Workplace Investigations

As part of an investigation, the investigator may want to collect evidence such as camera footage from CCTV, swipe card records, computer records, telephone records or recordings and GPS tracking. There are state-based workplace surveillance laws that operate in each jurisdiction in Australia. The laws recognise that employers are justified in monitoring workplaces for proper purposes, but this is balanced against employees’ reasonable expectations of privacy.

The Privacy Act 1988 (Cth) (Privacy Act) also regulates how certain organisations handle personal information, sensitive personal information and employee records. The Privacy Act contains 13 privacy principles that regulate the collection and management of information. Employers should familiarise themselves with the privacy principles before conducting any investigation to ensure they are not in breach when gathering evidence.

All data processing must comply with the principles of article 5 GDPR (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation and integrity). Personal data may only be collected and processed for specific, lawful purposes.

The admissibility of data processing depends on whether the suspicion relates to a criminal offence or another violation of the law. If the data processing is relevant to criminal law, article 10 GDPR or section 4(3) of the Austrian Data Protection Act (DSG) applies. If the investigations are exclusively to clarify violations under civil or labour law, such as an assertion of claims for damages or if they are general investigations to establish a criminal offence, the permissibility of data processing is based on article 6 or, for data covered by article 9 GDPR, on this provision.

Here, the investigation “collides” with the right to privacy of the persons involved.

First, the rules and principles of the GDPR will apply if personal data is involved. Therefore, the employer will have to find a data-processing ground, which could be his or her legitimate interest or the fact that the investigation could lead to legal proceedings, etc. The data processing should also be limited to what is proportionate and the data subjects should be informed. Due to this obligation, it is arguable that the GDPR policy already provides the necessary information for the employees not to jeopardise the investigation. In any case, data subjects should not be able to use their right to access data to ascertain the preliminary findings of the investigation (which are confidential) or any confidential identities involved (eg, in the whistleblower procedure, the identity of the report should be protected at all times).

Also, the employer should follow the procedure of Collective Bargaining Agreement No. 81 on searching the e-mails or computer files and internet searches of employees. This CBA limits the purposes for searches and lays down a double-phase procedure that needs to be followed if private data is involved. Next to this, the employer should also take into account the case law of the European Court of Human Rights, which only allows e-mail and computer searches based on the following:

• whether the employee has been notified of the possibility that the employer might take measures to monitor correspondence and the implementation of such measures;
• the extent of the monitoring and the degree of intrusion into the employee’s privacy (including a distinction between the monitoring of the flow or the content of the communications);
• whether the employer has provided legitimate reasons to justify monitoring of the communications and accessing of their actual content; and
• whether it would have been possible to establish a monitoring system based on less intrusive measures, the consequences of the monitoring for the employee who is subject to it, and whether the employee had been provided with adequate safeguards.

Next, if the employer wants to use camera images, the rules of Collective Bargaining Agreement No. 68 should have been followed when installing cameras. If not, the images might have been collected illegally.

The Brazilian General Data Protection Law (LGPD) does not have specific rules or principles that apply to internal investigations conducted within private organisations. Despite that, the general principles and obligations set forth by the LGPD apply to any processing of personal data carried out within the context of such investigations. As a result, the company must ensure the transparency of such processing activities through a privacy notice addressed to the data subjects; only process the personal data that is necessary for the investigation; define the lawful basis that applies to such processing activities (especially for sensitive data); and apply any other obligations established by the LGPD.

The Civil Code of the PRC, the Personal Information Protection Law of the PRC and other laws provide for the protection of employees' personal information and privacy. Employers are often involved in checking the information and materials stored in the computers, hard disks and other electronic office equipment provided to employees in internal investigation and are likely to access the employees' personal information including personal privacy information, such as the communication records stored in instant communication software such as WeChat, QQ or other instant communication software or to and from private email boxes. According to the Personal Information Protection Law of the PRC, employers are required to perform the obligation of informing and obtain the individuals' consent prior to the processing of personal information, i.e. the principle of informing + consent. Moreover, the Civil Code of the PRC stipulates that no organization or individual may process any person's private information, except as otherwise provided by law or with the explicit consent of the right holder.

