Workplace Investigations
Contributing Editors
Workplace investigations are growing in number, size and complexity. Employers are under greater scrutiny as of the importance of ESG rises. Regulated industries such as finance, healthcare and legal face additional hurdles, but public scrutiny of businesses and how they treat their people across the board has never been higher. Conducting a fair and thorough workplace investigation is therefore critical to the optimal operation, governance and legal exposure of every business.
IEL’s Guide to Workplace Investigations examines key issues that organisations need to consider as they initiate, conduct and conclude investigations in 29 major jurisdictions around the world.
Learn more about the response taken in specific countries or build your own report to compare approaches taken around the world.
Choose countries
Choose questions
Choose the questions you would like answering, or choose all for the full picture.
10. What confidentiality obligations apply during an investigation?
10. What confidentiality obligations apply during an investigation?
Australia
Australia
- at People + Culture Strategies
- at People + Culture Strategies
- at People + Culture Strategies
Confidentiality protects the interests of the persons involved in the investigation as well as the integrity of the investigation. Before providing information as part of the investigation, employers should direct the complainant, respondent or witnesses to sign confidentiality agreements. This agreement should direct the person to refrain from discussing the investigation or matters that are the subject of the investigation with any person other than the investigator.
It is also best practice for participants in the investigation to be directed not to victimise (threaten or subject to any detriment) any persons who are witnesses to or are otherwise involved in the investigation.
After an investigation, employers should write to the complainant, respondent and any witnesses reminding them of their ongoing confidentiality obligations.
Austria
Austria
- at GERLACH
- at GERLACH Rechtsanwälte
If the report and the whistleblower fall within the scope of the Whistleblowing Directive, his or her identity must be protected. From a data protection perspective, the principles of the DSG must be observed to protect the legitimate confidentiality of the individuals concerned.
Furthermore, the employer should ensure that information is only disclosed to trustworthy persons to avoid pre-judgements.
Belgium
Belgium
- at Van Olmen & Wynant
A workplace investigation is often a sensitive matter that requires necessary confidentiality to find out the truth discreetly and objectively. Nevertheless, there is often pressure from employees, trade unions or even the media and general public to be transparent and communicate about the case. From a legal perspective, it is not recommended to communicate openly about an ongoing investigation, as this can jeopardise the investigation or the possibility of taking disciplinary measures.
Whistleblower investigations will be bound by a strict duty of confidentiality regarding anything that could reveal the identity of the reporter.
In complaints due to sexual harassment, violence or bullying at work, the prevention adviser is bound by professional secrecy. Consequently, he or she may not disclose to third parties any information about individuals that have come to his or her knowledge in the performance of his or her duties. However, he or she still has the freedom to inform the people concerned to carry out his or her tasks in the procedure.
Brazil
Brazil
- at CGM
- at CGM
Law 14.457/2022 states that companies must guarantee the anonymity of accusers. As a result, it is best practice that companies allow for anonymous submissions, or allow accusers to voluntarily disclose their identity while acknowledging that they agree that it will be kept confidential to the extent required by the investigation.
Also, companies should have internal rules stating that all parties involved in an investigation (accusing party, accused party, witnesses, investigators, and any other person that has any contact with the investigation) must keep the existence of the investigation and of the events related to the investigation confidential to the extent required by the investigation, and discipline any individuals that violate this.
China
China
- at Jingtian & Gongcheng
- at Jingtian & Gongcheng
- at Jingtian & Gongcheng
- at Jingtian & Gongcheng
Although there are no specific laws or regulations regulating the extent of confidentiality obligation employers or the investigators shall comply with, in practice, the confidentiality obligation of both parties usually originates from the confidentiality agreement between the employee and the employer, as well as general provisions on protection of personal information and right of privacy, etc.
In this regard, it is advisable to require the relevant personnel responsible for handling the suspension for investigation to sign a confidentiality agreement or a letter of commitment, and require them to pay attention to the protection of the personal information and privacy of the complainant and other relevant personnel, for the purpose of avoiding extra losses caused by the occurrence of disputes relating to right of reputation, right of privacy and personal information leakage during the investigation.
Finland
Finland
- at Roschier
- at Roschier
Concerning a workplace investigation, there is no specific legislation in force at the moment regarding confidentiality obligations. All normal legal confidentiality obligations (eg, obligations outlined in the Trade Secrets Act (595/2018)), and if using an external investigator, the confidentiality obligations outlined in the agreement between the employer and the external investigator, apply. Attorneys-at-law always have strict confidentiality obligations as per the Advocates Act (496/1958).
France
France
- at Bredin Prat
- at Bredin Prat
Interviewers, investigators, interviewees or any others involved in the investigation are often bound by a reinforced confidentiality obligation, particularly when the internal investigation is triggered by a whistleblower alert. In addition, every person that comes to know of the investigation, facts or people involved is bound by an obligation of discretion. Furthermore, investigators should specifically be trained for interviews and be reminded of their obligations relating to the investigation.
