Workplace Investigations

Under the GDPR (General Data Protection Regulation), personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. The Data Protection Commission published Data Protection in the Workplace: Employer Guidance in April 2023, which is a useful guide.

Employers should exercise caution when gathering physical evidence that may involve the use of CCTV or other surveillance practices. The Irish Court of Appeal in the case of Doolin v DPC examined the use by an employer of CCTV footage for disciplinary purposes and found such use constituted unlawful further processing. The original reason for processing the CCTV footage was to establish who was responsible for terrorist-related graffiti that was carved into a table in the staff tearoom. It subsequently transpired Mr Doolin, who was in no way connected to the graffiti incident, had accessed the tearoom for unauthorised breaks and a workplace investigation followed. The original reason for viewing the CCTV related to security, but further use of the CCTV footage in the disciplinary investigation was not related to the original reason. This case confirms that employers must have clear policies in place in compliance with both GDPR and the Data Protection Act 2018 specifying the purpose for which CCTV or any other monitoring system is being used. Not only that, but these policies must be communicated to employees specifying the use of such practices.

It is not only data about the investigation that must be processed fairly, but any retention of the data, which can only be further processed with good reason. It is a legitimate business reason to retain data to deal with any subsequent requests or appeals under various internal or statutory processes, provided employees have been advised of the relevant retention period.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

It would be difficult to assert privilege over materials that relate to the investigation itself.

Privilege may arise before the instigation of an investigation where an employer may seek legal advice from their legal advisors over the initial complaint and appropriate next steps. Subject to the relevant tests being met, Legal Advice Privilege arises in respect of a confidential communication that takes place between a professionally qualified lawyer and a client. Who the client is will be of significant importance as they must be capable of giving instructions to their lawyer, on behalf of the employer. Caution should be exercised by employers if advice to "the client" is disseminated further within the business to other members of management. If such a scenario arises, then there is a risk that privilege may be waived and such material could be disclosable under a data subject access request. Litigation privilege arises with respect to confidential communications that take place between a lawyer or a client and a third party for the dominant purpose of preparing for litigation, whether existing or reasonably contemplated.

It is also prudent to consider whether an external investigator should have access to their own independent legal advisor, and the funding arrangements for such advice would have to be considered by the employer.

As outlined above, all employees generally have the right to know whether and what personal data is being or has been processed about them (article 8 paragraph 1, Swiss Federal Act on Data Protection; article 328b, Swiss Code of Obligations).

The employer may refuse, restrict or postpone the disclosure or inspection of internal investigation documents if a legal statute so provides, if such action is necessary because of overriding third-party interests (article 9 paragraph 1, Swiss Federal Act on Data Protection) or if the request for information is manifestly unfounded or malicious. Furthermore, a restriction is possible if overriding the self-interests of the responsible company requires such a measure and it also does not disclose the personal data to third parties. The employer or responsible party must justify its decision (article 9 paragraph 5, Swiss Federal Act on Data Protection).[1]

The scope of the disclosure of information must, therefore, be determined by carefully weighing the interests of all parties involved in the internal investigation.