McWilliams v Citibank NA

Why care?

Regulation of data subject access requests (SARs) do not form part of the remit of the UK Employment Tribunals. Employers should be aware that the current sanctions for breaches or failures to comply with the SAR regime are not overly stringent, particularly when stacked against other business interests and needs.

On that basis, it could be tempting for employers to dismiss SARs as not relevant to employment disputes or litigation. Before doing so, employers would be well advised to heed the warning heralded by the Citibank case, where the Tribunal found that an employer’s refusal to comply with a SAR contributed to the material unfairness of the dismissal process. The purpose of the SAR in question was to obtain information as part of disciplinary proceedings.

The case suggests that tribunals are becoming more aware of employee data rights and data obligations, and less receptive to the refusals to comply and allegations of ‘fishing expeditions’. Employers should think carefully before refusing a SAR in the context of an employment dispute.

The case

Ms McWilliams started employment with by Citibank as a trader in August 1998. Whilst employed, she regularly communicated with individuals at other banks via an online chat facility. These communications involved disclosure of confidential information. It is unclear from the judgement whether this was permitted, encouraged or incidental to her activities, but what was established was that the practice was relatively commonplace.

In June 2013, the Financial Conduct Authority (FCA) began to investigate certain financial institutions, including Citibank, with regard to concerns about the sharing of confidential data by traders in online chat rooms and the manipulation of exchange rates. Citibank, as might be expected, then commenced internal investigations in to these matters. As a result, Ms McWilliams’ line manager was dismissed, and Ms McWilliams herself was subject to disciplinary proceedings and suspended.

Ms McWilliams submitted a SAR shortly after she was suspended. Citibank rejected the SAR on the grounds that it was disproportionate. Ms McWilliams narrowed the scope of the data requested and informed Citibank that the data was vital for her response to the disciplinary allegations. Again, Citibank refused to comply. Ms McWilliams complained to the Information Commissioner’s Office (ICO).

Ms McWilliams asked Citibank to postpone the disciplinary hearing until the FCA’s investigation was completed, because part of her case was Citibank’s allegedly relaxed attitude to compliance and the assertion that the sharing confidential information was custom and practice. Citibank instead pressed ahead with the disciplinary hearing in May 2014. Citibank made the decision to terminate Ms McWilliams employment in September 2014, and subsequently did so in November 2014, prior to the FCA findings being published. This stated, amongst other things, the guidance on chat rooms did not detail which types of communication were unacceptable. This supported Ms McWilliams’ defence.

The ICO has not yet ruled on this matter, but the important point to note is that the Employment Tribunal held that the dismissal was unfair on a procedural basis, with specific reference made to Citibank’s treatment of the SAR. The Tribunal said Citibank had failed to carry out a reasonable investigation and had failed to investigate Ms McWilliams’ argument that sharing confidential information was general practice. However, the Tribunal noted that she had contributed to her dismissal through the sharing of confidential information.

The Tribunal stated clearly that the SAR in this case did not constitute a fishing expedition. It noted that Ms McWilliams was suspended without access to the documents she needed to defend herself, which she had tried to obtain using a SAR, and this had materially affected her ability to defend herself against the allegations against her.

In essence, the Tribunal found that Citibank’s refusal to comply with the SAR contributed to the material unfairness of the process since it had a material effect on the ability of Ms McWilliams to defend herself in the disciplinary proceedings.

What to take away

As a general comment, the McWilliams case reinforces the need for employers to carry out fair and reasonable investigations and consider an employee’s defence.

Case law and the Data Protection Act (DPA) make clear that the SARs regime is not intended as a mechanism to enable a data subject to obtain documentation outside the usual litigation process,. This case suggests that that employers should not automatically dismiss or reject a SAR because of the potential or on-going litigation. Employers should note that the courts have wide discretion. HR teams dealing with these kinds of employee issues should be wary, particularly in light of the enhanced requirements under the General Data Protection Regulations (the GDPR) due to come into force on 25 May 2018 (for further details see Global Data Hub).

When the GDPR comes into force, SARs will remain, but with additional obligations imposed on employers and with significant sanctions for breaches (including fines of up to 4% of global annual turnover, or 20 million Euros, whichever is greater - a huge increase to the current maximum of £500,000 under the DPA). This is in addition to any compensation due on successful unfair dismissal claim, and the cost and time of dealing with the potentially issues before the Employment Tribunal and the ICO in tandem.

All of this means increased risk and costs for employers. With that in mind, employers should be putting in place an appropriate policy and procedure in place to deal with SARs, identifying those responsible for responding to SARs and providing appropriate training, and documenting steps and identifying deadlines for responding to SARs.