The investigators will need to determine the order of the tasks to be carried out in the investigation, as this will have a significant impact on confidentiality management. Should they start with the hearings or a review of documents? The answer may depend on the subject matter of the investigation. It is advisable to first review the documentation before organising interviews, particularly to avoid the destruction of certain documents by employees acting in bad faith or by those wishing to erase the traces of alleged wrongdoing. Sometimes, however, it is possible to start with the interviews, especially in the case of harassment, as there may be no documents to review. If the decision is taken to conduct the documentation review after the interviews, it could be useful to ask the employees involved to sign a document stating that they must preserve and retain documents, meaning that if they delete or destroy documents, they would be acting against the company and in breach of the law.
Germany
Germany
- at Hengeler Mueller
- at Hengeler Mueller
- at Hengeler Mueller
Depending on the subject of the investigation and the severity and significance of the suspected violation, employees who are involved in the workplace investigation may already have to maintain confidentiality based on their contractual duties. The prerequisite for this is that the employer has a legitimate interest in maintaining confidentiality. Criminal acts are not subject to confidentiality, but there is also no general obligation for the employee to report or disclose a criminal act to the authorities or the public prosecutor. However, reporting to the competent authorities may be required in certain cases (see question 25).
Lawyers are bound by professional confidentiality and are generally not allowed to provide information about any information they receive from their clients. An exception exists, for example, if the lawyer must provide information to defend himself in court proceedings. There is also no absolute protection against the seizure of documents at an attorney’s office (see question 14).
Greece
Greece
- at Karatzas & Partners
- at Karatzas & Partners
- at Karatzas & Partners
- at Karatzas & Partners
Confidentiality applies as a general principle in disciplinary investigations.
Moreover, L. 4990/2022, which transposed EU Directive 2019/1937 into Greek Law, regulates the issue of confidentiality during investigations that start based on an internal report. The managers conducting the investigation must respect and abide by the rules of confidentiality regarding the information they have become aware of when exercising their duties[1]. They must also protect the complainant’s and any third party’s (referred to in the report) confidentiality by preventing unauthorised persons from accessing the report[2].
Finally, L. 4808/2021 provides that employers must create a procedure that should be communicated to employees regarding all the necessary steps of an investigation following a complaint. Throughout the whole process, the employer, managers and the employer’s representatives responsible for the investigation must respect and abide by the rules of confidentiality in a manner that safeguards the dignity and personal data of the complainant and the person under investigation[3].
[1] Law 4990/2022, art. 9 par.8(b)
[2] Law 4990/2022, art. 10 par. 2(e)
[3] Law 4808/2021 art. 5 par.1(a) and 10 par.2(b)
Hong Kong
Hong Kong
- at Slaughter and May
- at Slaughter and May
- at Slaughter and May
Workplace investigations should usually be conducted on a confidential basis to preserve the integrity of the investigation, avoid cross-contamination of evidence and maintain the confidentiality of the employee under investigation. This means that those involved in the investigation (ie, the subject employee and any material witnesses) should be made aware of the fact and substance of the investigation on a need-to-know basis.
While the extent of the confidentiality obligations are usually governed by the employer’s internal policies and the employment contract, there are circumstances where the employer has a statutory duty to keep information unearthed in the investigation confidential. For instance, if it is found that certain property represents proceeds of an indictable offence[1] or drug trafficking[2], or is terrorist property[3], the employer should report its knowledge or suspicion to the Joint Financial Intelligence Unit (JFIU) as soon as is reasonably practicable and avoid disclosure to any other person as such disclosure may constitute “tipping off”. Another example is if a workplace investigation is commenced in response to a regulatory enquiry, the employer may be bound by a statutory secrecy obligation and may not be at liberty to disclose anything about the regulatory enquiry to anyone including those who are subject to the workplace investigation. For example, section 378 of the Securities and Futures Ordinance (SFO) imposes such a secrecy obligation on anyone who is under investigation or assists the Securities and Futures Commission (SFC) in an investigation.[4]
[1] OSCO section 25A(5). A person who contravenes the section is liable on conviction on indictment to a fine of $500,000 and to imprisonment for 3 years, or upon summary conviction to a fine of $100,000 and to imprisonment for 1 year.
[2] DTROPO section 25A(1). A person who contravenes the section is liable on conviction on indictment to a fine of $500,000 and to imprisonment for 3 years, or upon summary conviction to a fine of $100,000 and to imprisonment for 1 year.
[3] UNATMO section 12(1). A person who contravenes the section is liable on conviction to a fine and to imprisonment for 3 years, or upon summary conviction to a fine of $100,000 and to imprisonment for 1 year.
[4] A person who fails to maintain secrecy is liable upon conviction on indictment to a maximum fine of $1 million and imprisonment for up to two years (or upon summary conviction, to a maximum fine of $100,000 and imprisonment for up to six months).
