Company investigations are often fraught with issues and there is much to consider. Those in charge are commonly afforded very little time before having to proceed. It therefore pays to be aware of some of the potential pitfalls at the outset.
The decision to embark on an internal investigation will not be taken lightly. Investigations can arise in a number of ways: following a complaint or allegation, a report from a whistle-blower or third party, or an enquiry from the authorities.
Whatever the catalyst, a key goal will be to investigate the facts and get to the bottom of the suspicion or allegation as quickly as possible and with minimal legal exposure along the way. The risks to the organisation will need to be assessed and the next steps will have to be planned very carefully.
Protecting a company’s rights
Although an investigation may be purely ‘internal’ to begin with – and may indeed stay that way – it is important to appreciate that this could change. If law enforcement or a regulator becomes involved and/or obligations to report arise, documents may come to be shared with an external agency and form part of their investigation. They could also make their way into court proceedings if litigation follows the investigation.
It is in that context that regard must be had to one of the most important rights provided by English law: legal professional privilege. It protects all confidential communications between a lawyer and client for the purpose of providing advice. But the law around privilege in investigations is complex, and it is all too easy, inadvertently, to create non-privileged material or to lose privilege over previously existing privileged material. That can mean that otherwise confidential material may have to be handed over to an enforcement agency, or a counterpart to a civil lawsuit, with sometimes serious ramifications. The privileged status of the investigation and/or material created pursuant to it should be considered at the outset and regularly reviewed throughout.
Issues around evidence
In some cases where an internal investigation reveals serious wrongdoing, a company may voluntarily choose to hand matters over to law enforcement; in other circumstances law enforcement may look to take control.
In any event the authorities do not appreciate arriving at a crime scene which has already been ‘trampled over,’ with potentially important forensic evidence compromised, be it virtual or digital material or hard copy documents. A company undertaking an investigation should always bear in mind the integrity of any evidence and make sure the correct processes are followed to preserve this. Witness evidence can also become tainted, decreasing or even destroying its value in a criminal investigation. As a general rule, witnesses being interviewed should not be given disclosure of material they have not previously had access to.
The rules around admissibility of evidence in court proceedings form another very complex area of law. The factors which a judge will weigh in determining admissibility are many and varied, but where evidence has been obtained incorrectly or improperly this is more likely to tip the balance away from admissibility.
An investigation involves gathering, collating, analysing, summarising and sharing large volumes of personal data, for example, when conducting email reviews and interviewing witnesses. Investigations should be conducted within the statutory data protection framework in order to minimise the risk of a successful regulatory complaint or litigation.
At the outset a data protection risk assessment should be prepared and kept updated throughout the course of the investigation. This will identify and mitigate privacy, confidentiality and security risks, and provide an audit record of these considerations in the event of a data breach or challenge.
Generally, personal data should only be processed where it is lawful, fair and transparent. This involves an ongoing balancing exercise between the legitimate interests of the company and others, such as victims and authorities, and individual privacy rights. Measures should be in place to ensure that personal data is only processed insofar as it is necessary and relevant to the terms of reference of the investigation, and any intrusion into individual privacy can be justified as being proportionate. Specific protections apply when processing sensitive personal data. The company’s privacy notices and policies should be reviewed for provisions relevant to the processing of data belonging to employees, clients and suppliers.
Data breaches or data leaks are an ongoing risk during the life of an investigation. The extended investigation team should know how to recognise and report a breach, and act swiftly to minimise the harm caused. Companies should be prepared to respond to individuals exercising statutory data protection rights, such as seeking the correction or deletion of data, objecting to the processing of their data, or making Data Subject Access Requests. Although various exemptions may apply to different categories of data, it is wise to gather and create data bearing in mind the possibility of later disclosure.
In the vast majority of investigations there are important employment considerations to take into account. One of the earliest decisions will be how to deal with employees who may be implicated in an enquiry. There was a time when it was common to move to suspend such individuals on full pay and benefits for the duration of the investigation. That has now changed following a number of court decisions, culminating in the issue of fresh guidance by Acas in September 2022. That guidance has emphasised that any decision to suspend must be taken very carefully and must not be a “knee jerk” reaction. The employer should only suspend if it has no other option; if it does suspend, the welfare of the person being suspended must be considered. Suspension, after all, may not be a “neutral act” so far as the employee is concerned and may have lasting implications for their job and career, whatever the result of the investigation.
Decisions may also have to be taken as to how best to safeguard the position of employees who may be the victim, complainant or the whistle-blower. That may involve changing the geographical location in which they work, the times they work and how they work.
It may be appropriate to offer those involved the opportunity to take legal advice, for example, if they will be asked to attend interviews as part of the investigation.
From an employment perspective there may be many decisions to be taken such as potential disciplinary proceedings, grievance hearings, mediation and other processes. This may ultimately result in action being taken before the court or employment tribunal, so the fairness of processes taken to get to that point may fall to be carefully examined by a judge. It is important to ensure the correct procedure has been followed at all times, with employees’ rights being noted and safeguarded as much as is possible in the circumstances.
Coupled with the rapid growth in the role of the regulator in many walks of professional life, these issues make it all the more important that companies and organisations that find themselves having to become involved in an investigation do so extremely carefully to ensure all the many angles are covered, and they expose themselves to the least possible amount of risk.