Therefore, the legitimacy of obtaining data evidence can be enhanced and guaranteed only if it is explicitly stated in the relevant rules and regulations that the employer shall have the right to the work equipment provided to the employees or obtains the employees' personal consent.

Generally, the basic principles set out by the GDPR and the Finnish Data Protection Act apply to data processing in connection with investigations, including evidence gathering: there must be a legal basis for processing, personal data may only be processed and stored when and for as long as necessary considering the purposes of processing, etc.

Additionally, if physical evidence concerns the electronic communications (such as emails and online chats) of an employee, gathering evidence is subject to certain restrictions based on Finnish ePrivacy and employee privacy laws. As a general rule, an employee’s electronic communications accounts, including those provided by the employer for work purposes, may not be accessed and electronic communications may not be searched or reviewed by the employer. In practice, the employer may access such electronic correspondence only in limited situations stipulated in the Act on Protection of Privacy in Working Life (759/2004), or by obtaining case-specific consent from the employee, which is typically not possible in internal investigations, particularly concerning the employee suspected of wrongdoing.

However, monitoring data flow strictly between the employee and the employer's information systems (eg, the employee saving data to USB sticks, using printers) is allowed under Finnish legislation, provided that employee emails, chats, etc, are not accessed and monitored. If documentation is unrelated to electronic communications, it also may be reviewed by the employer. Laptops, paper archives and other similar company documentation considered "physical evidence" may be investigated while gathering evidence on the condition that any private documentation, communications, pictures or other content of an employee are not accessed.

GDPR principles fully apply to data gathering, as well as case law protecting the right to respect one’s private life and the secret of correspondence.

When collecting data (in physical or digital form), the employer must ensure compliance with the data protection principles according to the General Data Protection Regulation (DSGVO) and the German Data Protection Act (BDSG). These principles include, among other things, that data collection must be carried out lawfully (principle of legality) and transparently (transparency principle) and must be comprehensively documented – specifically concerning the purpose of the workplace investigation – to be able to prove compliance with data protection.

The principle of legality states that data may only be collected on a legal basis (ie, there must either be a law authorising this or the employee must have consented to the collection of his data).

The transparency principle may constitute a special challenge during workplace investigations. Under the transparency principle, the employee must be generally informed about the collection of his data. This includes information on who processes the data, the purposes for which it is processed and whether the data is made available to third parties. However, there may be a risk of collusion, particularly when electronic data has to be reviewed, and thus the success of the investigation may be jeopardised if the relevant employee is comprehensively informed in advance. Accordingly, the employer should check, with the assistance of the data protection officer, whether the obligation to provide information may be dispensed with. This may be the case if providing the information would impair the assertion, exercise or defence of legal claims and the interests of the employer in not providing the information outweigh the interests of the employee. The respective circumstances and employer's considerations should be well documented in each case.

Regardless of whether the employee is informed about the investigation, to prevent data loss, the employee should be sent a so-called hold notice (ie, a prohibition to delete data). Additionally, to prevent automatic deletion, blocking mechanisms should also be implemented.

When gathering evidence by searching the employee's possessions or files, the employee's privacy rights also need to be observed (see question 8).

GDPR and the provisions of L. 4624/2019 regulate the gathering of physical evidence from a data protection perspective, providing, among other things, that personal data should be processed with transparency and to the extent necessary for the investigation.

L.4990/2022 on the protection of persons who report breaches of Union law regulates data protection issues in the context of whistleblowing investigations, mainly to safeguard confidentiality throughout the investigations.  