India
India
- at Trilegal
- at Trilegal
- at Trilegal
Indian labour statutes do not contain any specific confidentiality obligations concerning investigations. However, in practice, the records of investigative or disciplinary proceedings should be kept confidential and shared only on a need-to-know basis to ensure that the parties do not suffer prejudice. The internal policies should also include provisions on confidentiality.
The SH Act, however, provides that certain information must not be published or made known to the public, press and media such as:
- the contents of the SH complaint;
- the identity and addresses of the complainant, accused and witnesses;
- any information on the conciliation and inquiry process;
- the recommendations of the IC; and
- action to be taken by the employer.
The SH Act permits the dissemination of information regarding remedies extended to any victim without disclosing the name, address or identity of the victim or witnesses. The SH Act also outlines punishments for violating confidentiality obligations.
Ireland
Ireland
- at Ogier
- at Ogier
This will depend on the nature of the investigation but, generally, investigations should be conducted on a confidential basis. All who participate in the investigation should be informed and reminded that confidentiality is a paramount consideration taken very seriously. However, it should be borne in mind that confidentiality cannot be guaranteed by an employer as the respondent in an investigation is entitled to know who has made complaints against them. Furthermore, the respondent is entitled to cross-examine the complainant and any witnesses, although in practice this right is rarely invoked strictly and is facilitated by the investigator, with questions from the respondent being put to the complainant and other witnesses.
On occasion, a breach of confidentiality may warrant disciplinary action, but this will depend on the circumstances. Exceptions to the requirement to keep matters confidential will of course apply where employees seek support and advice from others such as companions, trade union representatives or legal advisors. It may also not be possible to maintain confidentiality where regulators or the authorities are informed of the investigation.
Also, confidentiality may not be maintained if it is in the interests of the employer to communicate the complaint and any subsequent investigation, for example on a health and safety basis.
Italy
Italy
- at BonelliErede
- at BonelliErede
From an employment law perspective, confidentiality obligations may be seen from two different points of view:
- as a general duty of the employee related to the employment relationship, according to article 2105 of the Italian Civil Code, a “loyalty obligation”, which includes confidentiality obligations. On top of these, there are usually further confidentiality clauses in individual employment contracts; and
- as a general duty (linked to the outcome of the investigation) of the employer to keep confidential the identity of the employee who cooperates during the investigation (as whistleblower or a witness) to protect him or her.
In defensive criminal law investigations, the witness can’t reveal questions or answers given in his or her interview to a third party.
With regards to the confidentiality applicable to the whistleblower, see above under question 9 and below under question 12.
Japan
Japan
- at Mori Hamada & Matsumoto
See question 9 for the confidentiality obligations of a whistleblower response service employee.
Other than the above, there is no specific legal obligation to maintain confidentiality for persons in charge of investigations, etc. However, if the information falls under the category of confidential information obtained by employees in the course of their work, compliance is required as an obligation attached to a labour contract, and many employment regulations stipulate a duty to keep information obtained in the course of work confidential.
Netherlands
Netherlands
- at De Brauw Blackstone Westbroek
- at De Brauw Blackstone Westbroek
- at De Brauw Blackstone Westbroek
The principle of due care requires employers to act prudently when it comes to sharing the identity of persons involved, such as complainants and implicated persons; and investigative findings, notably when certain employees may be implicated. As a result, such information is usually shared within an employer to designated departments on a need-to-know basis only. Additional safeguards as to the protection of whistleblowers' identities apply since the Whistleblower Directive (see question 9) was implemented in Dutch law. Also, see question 13 for the confidentiality obligations of employees vis-à-vis their employer.
Nigeria
Nigeria
- at Bloomfield LP
Workplace investigations should be kept strictly confidential to protect the parties involved in the investigation from victimisation. Some of the confidential obligations that apply during investigations are the identities of the parties involved in the process (whether as a complainant, respondent or witnesses), the confidentiality of reports, recordings and other documents generated or discovered during the investigation, as well as attorney-client privilege between the employee and his or her attorney, provided that such privilege is within the bounds of the law.
Philippines
Philippines
- at Villaraza & Angangco
Since the right to investigate ultimately belongs to the employer, it may impose strict confidentiality obligations upon the individuals involved, not only to ensure unhampered investigation proceedings but also and more importantly for the protection of the company and employees involved.
Poland
Poland
- at WKB Lawyers
- at WKB Lawyers
- at WKB Lawyers
The law does not cover this issue, apart from whistleblower regulations, as it should be regulated by the employer in their internal rules. The employer should ensure all participants of the investigation keep information related to it secret, as long as is necessary for the investigation (or even longer, if required by law concerning personal data or other specially protected information). Reputation, personal data and the personal rights of other people cannot be breached during the proceedings and this should be protected.
Moreover, according to the Draft Law – a whistleblower’s personal data should be kept confidential. It can only be disclosed if law enforcement authorities require it. Also, confidentiality should be guaranteed for the subject and other interested persons.
