The Court of Appeal has ruled that the Serious Organised Crime Agency did not breach the Data Protection Act 1998 when it obtained material about the arrest of one of its own officers from the Sussex police, providing helpful guidance on demonstrating the necessity of processing in disciplinary situations. Although decided under old data protection principles, much of the court's employer-friendly ruling could apply under the GDPR.


The Claimant was an intelligence officer employed by the Serious Organised Crime Agency (now known as the National Crime Agency). He was involved in an altercation outside a Sussex pub, and was arrested for being drunk and disorderly. Whilst in the police van being transported to the nearest station, he kicked another officer (although he said this was by accident). As per the requirements of his employment, the Claimant informed SOCA of his arrest.

SOCA contacted Sussex Police to ask for the arrest material, which Sussex Police supplied. This included the custody report, CCTV footage, and interviews with witnesses. The material was then used to inform SOCA's internal investigations, resulting in the Claimant's dismissal for gross misconduct.

The Claimant brought two sets of proceedings - an unfair dismissal claim in the Employment Tribunal and a claim for breach of the Data Protection Act in the County Court. Both claims were unsuccessful. The Claimant's appeals in both claims ended up being heard together in the Court of Appeal, where the argument centred on whether SOCA had been in breach of the Claimant's rights under the DPA in obtaining the arrest material (which was sensitive personal data) and then using it for internal disciplinary proceedings.


The key aspects of the Court of Appeal ruling were as follows:

  • It was necessary for SOCA to investigate what had happened, in particular to find out the extent of the potential reputational damage it was facing as a major law enforcement agency and to see if the Claimant's security profile was in jeopardy. It could not wait to find out what information might be forthcoming in a prosecution.
  • SOCA's processing of the data was reasonably necessary for complying with the employment contract (in which the Claimant agreed to comply with SOCA policies and SOCA agreed to follow its policies, which included a careful investigation, before dismissing the Claimant).
  • SOCA's processing of the data was also reasonably necessary to comply with its other (essentially public law) legal obligations to uphold proper security standards and deal with misconduct complaints about its officers and to discharge its statutory functions as a crime enforcement agency. It was not, however, reasonably necessary for SOCA to process the data "in connection with legal proceedings" - disciplinary proceedings are not legal proceedings.
  • The Claimant had, in any case, explicitly consented to the processing of this data by signing an employment contract including a clause where he agreed to SOCA processing his personal data to comply with its policies and to review his performance.
  • When considering the purpose for which the data had been obtained, the focus needed to be on the purpose for which SOCA was obtaining the data - not the purpose for which Sussex Police originally obtained it.
  • In any case, there was no loss caused by the supposed breaches of the DPA. SOCA would have obtained the same information anyway through interviewing the relevant police officers, or attending the criminal case in which the evidence would have been presented. The Claimant would still have lost his job.
  • The Tribunal had not failed to properly grapple with the argument that SOCA was in breach of the DPA in using material in the disciplinary proceedings which led to his dismissal.


Despite this case being heard under the old data protection laws, much of the reasoning could apply to the GDPR, except that consent given in the employment contract is unlikely to count as explicit consent for GDPR purposes.

In this case, there were various public functions and commitments in play which meant that the employer essentially had a public duty to investigate its misbehaving employee. However, the case is nonetheless a helpful decision for all employers, since it illustrates how data protection and privacy arguments rarely operate as a complete block on employers being able to deal with serious misconduct which has come to light, and shows the courts' acceptance that employers have a legitimate interest in obtaining evidence of employees' wrongdoing.

For an example of a case with a different outcome, where the police were found to have overstepped the mark in using their powers to extract data about more minor misconduct of an employee, see here.

Michael Cooper v. National Crime Agency, Court of Appeal