Workplace Investigations

Internal investigations are usually initiated after reports about possible violations of the employer's code of conduct, applicable laws or regulations have been submitted by employees to their superiors, the human resources department or designated internal reporting systems such as hotlines (including whistleblowing hotlines).

For an internal investigation to be initiated, there must be a reasonable suspicion (grounds).[1] If no such grounds exist, the employer must ask the informant for further or more specific information. If no grounds for reasonable suspicion exists, the case must be closed. If grounds for reasonable suspicion exist, the appropriate investigative steps can be initiated by a formal investigation request from the company management.[2]

The trigger could come from several sources, such as a grievance from a current or former employee, a complaint from external sources, a whistleblowing disclosure, or as the result of internal governance measures.

In each case, the employer will need to decide if an investigation is warranted. It may be required by internal policies or regulatory requirements in some circumstances. Consideration must be given to whether an investigation is feasible; for example, is the evidence still in existence and accessible? Are key witnesses still employed or contactable?

If the employer concludes that an investigation is warranted, it should start without unreasonable delay. The first step would usually be to set terms of reference, which outline the purpose and remit of the investigation. These should be closely drafted and continually referred to, to avoid the investigation’s scope expanding when new points arise (as they almost always will). An investigator will also need to be appointed (see question 4).

A workplace investigation is often, although not always, prompted by a complaint of workplace misconduct, usually made directly by the employee who was harmed by the conduct, a third party who witnessed the conduct, or a manager or supervisor who was made aware of the issue and has reporting obligations as a result of his or her role in the organisation. 

It is best practice – and often a legal requirement depending on the applicable state law – for companies to clearly outline a complaint process in their policies and to provide employees who experience, have knowledge of, or witness incidents they believe to violate the company’s policies with one or more options for making a report. Although the specific complaint procedure may vary depending on the size of the organisation, the nature of the business and the type of complaint at issue, many companies provide for (or require) making a report through one of the following channels:

• a company-managed hotline or online equivalent;
•  human resources;
• an affected employee’s supervisor or manager; or
• a member of the legal or compliance department.    

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

Most forms of workplace surveillance involve the processing of personal data that is regulated by the UK GDPR and DPA 2018. The UK GDPR requires that personal data must be processed lawfully, fairly and in a transparent manner; it also must be adequate, relevant and limited to what is necessary concerning the purposes for which it is processed.

Employers should ensure that they have undertaken a data protection impact assessment (DPIA) to document the lawful basis for processing data, and informed employees that their files may be searched before proceeding. They should also ideally have a clear policy on the use of electronic communications systems, detailing when, how and for what purpose they may be monitored by the employer. In Q3 2023 the ICO produced new guidance on monitoring workers (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment/monitoring-workers/) and on email and security (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/email-and-security/) which employers should bear in mind during investigations. Employers should also be prepared to make the data collected through employee monitoring available to employees, should the employee submit a data subject access request under the DPA 2018.

The IPA 2016 makes it unlawful in certain circumstances to intercept a communication (such as one on an employer’s telephone or computer network) in the course of its transmission in the UK. The IPA Regs 2018 set out the circumstances where, in a business context, such interception will be lawful. These include monitoring or recording communications without consent to: establish the existence of facts; ascertain compliance with the regulatory or self-regulatory practices or procedures relevant to the business; ascertain or demonstrate standards which are or ought to be achieved by persons using the system; and prevent or detect crime.

Covert surveillance can lead to a breach of an employee's right to privacy under the HRA 1998. The employer will need to consider if covert surveillance is proportionate, which will depend on the facts of each case. Employers should be careful not to use the investigation as an excuse to undertake a "fishing expedition", and should avoid gathering material that is obviously personal, such as private messages and diary entries (see question 8).

Documents and instruments that set out a company’s policies (eg, employee handbooks, code of conduct or other written guidelines) often contain provisions regarding employee data and document collection, workplace searches, communication monitoring, privacy, and confidentiality. As discussed below, state and federal constitutional, statutory and common law – and in some cases foreign data privacy regimes – may provide additional protections to protect employees from an unwarranted or unreasonable invasion of privacy during an internal investigation.