Portugal
Portugal
- at Uría Menéndez - Proença de Carvalho
The Portuguese Labour Code does not specifically provide for any confidentiality obligations concerning disciplinary procedures. On the contrary, it states that the employee should have access to any information included in the disciplinary procedure. Otherwise, the employee’s defence rights could be jeopardised, which would make the disciplinary procedure (and possible disciplinary sanctions) null and void.
As for the witnesses, even though there is no specific provision on confidentiality, employees are generally bound by a duty of loyalty vis-a-vis the employer, which includes not disclosing information that should be kept reserved,
However, in the cases of whistleblowing, it is mandatory to ensure the confidentiality of the complainant, as per question 9.
Singapore
Singapore
- at Rajah & Tann Singapore
- at Rajah & Tann Singapore
- at Rajah & Tann
The existence and scope of any confidentiality obligations would generally depend on the specific terms of the employment contract, employee handbook or the employer’s internal policies and procedures in dealing with the investigations.
In the context of investigations into workplace harassment issues, the Tripartite Advisory on Managing Workplace Harassment issued by the MOM provides that the identities of the alleged harasser, affected persons and the informant should be protected unless the employer assesses that disclosure is necessary for safety reasons.
This may change with the enactment of the Workplace Fairness Legislation referred to in question 1. The Tripartite Committee on Workplace Fairness recommended, among other things, that employers should protect the confidentiality of the identity of persons who report workplace discrimination and harassment, where possible. As such, it is expected that the upcoming Workplace Fairness Legislation may impose certain confidentiality obligations on an employer during an investigation.
South Korea
South Korea
- at Kim & Chang
- at Kim & Chang
- at Kim & Chang
- at Kim & Chang
It is general practice in Korea for a company to require interviewees to maintain confidentiality concerning a workplace investigation and instruct them that they are not permitted to discuss the matter under investigation with other employees, etc. If an employee violates this instruction, it may be possible for the company to take disciplinary action against them under the company’s rules.
Further, the company or its employees who have engaged in an investigation for sexual harassment or workplace harassment in the workplace are obliged to maintain the confidentiality of the investigation. Failure to comply with such requirements may lead to an administrative fine from the Ministry of Employment and Labour for the company or its registered representative.
There may be some exceptions to the confidentiality obligation, such as when an employee is required by government authorities to provide relevant information in a parallel investigation.
Spain
Spain
- at Uría Menéndez
- at Uría Menéndez
Companies and employees are not bound by any statutory confidentiality obligation in the context of workplace investigations. However, if a company’s enquiry has the potential to examine employees’ private affairs, then the company must ensure the confidentiality of the investigation.
This confidentiality obligation would not arise from the investigation itself, but from the company’s obligation to safeguard its employees’ rights.
Sweden
Sweden
- at Mannheimer Swartling
- at Mannheimer Swartling
- at Mannheimer Swartling
If the Swedish Whistleblowing Act applies, the persons or entities handling the investigation have a duty of confidentiality and may not, without permission, disclose any information that could reveal the identity of the reporting person, any person subject to the report or any other person mentioned in the report or during the investigation of the report. Access to personal data is limited to designated competent entities or persons. Investigative material including personal data may not be shared with other persons or entities during the investigation. Once the investigation has reached actionable conclusions, investigative material may be shared with other persons or entities, such as HR or the police, provided that such sharing is necessary to take action on the outcome of the investigation. Investigative material may also be shared if it is necessary for the use of reports as evidence in legal proceedings or under the law or other regulations.
If the Swedish Whistleblowing Act does not apply, there are no particular confidentiality obligations for employers. Yet, an employer needs to consider what information is suitable to share during an investigation, how this is done and to whom it is shared. An employer must also respect employees’ privacy in line with what is generally considered good practice in the labour market. This means that an employer should be careful as to what sensitive and personal information is shared during an investigation. Furthermore, the spreading of damaging information (even if true) about an employee to a wider group may be a criminal offence under the Swedish Criminal Code.
Switzerland
Switzerland
- at Bär & Karrer
- at Bär & Karrer
Besides the employee's duty of performance (article 319, Swiss Code of Obligations), the employment relationship is defined by the employer's duty of care (article 328, Swiss Code of Obligations) and the employee's duty of loyalty (article 321a, Swiss Code of Obligations). Ancillary duties can be derived from the two duties, which are of importance for the confidentiality of an internal investigation.[1]
In principle, the employer must respect and protect the personality (including confidentiality and privacy) and integrity of the employee (article 328 paragraph 1, Swiss Code of Obligations) and take appropriate measures to protect the employee. Because of the danger of pre-judgment or damage to reputation as well as other adverse consequences, the employer must conduct an internal investigation discreetly and objectively. The limits of the duty of care are found in the legitimate self-interest of the employer.[2]
In return for the employer's duty of care, employees must comply with their duty of loyalty and safeguard the employer's legitimate interests. In connection with an internal investigation, employees must therefore keep the conduct of an investigation confidential. Additionally, employees must keep confidential and not disclose to any third party any facts that they have acquired in the course of the employment relationship, and which are neither obvious nor publicly accessible.[3]
[1] Wolfgang Portmann/Roger Rudolph, BSK OR, Art. 328 N 1 et seq.