If physical evidence contains data relating to an individual, from which the identity of the individual can be ascertained,[1] the data would constitute personal data under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). The PDPO sets out several data protection principles that the employer must comply with while processing personal data, including:[2]

• personal data must be collected for a lawful purpose related to a function or activity of the employer and should not be excessive for this purpose. An internal investigation would be regarded as a lawful purpose;
• personal data must be accurate and not kept longer than is necessary;
• personal data must not be used for a purpose other than the internal investigation (or other purposes for which the data was collected) unless the employee consents to a new use or the new use falls within one of the exceptions provided in the PDPO;
• personal data must be safeguarded against unauthorised or accidental access, processing or loss; and
• the employee whose personal data has been collected has the right to request access to and correction of his or her personal data retained by the employer.

If an employer wants to gather evidence through employee monitoring, it should ensure that the act of monitoring complies with the data protection principles of the PDPO if the monitoring activity would amount to the collection of personal data. The Privacy Commissioner for Personal Data has issued guidelines to employers on the steps they can take in assessing whether employee monitoring is appropriate for their businesses.[3] As a general rule, employee monitoring should be conducted overtly. Further, those who may be affected should be notified in advance of the purposes the monitoring is intended to serve, the circumstances in which the system will be activated, what personal data (if any) will be collected and how the personal data will be used.

Covert surveillance of employees should not be adopted unless it is justified by relevant special circumstances. Employers should consider whether there is reason to believe that there is an unlawful activity taking place and the use of overt monitoring would likely prejudice the detection or collection of evidence.[4] Even if covert monitoring is justified, it should target only those areas in which an unlawful activity is likely to take place and be implemented for a limited duration of time.

In India, the collection, disclosure, transfer and storage of personal data is regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPD Rules). Accordingly, if during an investigation any sensitive personal information (such as information relating to passwords; financial information such as a bank account, credit or debit card or other payment instrument details; a physical, physiological or mental health condition; sexual orientation; medical history; and biometric information) is collected, then the requirements under the SPD Rules will need to be complied with. This would include obtaining an individual’s “informed consent” before collecting any sensitive personal data if such information is intended to be collected or stored in an electronic format.

Under the GDPR (General Data Protection Regulation), personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. The Data Protection Commission published Data Protection in the Workplace: Employer Guidance in April 2023, which is a useful guide.

Employers should exercise caution when gathering physical evidence that may involve the use of CCTV or other surveillance practices. The Irish Court of Appeal in the case of Doolin v DPC examined the use by an employer of CCTV footage for disciplinary purposes and found such use constituted unlawful further processing. The original reason for processing the CCTV footage was to establish who was responsible for terrorist-related graffiti that was carved into a table in the staff tearoom. It subsequently transpired Mr Doolin, who was in no way connected to the graffiti incident, had accessed the tearoom for unauthorised breaks and a workplace investigation followed. The original reason for viewing the CCTV related to security, but further use of the CCTV footage in the disciplinary investigation was not related to the original reason. This case confirms that employers must have clear policies in place in compliance with both GDPR and the Data Protection Act 2018 specifying the purpose for which CCTV or any other monitoring system is being used. Not only that, but these policies must be communicated to employees specifying the use of such practices.

It is not only data about the investigation that must be processed fairly, but any retention of the data, which can only be further processed with good reason. It is a legitimate business reason to retain data to deal with any subsequent requests or appeals under various internal or statutory processes, provided employees have been advised of the relevant retention period.

Several legal and case-law principles may be relevant depending on the kind of investigation, including the following:

• gathering evidence through employee “physical inspections and inspections on the employee’s belongings”: according to article 6 of the Workers’ Statute, these inspections are generally prohibited. They are permitted only where necessary to protect company assets (in such cases, corporal inspections may be carried out, subject to trade union agreement or National Labour Inspectorate authorisation, provided that, for example, they are carried out outside the workplace, that employees are selected with an automatic selection tool, and that the dignity and confidentiality of employees are protected);
• gathering evidence through “audiovisual equipment and other instruments from which the possibility of remote control of employees’ activities arises”: according to article 4 of the Workers’ Statute, remote systems cannot be directly aimed at controlling employees’ activity, but can only be put in place for organisational, production, work safety or asset-protection needs (which may result in an indirect control over employees’ activity), and may be installed before a trade union agreement or with previous authorisation from the National Labour Inspectorate; however, these rules do not apply to working tools in an employee’s possession (see question 8) and, in any case, employees must be informed of the possibility of remote control;
• gathering physical evidence through so-called defensive controls: according to the most recent case law, “defensive controls” can be defined as investigations carried out by the company where it has a suspicion of unlawful conduct by its employees. These controls can be carried out within certain limits and restrictions provided by case law – even in the absence of the guarantees provided for in article 4 of the Workers’ Statute.

