Workplace Investigations

If physical evidence contains data relating to an individual, from which the identity of the individual can be ascertained,[1] the data would constitute personal data under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). The PDPO sets out several data protection principles that the employer must comply with while processing personal data, including:[2]

• personal data must be collected for a lawful purpose related to a function or activity of the employer and should not be excessive for this purpose. An internal investigation would be regarded as a lawful purpose;
• personal data must be accurate and not kept longer than is necessary;
• personal data must not be used for a purpose other than the internal investigation (or other purposes for which the data was collected) unless the employee consents to a new use or the new use falls within one of the exceptions provided in the PDPO;
• personal data must be safeguarded against unauthorised or accidental access, processing or loss; and
• the employee whose personal data has been collected has the right to request access to and correction of his or her personal data retained by the employer.

If an employer wants to gather evidence through employee monitoring, it should ensure that the act of monitoring complies with the data protection principles of the PDPO if the monitoring activity would amount to the collection of personal data. The Privacy Commissioner for Personal Data has issued guidelines to employers on the steps they can take in assessing whether employee monitoring is appropriate for their businesses.[3] As a general rule, employee monitoring should be conducted overtly. Further, those who may be affected should be notified in advance of the purposes the monitoring is intended to serve, the circumstances in which the system will be activated, what personal data (if any) will be collected and how the personal data will be used.

Covert surveillance of employees should not be adopted unless it is justified by relevant special circumstances. Employers should consider whether there is reason to believe that there is an unlawful activity taking place and the use of overt monitoring would likely prejudice the detection or collection of evidence.[4] Even if covert monitoring is justified, it should target only those areas in which an unlawful activity is likely to take place and be implemented for a limited duration of time.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

Workplace investigations should usually be conducted on a confidential basis to preserve the integrity of the investigation, avoid cross-contamination of evidence and maintain the confidentiality of the employee under investigation. This means that those involved in the investigation (ie, the subject employee and any material witnesses) should be made aware of the fact and substance of the investigation on a need-to-know basis.

While the extent of the confidentiality obligations are usually governed by the employer’s internal policies and the employment contract, there are circumstances where the employer has a statutory duty to keep information unearthed in the investigation confidential. For instance, if it is found that certain property represents proceeds of an indictable offence[1] or drug trafficking[2], or is terrorist property[3], the employer should report its knowledge or suspicion to the Joint Financial Intelligence Unit (JFIU) as soon as is reasonably practicable and avoid disclosure to any other person as such disclosure may constitute “tipping off”. Another example is if a workplace investigation is commenced in response to a regulatory enquiry, the employer may be bound by a statutory secrecy obligation and may not be at liberty to disclose anything about the regulatory enquiry to anyone including those who are subject to the workplace investigation. For example, section 378 of the Securities and Futures Ordinance (SFO) imposes such a secrecy obligation on anyone who is under investigation or assists the Securities and Futures Commission (SFC) in an investigation.[4]

Besides the employee's duty of performance (article 319, Swiss Code of Obligations), the employment relationship is defined by the employer's duty of care (article 328, Swiss Code of Obligations) and the employee's duty of loyalty (article 321a, Swiss Code of Obligations). Ancillary duties can be derived from the two duties, which are of importance for the confidentiality of an internal investigation.[1]

In principle, the employer must respect and protect the personality (including confidentiality and privacy) and integrity of the employee (article 328 paragraph 1, Swiss Code of Obligations) and take appropriate measures to protect the employee. Because of the danger of pre-judgment or damage to reputation as well as other adverse consequences, the employer must conduct an internal investigation discreetly and objectively. The limits of the duty of care are found in the legitimate self-interest of the employer.[2]

In return for the employer's duty of care, employees must comply with their duty of loyalty and safeguard the employer's legitimate interests. In connection with an internal investigation, employees must therefore keep the conduct of an investigation confidential. Additionally, employees must keep confidential and not disclose to any third party any facts that they have acquired in the course of the employment relationship, and which are neither obvious nor publicly accessible.[3]