[2]Claudia Fritsche, Interne Untersuchungen in der Schweiz, Ein Handbuch für Unternehmen mit besonderem Fokus auf Finanzinstitute, p. 202.
[3] David Rosenthal et al., Praxishandbuch für interne Untersuchungen und eDiscovery, Release 1.01, Zürich/Bern 2021, p. 133.
Thailand
Thailand
- at Chandler MHM
- at Chandler MHM
Unless the investigation is handled by a qualified professional (eg, attorney or auditor) where certain privileges apply, confidentiality obligations are generally subject to the contractual arrangement between the parties involved in the investigation. The employers need to inform any persons, including the investigators, to respect confidentiality obligations because a leak of the information gathered from the investigations could cause damage to relevant parties.
Turkey
Turkey
- at Paksoy
- at Paksoy
- at Paksoy
- at Paksoy
As a general practice, workplace investigations need to be kept confidential for the integrity of the process. In some cases, employees can specifically request their identity or involvement be kept confidential. In such cases, additional measures need to be taken to protect confidentiality. In any case, obligations and rights arising from the DPL and Labour Law must be respected and complied with by the employer and the investigation team.
United Kingdom
United Kingdom
- at Slaughter and May
- at Slaughter and May
Workplace investigations should usually be conducted on a confidential basis, so that only those involved in the investigation are aware of its existence and subject matter. The need to maintain confidentiality about both the fact of the investigation, and any content discussed with an investigator, should be emphasised to all those involved. It may also be necessary to explain that a breach of confidentiality could be viewed as a disciplinary matter. Appropriate exceptions must, however, be made to allow employees to speak to any relevant employee or trade union representative, legal adviser and potentially the police or other regulators. Confidentiality provisions cannot override the rights of workers to make protected disclosures (see question 9).
In some situations, such as those involving a wide-ranging investigation into the organisation’s working practices and culture, it may be more appropriate to investigate a more “open” basis, and inform employees and other stakeholders.
United States
United States
- at Cravath, Swaine & Moore
- at Cravath, Swaine & Moore
- at Cravath, Swaine & Moore
Information arising from the initial complaint, interviews and records should be kept as confidential as practically possible while still permitting a thorough investigation. Although an employer must maintain confidentiality to the best of its ability, it is often not possible to keep confidential the identity of the complainant or all information gathered through the investigation process. An employer should therefore not promise absolute confidentiality to any party involved in an internal investigation, including the complainant. The investigator should instead explain at the outset to the complaining party and all individuals involved that information gathered will be maintained in confidence to the extent possible, but that some information may be revealed to the accused or potential witnesses on a need-to-know basis to conduct a thorough and effective investigation.
Vietnam
Vietnam
- at Le & Tran Law Corporation
- at Le & Tran Law Corporation
Workplace investigations should be conducted in a strictly confidential manner to preserve the integrity and professionalism of the investigation and to protect the identity of the employee under investigation. This means that all information gathered, received, and shared during the investigation (ie, the subject employee and any material witnesses) should only be disclosed on a need-to-know basis.
26. How long should the outcome of the investigation remain on the employee’s record?
26. How long should the outcome of the investigation remain on the employee’s record?
Australia
Australia
- at People + Culture Strategies
- at People + Culture Strategies
- at People + Culture Strategies
There are legal requirements related to the time you must keep certain employee records in Australia, such as pay slips and time sheets. However, there are no laws concerning disciplinary records.
Employers can rely on previous misconduct to justify an employee’s termination of employment where it can be shown it is part of a course of conduct. Accordingly, if complaints have been substantiated, and disciplinary action has been taken, these records should be maintained. However, if a significant period has elapsed since the misconduct, an employer should carefully consider whether it is appropriate to rely on this past behaviour to justify future disciplinary action for similar conduct.
Austria
Austria
- at GERLACH
- at GERLACH Rechtsanwälte
Data protection law requires that personal data should not be kept longer than necessary for the purpose it was collected. Once the purpose of the internal investigation is fulfilled and the data is no longer needed, it should be deleted or anonymised. Regulations regarding this matter may also be subject to WCAs or internal policies. In any case, it is advisable to keep the results for as long as they may be needed in possible subsequent administrative or judicial proceedings.
Belgium
Belgium
- at Van Olmen & Wynant
According to the GDPR, personal data should only be stored for a proportionate amount of time. Usually, this means that it can be stored as long as it is relevant for the employment contract, and even afterwards, if there is a risk of legal proceedings (ie, regarding the dismissal of the employee).