In addition, when gathering physical evidence, there may be other provisions of law not strictly related to employment law that must be followed, for example, regarding privacy regulations (eg, minimisation of the use of personal data, collection of data only for specific purposes, and adoption of safety measures).

When collecting physical evidence that contains personal information, the Personal Information Protection Law and its related guidelines apply. In addition, when collecting physical evidence that contains privacy information or an employee's photograph, care must be taken to ensure that the right to privacy and the image rights are not violated.

Dutch data protection rules are based on the EU Data Protection Directive. The employer has to notify the Dutch Data Protection Authority when processing personal data as part of an internal investigation. Given that the notification can be accessed publicly, it is recommended that the employer give a sufficiently high-level description of the case. In addition, the description should be sufficiently broad to include the entire investigation, and any future expansions of the scope of the investigation. Often companies make filings for all future internal investigations, without referring to specific matters.

The employer has to notify employees whose personal data is being processed about – among other things – the purposes of the investigation and any other relevant information. According to the Dutch Data Protection Act, this information obligation may only be suspended on restricted grounds, i.e. if the purpose of the investigation is the prevention, detection and prosecution of crimes and postponement is necessary for the interests of the investigation (e.g., because there is a risk of losing evidence, or collusion by individuals coordinating responses before being interviewed)). These exceptions on the duty to inform involved persons must be interpreted very restrictively. As soon as the reason for postponement is no longer applicable (e.g., because the evidence has been secured), the individuals need to be informed.

Dutch data protection law does not require the consent of employees. Consent given by employees, however, also cannot compensate for a lack of legitimate purpose or unnecessary or disproportionate data processing, as the consent given by an employee to its employer is not considered to be voluntary given the inequality of power between them.

Furthermore, internal company policies may contain specific data protection rules.

When gathering evidence, the person being investigated is protected by the Constitution, the Freedom of Information Act and the Nigerian Data Protection Regulation (NDPR), among others.

The Constitution, particularly section 37, guarantees the right of a person to privacy.

The NDPR is the main data protection regulation in Nigeria. It regulates the processing and transfer of personal data.

Further, the Freedom of Information Act, 2011 prohibits the disclosure of information gathered during an investigation to the public.

The procedure for gathering physical evidence is governed primarily by company policy. Nevertheless, the Data Privacy Act of the Philippines protects all data subjects from unlawful processing of their personal information without consent.

If personal data is involved – the rules and principles of the GDPR will apply. If the physical evidence includes e-mail correspondence, files, or an employee’s equipment and possessions, the Labour Code will apply (ie, as a general rule, to monitor it, a monitoring policy must be implemented at that working establishment). Such a policy must strictly determine the aim of the surveillance and an employer must only apply surveillance in situations that reflect this aim. Also, when it comes to monitoring correspondence, it must not infringe on the secrecy of the correspondence, which in practice means that the employer should not check employees’ private correspondence when checking their business mailboxes.

Whenever employers process personal data in the course of an investigation, they need to comply with Regulation (EU) 2016/679 (the GDPR) and Law 58/2019, which implements the GDPR in Portugal (jointly the Data Protection Regulations). If the gathering of physical evidence includes the collection and processing of sensitive data (eg, related to the employee’s health or any other category outlined in article 9 of the GDPR), additional safety measures should be in place to safeguard the adequate and confidential nature of such information.

