The recent Employment Tribunal decision of McWilliams v Citibank NA found that the Claimant had been unfairly dismissed because her employer rejected her subject access request (SAR) made during her disciplinary proceedings.
This decision together with the GDPR requirements imposed from 25 May 2018 highlight the importance of employers being aware of the potential risks and expense of not having adequate policies and procedures to deal with discipline; and SARs.
Facts
Ms McWilliams was employed by Citibank as a foreign exchange trader. During her employment she regularly communicated with traders at other banks through an online trading chat room. During these conversations Ms McWilliams, along with other traders, disclosed confidential information. It was argued this was standard practice at the time.
As a result of a Financial Conduct Authority investigation, Citibank started internal investigations into the practice of sharing confidential information by traders in online chat rooms and the manipulation of exchange rates. Consequently, Ms McWilliams' line manager was dismissed and Ms McWilliams was suspended.
Whilst on suspension, Ms McWilliams made a SAR under section 7 of the Data Protection Act 1998. A SAR is written request that can be made by or on behalf of an individual for information an organisation holds about him/her. This request can also extend to whether any personal data is being processed, a request to be provided with a description of the personal data being processed and the reasons it is being processed. An individual can also request, under a SAR, to be provided with a copy of the information comprising the data and details of the source of the data. This was dismissed on the grounds that it was too wide and disproportionate. Thereafter, the Claimant narrowed the scope of her SAR requesting information she could not access whilst suspended but this was again refused.
Following a disciplinary hearing, the Claimant was dismissed for gross misconduct due to her disclosures through the online trading chat rooms. This decision was made prior to the FCA finding that guidance on chat rooms did not outline the type of communication that was acceptable. As part of the Claimant's defence during her disciplinary was that Citibank had a relaxed attitude to compliance and that the sharing of confidential information was custom and practice, this FCA finding would have supported the Claimant's defence at her disciplinary hearing.
Subsequently, the Claimant brought a Tribunal claim for unfair dismissal. The Tribunal found that Citibank had failed to carry out a reasonable investigation and had failed to investigate the Claimant's defence that her conduct was common practice condoned by senior management. Citibank's refusal to respond to the Claimant's SAR was unfair and materially affected her ability to defend the allegations against her. Albeit, the Tribunal did find that the Claimant had contributed to her dismissal by sharing confidential information.
Implications
Although this is only a first instance decision and so is not binding on other Tribunals, it should serve as a reminder to employers of the risks of refusing a SAR if the requested documents are relevant to a dispute with the employer. The Guidance provided by the Information Commissioner's Office clarifies that the right of subject access is motive blind. Employers should not refuse to respond to a SAR on the belief that it is made for an improper purpose.
McWilliams v Citibank NA also highlights the importance of carrying out thorough disciplinary investigations. When the GDPR comes into force on 25 May 2018 it will introduce additional obligations on employers, including shorter periods to respond to SAR's and a greater level of accountability generally, which attach significant sanctions for non-compliance (including fines of the greater of 4% of global turnover or €20 million for the most serious of breaches).
Employers should be aware that failure to have adequate policies and procedures that deal with SARs can increase the cost and time spent dealing with these issues that could potentially lead to claims of unfair dismissal. Employers should review their policies and procedures as well as reviewing the training provided in relation to disciplinary and grievance investigations; and SARs, focusing on the importance in documenting steps and identifying deadlines for responding to SARs.
Watch out for our mini-series of blogs on what employers and HR teams need to know about the GDPR and preparing for the new regime.
This article was co-written by Ruth Moffett.
As featured in Scottish Legal News
Disclaimer
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.