Brazil
Brazil
- at CGM
- at CGM
The existence of the investigation should be kept on file for at least five years from the date of its conclusion. All information related to the investigation should be kept on file for the same period, but not on the employee’s record, to avoid the risk of accidental access by unauthorised individuals.
China
China
- at Jingtian & Gongcheng
- at Jingtian & Gongcheng
- at Jingtian & Gongcheng
- at Jingtian & Gongcheng
The relevant laws and regulations in the PRC have not clarified the retention period of the investigation findings. According to Article 19 of the Personal Information Protection Law of the PRC, unless otherwise required by laws or administrative regulations, the retention period of personal information shall be the shortest period necessary to achieve the purpose of handling the information. Since the employee's personal information is very likely to be involved in the investigation findings, such report should be retained for the shortest period necessary to achieve the purpose of handling the information. In general, once the investigation is completed, the purpose of the internal investigation has been achieved or it is no longer necessary to achieve the purpose, and the employer may, in accordance with Article 22 of the Administrative Regulations of the PRC on Network Data Security (Draft for Comments), delete or anonymize the personal information within fifteen (15) working days. If it is technically difficult to delete the personal information, or it is difficult to do so within fifteen (15) working days due to business complexity or other reasons, the employer shall not conduct any processing other than storing the personal information and adopting necessary security measures, and shall give reasonable explanations to the employee.
Finland
Finland
- at Roschier
- at Roschier
Please see question 7. The outcome of the investigation involving personal data may be retained only for as long as is necessary considering the purposes of the processing. In general, the retention of investigation-related data may be necessary while the investigation is still ongoing and even then the requirements of data minimization and accuracy should be considered. The data concerning the outcome of an investigation should be registered to the employee's record merely to the extent necessary in light of the employment relationship or potential disciplinary measures. In this respect, the applicable retention time depends on labour law-related rights and limitations, considering eg, the applicable periods for filing a suit.
France
France
- at Bredin Prat
- at Bredin Prat
If the outcome of the internal investigation has led to the sanctioning of an employee, this sanction may no longer be invoked to support a new sanction after three years. Moreover, under the GDPR principles, the duration of retention must be proportional to the use of the data. Therefore, the data must be retained only for a period that is “strictly necessary and proportionate”. If the employer wants to keep information about the investigation in the longer term, it is possible to archive the employee’s record even though the employer will no longer be able to use it against the employee after three years.
Germany
Germany
- at Hengeler Mueller
- at Hengeler Mueller
- at Hengeler Mueller
If there is no special statutory storage period (which is the case for investigative reports and findings), personal data may only be stored for as long as is necessary for the purposes for which they are collected. As soon as the data is no longer required, it must be deleted. In connection with workplace investigations, the question arises as to how this obligation to delete personal data relates to the company's corporate interests. From the company's perspective, there may well be legitimate interests that speak in favour of retaining existing data for as long as possible. Under the data protection regulations of the DSGVO and the BDSG, data can be stored for as long as it is required for the assertion, exercise or defence of (civil) legal claims. This means that the data can, in any event, be saved at least as long as any measures related to the workplace investigation have not yet been completed and any legal disputes have not yet been concluded.
Greece
Greece
- at Karatzas & Partners
- at Karatzas & Partners
- at Karatzas & Partners
- at Karatzas & Partners
Under the General Data Protection Regulation, employees’ personal details and information must be kept in the business records for as long as is necessary for the purposes of the employment relationship. Otherwise, stored data must be deleted. However, under L.4990/2022[14], reports remain in the relevant record for a reasonable and necessary time, and in any case until the completion of investigations or proceedings before the courts that have been initiated as a consequence of a complaint against the employee under investigation, the complainant or any third parties.
[14] L.4990/2022 art.16 par.1
Hong Kong
Hong Kong
- at Slaughter and May
- at Slaughter and May
- at Slaughter and May
There is no legal requirement in Hong Kong on this. However, since the investigation records will likely contain personal data, employers should be mindful of the requirement under the PDPO that personal data should not be kept for longer than necessary.[1]
According to the Code of Practice on Human Resources Management published by the Privacy Commissioner for Personal Data, generally, employment data about an employee can be kept for the entire duration of his or her employment, plus a recommended period of no more than seven years after the employee leaves employment unless there is a subsisting reason that justifies a longer retention period. A longer retention period may be justified where there is ongoing litigation or a parallel investigation. Even where it is deemed necessary to retain the outcome of the investigation concerning a departed employee, the employer should ensure that other personal data on the employee’s record (that is unrelated to the purpose of retention) are erased after the expiry of the recommended retention period.
[1] DPP2 (in Sch. 1) and PDPO section 26.
India
India
- at Trilegal
- at Trilegal
- at Trilegal
There is no statutory guidance on this. It is common for employers to retain details of disciplinary proceedings on an employee's record for the entire duration of their employment.
