abuse of process. However, to reject SARs without any consideration of the legal basis for doing so (particularly in light of the ICO’s guidance, which states that a motive for making a SAR does not negate the need to comply) is a risky approach and likely to lead to complaints to the ICO.
This is, nevertheless, a common issue and one which employers would be well advised to take advice on due to the tension seemingly created between the courts and the ICO (the former exhibiting a data-controller-friendly approach, and the latter a data-subject-friendly approach).
Although this is an ET decision, and does not settle the issue of non-compliance with the SAR in itself, it undoubtedly contains principles that are useful for employers receiving SARs from employees during disciplinary proceedings or from those contemplating litigation.