The employer may collect the personal data of an individual without the individual’s consent or from a source other than the individual, where it is necessary for any investigation according to section 17(1) read with paragraph 4 of Part 3 of the Third Schedule of the Personal Data Protection Act 2012 (PDPA). Under section 2(1) of the PDPA, “investigation” means an investigation relating to:

• a breach of an agreement;
• a contravention of any written law, or any rule of professional conduct or other requirement imposed by any regulatory authority in the exercise of its powers under any written law; or
• a circumstance or conduct that may result in a remedy or relief being available under any law.

Under the Banking Act 1970, a bank and its officers cannot disclose customer information to third parties, subject to certain exceptions. An employer carrying out a workplace investigation does not fall within any of the exceptions.

It may be difficult for a company to search and collect physical items that personally belong to the employee.

While the company may search and gather electronic data, such as emails or files stored in work laptops or company servers, there are requirements and restrictions under the Criminal Code, the Personal Information Protection Act (PIPA), and the Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc (Network Act), among other laws. 

Article 316(2) of the Criminal Code states that accessing the contents of another person’s documents, pictures, special media records, etc, that are sealed or designated as secret using technical means may constitute the crime of accessing electronic records.

Under the PIPA, consent must be obtained from the information owner to collect or use personal information, or to provide such information to a third party. Consent must be separately obtained for sensitive information or unique identification information. There are strict requirements as to the format and contents of the consent forms under the PIPA.

The Network Act prohibits accessing an information and communications network without rightful authority or any intrusion that goes beyond the permitted authority for access. Although this may not be an issue if a company directly manages the email accounts at issue, if an employee’s email account is protected by a password or through other means, accessing emails from that account without obtaining the employee’s consent could constitute unlawful intrusion under the Network Act as well as under the Criminal Code as discussed above.

The General Data Protection Regulation and the Spanish Data Protection Law apply when gathering any type of evidence, including physical evidence. This means that companies may only process personal data when they have lawful grounds to do so and within the limits set forth for special categories of personal data (health, union affiliation, criminal records, etc.).

The Spanish Statute of Workers specifically states that employees and their possessions may be registered when it is necessary to protect the companies’ property (or the property of other co-workers). This registration must:

• be conducted in the workplace and during working hours;
• respect the employee’s privacy and dignity; and
• be performed in front of an employee representative or, if not possible, in the presence of another employee of the company.

To the extent the gathering of physical evidence includes the processing of personal data, please see question 1.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

The basic premise is that all evidence is admissible unless it violates the law of admissibility and production of evidence, which may vary depending on the jurisdiction. In a criminal court, for example, evidence gathered in violation of the fruit of the poisonous tree doctrine would be typically inadmissible, yet in a civil court, this doctrine would not be an exclusionary rule.

The Personal Data Protection Act, BE 2562 (2019) (PDPA), which is the main data protection law in Thailand, applies when collecting, using, and disclosing pieces of evidence containing the personal data of employees. If the investigation requires sensitive information of the employee under investigation, for example, race, ethnic origin, political opinion, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, genetic data and biometric data, consent from the employee should be obtained.

The conditions applicable to gathering physical evidence mainly stem from the precedents of the Turkish Constitutional Court about employment disputes and the rules set forth under Turkish Law No. 6698 on the Protection of Personal Data (DPL). It is generally accepted that employers can gather physical evidence for certain legitimate purposes, such as disciplinary investigations, the prevention of bribery and corruption, fraud or theft, money laundering, and employee performance monitoring and compliance. In doing so, employers must, however, comply with the fundamental principles of the Turkish Constitutional Court as briefly described below:

