Workplace Investigations
Workplace investigations are growing in number, size and complexity. Employers are under greater scrutiny as the importance of ESG rises. Regulated industries such as finance, healthcare and legal face additional hurdles, but public scrutiny of businesses and how they treat their people across the board has never been higher. Conducting a fair and thorough workplace investigation is therefore critical to the optimal operation, governance and legal exposure of every business.
IEL’s Guide to Workplace Investigations examines key issues that organisations need to consider as they initiate, conduct and conclude investigations in 29 major jurisdictions around the world.
07. What data protection or other regulations apply when gathering physical evidence?
India
- at Trilegal
In India, the collection, disclosure, transfer and storage of personal data are regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPD Rules). Accordingly, if during an investigation any sensitive personal information (such as information relating to passwords; financial information such as a bank account, credit or debit card or other payment instrument details; a physical, physiological or mental health condition; sexual orientation; medical history; and biometric information) is collected, then the requirements under the SPD Rules will need to be complied with. This would include obtaining an individual’s “informed consent” before collecting any sensitive personal data if such information is intended to be collected or stored in an electronic format.
South Korea
- at Kim & Chang
It may be difficult for a company to search and collect physical items that personally belong to the employee.
While the company may search and gather electronic data, such as emails or files stored in work laptops or company servers, there are requirements and restrictions under the Criminal Code, the Personal Information Protection Act (PIPA), and the Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc (Network Act), among other laws.
Article 316(2) of the Criminal Code states that accessing the contents of another person’s documents, pictures, special media records, etc, that are sealed or designated as secret using technical means may constitute the crime of accessing electronic records.
Under the PIPA, consent must be obtained from the information owner to collect or use personal information, or to provide such information to a third party. Consent must be separately obtained for sensitive information or unique identification information. There are strict requirements as to the format and contents of the consent forms under the PIPA.
The Network Act prohibits accessing an information and communications network without rightful authority or any intrusion that goes beyond the permitted authority for access. Although this may not be an issue if a company directly manages the email accounts at issue, if an employee’s email account is protected by a password or through other means, accessing emails from that account without obtaining the employee’s consent could constitute unlawful intrusion under the Network Act as well as under the Criminal Code as discussed above.
Switzerland
- at Bär & Karrer
The Swiss Federal Act on Data Protection applies to the gathering of evidence; in particular, such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]
It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completed by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).
It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.
24. What next steps are available to the employer?
India
- at Trilegal
In misconduct cases, the next steps for an employer would depend on the outcome of the investigation. If the investigation reveals that the employee has violated the terms of employment and the employer wishes to take disciplinary action (which may include dismissal, depending on the gravity of the misconduct), it would normally be necessary to conduct a disciplinary inquiry as per the principles of natural justice before any actual punishment is meted out. Such a disciplinary inquiry would normally require the issuance of a charge sheet, the appointment of an independent inquiry officer (who should not have been involved in the investigation or otherwise in a position of bias vis-a-vis the parties involved), and conducting disciplinary hearings, etc.
With SH complaints, once the investigation is concluded by the IC, the employer will be provided with a copy of the final report by the IC along with recommendations (ie, the disciplinary measures to be taken against the accused) for the employer to implement. The employer would then be required to act upon the recommendations shared by the IC within 60 days.
South Korea
- at Kim & Chang
After completing an investigation, the company may consider the following measures, among others:
- taking disciplinary action against the relevant employees;
- taking legal action (eg, criminal action, civil action) against the relevant employees; and
- taking appropriate remedial measures (eg, strengthening existing policies and establishing new policies, and conducting training).
The company may also consider making a voluntary report to the relevant authorities as discussed in question 25.
Switzerland
- at Bär & Karrer
If the investigation uncovers misconduct, the question arises as to what steps should be taken. Of course, the severity of the misconduct and the damage caused play a significant role. Furthermore, it must be noted that the cooperation of the employee concerned may be of decisive importance for the outcome of the investigation. The possibilities are numerous, ranging, for example, from preventive measures to criminal complaints.[1]
If individual disciplinary actions are necessary, these may range from warnings to ordinary or immediate termination of employment.
[1] David Rosenthal et al., Praxishandbuch für interne Untersuchungen und eDiscovery, Release 1.01, Zürich/Bern 2021, p. 180 et seq.