It is also advisable to retain the details of any investigations or disciplinary proceedings for at least three years after an individual has been dismissed on account of such proceedings, as this is the general limitation period for raising claims of unfair dismissal. In labour matters, courts in India often allow delays in filing suit after the limitation period, meaning organisations sometimes make a practical call to retain details of investigations and disciplinary proceedings for longer.
Ireland
Ireland
- at Ogier
- at Ogier
Irrespective of the outcome of the investigation, the fact that an employee was subject to an investigation is not the key issue. The key concern is whether any further action was taken as a result of the investigation. If a disciplinary process ensued, then it is the outcome of that disciplinary record and any subsequent appeal that would or would not be noted on an employee's record. If a disciplinary sanction were imposed then the length of time the sanction remains on the employee's record would depend on what is specified in the disciplinary policy.
Italy
Italy
- at BonelliErede
- at BonelliErede
The employer would normally keep the outcomes of the investigation for the entire duration of the employment relationship with the involved employee.
After the termination of the employment relationship, it appears reasonable to conclude that the employer would be entitled to retain this information for the time necessary to exercise its defence rights in litigation (taking into account that 10 years is the statute of limitations for contractual liability). Further requirements or restrictions under general privacy laws (and particularly the GDPR) should also be checked.
According to Art. 14 WB Decree, internal and external whistleblowing reports (including related documents) must be kept for as long as necessary for report processing, but no more than five years from the date of transmission of the procedure's final outcome.
Japan
Japan
- at Mori Hamada & Matsumoto
Records related to responses to whistleblowing must be kept for an appropriate period, but there is no legal stipulation on the retention period. Each entity is required to set an appropriate period after considering the need for evaluation and inspection, and the handling of individual cases. There is no legally stipulated retention period for other investigation results.
Netherlands
Netherlands
- at De Brauw Blackstone Westbroek
- at De Brauw Blackstone Westbroek
- at De Brauw Blackstone Westbroek
The outcomes are usually kept in the records until termination of the employment agreement and only deleted when personal records are deleted.
Nigeria
Nigeria
- at Bloomfield LP
The law does not provide for the time the outcome of the investigation may remain on the employee’s record. However, this will depend on the employer’s record-retention policies, which must comply with applicable data protection laws.
Philippines
Philippines
- at Villaraza & Angangco
The outcome of the investigation should only remain on the employee’s record for as long as is necessary, but shall not be less than three years as this is the record-keeping requirement under the Philippine Labor Code. If circumstances deem that such a report ceases to have any purpose whatsoever, it should be struck out of the employee’s record.
Poland
Poland
- at WKB Lawyers
- at WKB Lawyers
- at WKB Lawyers
Neither Polish law nor the Draft Law specifically provide for a mandatory period during which the outcome of the investigation should be kept on the employee’s record.
At the same time, the Draft Law indicates that the register of whistleblowing reports, which should also contain information about follow-up actions undertaken as a result of the report, should be kept for 15 months starting from the end of the calendar year in which the follow-up actions have been completed, or the proceedings initiated by those actions have been terminated.
Also, while determining how long the outcome of an internal investigation should be kept, additional legal considerations can be taken into account, especially data privacy.
The GDPR does not specify precise storage time for personal data. The employer must assess what will be an appropriate time for storage of the data, taking into consideration the necessity of keeping personal data concerning the purpose of the processing in question. Employees' personal data should be kept for the period necessary for the performance of the employment relationship and may be kept for a period appropriate for the statute of limitations for claims and criminal deeds. A longer retention period may result from applicable laws. Following the Regulation of the Minister of Family, Labour and Social Policy on employee documentation, the employer may keep a copy of the notice of punishment and other documents related to the employee’s incurring of disciplinary responsibility in the employee record.
There are different retention periods for the data contained in employee files:
- 10 years if the employee was hired on or after 1 January 2019;
- if the employment relationship began between 1 January 1999 and 1 January 2019, the retention period is 50 years, but may be reduced to 10 years if the employer provides the Polish Social Insurance Institution with certain mandatory information; and
- for 50 years if the employee was hired before 1 January 1999. It does not matter whether the person is still working or not.
Portugal
Portugal
- at Uría Menéndez - Proença de Carvalho
There are no specific rules in the Portuguese Labour Code on this matter.
However, article 332 of the PLC states that the employer should keep an updated record of disciplinary sanctions, so the competent authorities can easily verify compliance with applicable provisions. Accordingly, it is advisable to maintain a record of disciplinary sanctions during the entire employment relationship.
Also, please note that some collective bargaining agreements state that the disciplinary register must be deleted from the employee’s record periodically.
Singapore
Singapore
- at Rajah & Tann Singapore
- at Rajah & Tann Singapore
- at Rajah & Tann
This depends on the company’s internal disciplinary policy and the severity of the offence. For instance, a written warning issued against an employee for minor misconduct is usually kept in the respondent employee’s file for one year and if the employee does not commit any further breaches during this time, the written warning will be expunged. However, if there is a finding of serious misconduct, particularly if such a determination results in the dismissal of the employee, these records are generally kept in the employee’s file for the duration of time such records are statutorily required to be maintained.