• The grounds for the gathering of evidence must be legitimate. The definition of the legitimate interests of the employer may change depending on the characteristics of the business, workplace and employee job description, as well as the specific circumstances of the case. Therefore, it is advisable to carry out a balancing test between the legitimate interest the employer is seeking to protect and the employee’s interest in the protection of their privacy.
• The collection activities must be proportionate, in the sense that the measure implemented by the employer must be appropriate and reasonably necessary to achieve the legitimate purpose, without infringing upon the fundamental rights and freedoms of the employees. For instance, e-mail monitoring to collect evidence may not be proportionate if it is determined that e-mails that are not related to the incident subject to investigation are also accessed. To achieve this, certain keywords or algorithms can be used while monitoring e-mails during a disciplinary investigation.
• The collection process must be necessary to achieve the purpose. In other words, the collection of physical evidence must only be carried out to the extent there are no other measures allowing the employer to achieve its purpose, such as witness testimony, workplace records, or examining the results of projects. If the purpose can be achieved through less invasive means, the collection of physical evidence may not comply with the principles established by the decisions of the Constitutional Court.

Separately, depending on the type of physical evidence collected, the collection process may lead to the processing of the concerned employees’ personal data. Under the DPL, personal data collected in Turkey can only be processed if the explicit consent of the data subject is obtained; or the data is processed based on one of the exceptions to consent provided by the law. To the extent the data processing can be deemed to be based on the pursuit of a legitimate interest of the employer, it should also meet the following conditions:

• it should be the most convenient and efficient method to identify any employee wrongdoing to protect the legitimate interests of the company; and
• the data processing should not harm the fundamental rights and freedoms of the employees.

The employer should in any case comply with the obligation to inform employees before the processing of their data, through a privacy notice containing mandatory information required by the DPL.

In addition, as a general principle, the evidence-gathering process should always be conducted based on the assumption that the internal investigation can lead to litigation. Any evidence that will be used in litigation needs to have been gathered in compliance with the law. In both criminal and civil litigation, the courts will review each piece of evidence to confirm whether it was gathered through lawful methods and disregard any evidence that fails to comply with due process.

Most forms of workplace surveillance involve the processing of personal data that is regulated by the UK GDPR and DPA 2018. The UK GDPR requires that personal data must be processed lawfully, fairly and in a transparent manner; it also must be adequate, relevant and limited to what is necessary concerning the purposes for which it is processed.

Employers should ensure that they have undertaken a data protection impact assessment (DPIA) to document the lawful basis for processing data, and informed employees that their files may be searched before proceeding. They should also ideally have a clear policy on the use of electronic communications systems, detailing when, how and for what purpose they may be monitored by the employer. In Q3 2023 the ICO produced new guidance on monitoring workers (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment/monitoring-workers/) and on email and security (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/email-and-security/) which employers should bear in mind during investigations. Employers should also be prepared to make the data collected through employee monitoring available to employees, should the employee submit a data subject access request under the DPA 2018.

The IPA 2016 makes it unlawful in certain circumstances to intercept a communication (such as one on an employer’s telephone or computer network) in the course of its transmission in the UK. The IPA Regs 2018 set out the circumstances where, in a business context, such interception will be lawful. These include monitoring or recording communications without consent to: establish the existence of facts; ascertain compliance with the regulatory or self-regulatory practices or procedures relevant to the business; ascertain or demonstrate standards which are or ought to be achieved by persons using the system; and prevent or detect crime.

Covert surveillance can lead to a breach of an employee's right to privacy under the HRA 1998. The employer will need to consider if covert surveillance is proportionate, which will depend on the facts of each case. Employers should be careful not to use the investigation as an excuse to undertake a "fishing expedition", and should avoid gathering material that is obviously personal, such as private messages and diary entries (see question 8).

Documents and instruments that set out a company’s policies (eg, employee handbooks, code of conduct or other written guidelines) often contain provisions regarding employee data and document collection, workplace searches, communication monitoring, privacy, and confidentiality. As discussed below, state and federal constitutional, statutory and common law – and in some cases foreign data privacy regimes – may provide additional protections to protect employees from an unwarranted or unreasonable invasion of privacy during an internal investigation.

Decree No. 13/2023/ND-CP on personal data protection is the main data protection regulation in Vietnam. It regulates the processing of personal data, including the collection or gathering of data. If the physical evidence contains personal data of an individual, the gathering of physical evidence must comply with this decree.