As you will be aware the General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. This, together with the Data Protection Act 2018 (DPA), replaces the existing provisions of the DPA 1998. This is likely to change practice when using external consultants or others in employment processes especially grievance or disciplinary matters.

This article anticipates you are familiar with the various definitions and are aware of the key changes implemented by the new legislation. Instead, we focus on engaging an external person in employment processes and what, if any, consequences GDPR has.

Multiple data controllers

An NHS organisation determines the purpose and means by which personal data is processed and therefore is a data controller. This obviously applies in relation to its employees’ personal data. There can be more than one data controller relating to the same or linked data. Each does not have to equally share participation in the personal data processing in order to be a controller.

An external participant (e.g. an independent investigator engaged to investigate alleged misconduct or grievances), who is given an appropriate degree of independence, is likely to be classed as a data controller rather than processor (a processor is responsible for processing personal data on behalf of a controller). For example, whilst an independent investigator is engaged only to process data for a particular purpose (which should be detailed in the agreement/contract between them) the investigator is likely to determine what information to obtain and process in order to carry out the investigation and is responsible for producing the detailed content of the investigation report and associated documents. (This degree of control makes it likely that the classification of ‘data controller’ will apply). Overall, one must consider whether the external participant has controller or processor status; the less constrained they are in handling the data subject’s personal data the more likely they are to be a controller.

Assuming the external participant is a data controller, a further important consideration is whether the NHS body and external participant are ‘joint controllers’ because there are different obligations for joint controllers as opposed to individual controllers. Joint controllers exist where two or more data controllers work together, acting jointly, to decide the purpose and manner of any data processing. Personal data processed in this manner will give the data subject directly enforceable rights against both data controllers.

Joint controllers must, by an arrangement between them, specify each controller's data protection compliance responsibilities and make that summary available to the data subject (Article 26, GDPR). Whereas, individual controllers simply need to have a contract/agreement in place between them (‘them’ in the above instance being the investigator and hiring NHS organisation). This agreement will set out the investigator’s terms of engagement and the remit within which the data subject’s information can be used. Such an agreement does not need to be presented to the data subject.

It is more straightforward if such an external participant is an independent controller. Whilst there are obligations on independent controllers (as set out below) it is more complicated when there is joint controller status.

Privacy notice

The data controller must provide data subjects with a privacy notice to explain the categories of personal data it collects and how it uses, stores, discloses, and secures personal data. This includes when an individual's personal data may be disclosed to third parties (which would encompass external participants) and the purpose(s) for such disclosures. Therefore it is important for an NHS organisation to ensure, at the outset, its privacy notice is broad enough to cover this eventuality. One expects it will fall under a ‘data sharing’ section within the notice. This will explain why, when and to whom the individual’s data might be shared as well as how secure that shared information is.

Given that the external participant is also likely to be a data controller, they too will have to issue the data subject with a privacy notice. To ensure a degree of consistency and expediency, the NHS organisation may prefer to draft a template privacy notice that can be provided to the external participant to populate and forward to the employee.

Another factor to take into account is that the NHS organisation will hold personal information about the external participant and consequently a privacy notice would have to be issued in this instance also.


Where an NHS organisation engages an external participant to assist with disciplinary or grievance matters consider:

  • Does the organisation’s privacy notice envisages data sharing in this way? If not, amendments are required including on existing matters
  • If both parties (the organisation and external participant) are data controllers whether they are joint controllers? If so, compliance with the obligations set out above is necessary. (If the parties are individual controllers the requirements are lesser as explained above)
  • Did the external participant sent a privacy notice to the data subject?
  • The organisation’s obligation to send a privacy notice to the external participant