South Korea
South Korea
- at Kim & Chang
- at Kim & Chang
- at Kim & Chang
- at Kim & Chang
There is no legal requirement on how long the records of the investigation (eg disciplinary action) should be maintained by the company. Many companies maintain a record of disciplinary action throughout the employment period.
Spain
Spain
- at Uría Menéndez
- at Uría Menéndez
The outcome of the investigation will contain personal data of the affected employee. For this reason, this information should only be kept for as long as a legal obligation or liability in connection with the information could arise for the company. Since the general statute of limitations for employment liability is one year, this is a good guideline.
In addition to the above, two specific rules apply:
- once the information becomes irrelevant for the purpose for which it was obtained and processed, the information should no longer be stored on the employee’s record or elsewhere; and
- the employees’ information (including those of the reporter and the affected employees) should only be stored in whistleblower systems during the time that is necessary to decide on whether the facts need to be investigated or not and, in any case, for a maximum period of three months.
Sweden
Sweden
- at Mannheimer Swartling
- at Mannheimer Swartling
- at Mannheimer Swartling
Under the GDPR personal data may not, according to the general principle on storage limitation, be retained for longer than is necessary for the purposes for which the personal data are processed. The GDPR does not stipulate a generally applicable storage limitation period. Such a regulation is, on the other hand, included in the Swedish Whistleblowing Act. If the Swedish Whistleblowing Act applies, the outcome of the investigation and all personal data should be retained for as long as necessary, but not for longer than two years after the investigation has been closed.
Switzerland
Switzerland
- at Bär & Karrer
- at Bär & Karrer
From an employment law point of view, there is no statute of limitations on the employee's violations. Based on the specific circumstances (eg, damage incurred, type of violation, basis of trust or the position of the employee), a decision must be made as to the extent to which the outcome should remain on the record.
From a data protection point of view, only data that is in the interest of the employee (eg, to issue a reference letter) may be retained during the employment relationship. In principle, stored data must be deleted after the termination of the employment relationship. Longer retention may be justified if rights are still to be safeguarded or obligations are to be fulfilled in the future (eg, data needed regarding foreseeable legal proceedings, data required to issue a reference letter or data in relation to a non-competition clause).[1]
[1] Wolfgang Portmann/Isabelle Wildhaber, Schweizerisches Arbeitsrecht, 4. Edition, Zurich/St. Gallen 2020, N 473.
Thailand
Thailand
- at Chandler MHM
- at Chandler MHM
There is no period required by law for keeping the outcome of the investigation on the employee’s record. However, if termination of employment is the outcome of the investigation, an employer should keep details of the investigation for at least 10 years, in line with the prescribed period for an employee to file an unfair dismissal claim against an employer. An employer may use the details of an investigation to defend such a claim. For other disciplinary action, the retention of investigation details on the employee’s record is at the employer’s discretion.
Turkey
Turkey
- at Paksoy
- at Paksoy
- at Paksoy
- at Paksoy
There is no provision in the legislation setting forth a specific duration for keeping the outcome of the investigation findings in personnel files. However, based on general principles, the outcome of the investigation can remain on the employee’s personnel files as long as the employer has a lawful interest in such processing without unnecessarily harming the privacy rights of the employee.
United Kingdom
United Kingdom
- at Slaughter and May
- at Slaughter and May
The investigation outcome may not need to be noted on the accused employee’s record at all. Usually only the outcome of any subsequent disciplinary or grievance process would be noted, rather than the prior investigation.
The employer should keep the investigation report for as long as it remains relevant. This would usually be no longer than six years, unless regulatory obligations dictate otherwise. The report along with all documentation and witness statements gathered during the investigation should be retained securely and confidentially but for no longer than is absolutely necessary under the requirements of the DPA 2018 and the employer's data protection policies and procedures. There may be additional retention requirements in a regulated context; the position for each particular business and employee should be checked.
United States
United States
- at Cravath, Swaine & Moore
- at Cravath, Swaine & Moore
- at Cravath, Swaine & Moore
There is no requirement for the results of a workplace investigation to remain on an employee’s record for any specific period. It is often helpful, however, for information relating to the outcome of such an investigation (regardless of whether the allegations are substantiated) to be accessible to the human resources or legal functions such that during the initial complaint intake process described above, any prior complaints and investigations relating to the same individual or group of individuals can be taken into account to identify any recurring issues or systemic violations.
Vietnam
Vietnam
- at Le & Tran Law Corporation
- at Le & Tran Law Corporation
Vietnamese law does not provide for a period during which the outcome of the investigation should remain on the employee’s records and files. However, this will depend on the employer’s record-retention policies, which must comply with applicable data protection laws.