Employers often face grievances raised by staff involving allegations against work colleagues. Whilst there is a duty to support and safeguard employees’ safety and wellbeing, employers also have wider obligations relating to confidentiality and data protection. A careful balance must therefore be struck between helping, supporting and reassuring the “victim” whilst at the same time managing or sanctioning the alleged perpetrator.

The Equality and Human Rights Commission (EHRC) recommends that, where appropriate, disciplinary sanctions relating to sexual harassment may be disclosed to the victim. However, doing so involves sharing personal data and confidential information about the perpetrator, which is regulated by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The general principle under data protection and employment law is that disciplinary records, notes and outcomes are confidential, and employers should therefore exercise caution before making any disclosures.

Lawful Basis for Disclosure

Disclosures may be justified where there is a “legitimate interest”. This raises the question of what constitutes a legitimate interest.

Taking steps to reassure victims that their concerns have been addressed, that appropriate action has been taken, or to support their safe return to work, may amount to a legitimate interest capable of justifying disclosure.

Before any disclosure is made, employers should carry out the three-stage “legitimate interests” assessment:

• Purpose – Is there a legitimate interest in using or sharing the personal data?

• Necessity – Is the use of the personal data necessary for that purpose? Could the objective be achieved without disclosing the information? If so, disclosure should not be made.

• Balancing Test – Do the perpetrator’s interests, rights or freedoms override the legitimate interest being relied upon?

Employers should also consider whether:

• The use of the personal data would be unexpected by the individual concerned; and

• The disclosure could cause unjustified harm.

Where these tests are satisfied, limited information may potentially be shared with the victim. However, care should still be taken, particularly where the incident may have wider implications for the workforce.

Data Protection Risks

Even where disclosure is based on legitimate interests, employers should remain aware that disclosure could:

• Lead to formal data protection complaints;

• Result in a Subject Access Request (SAR), which may be time-consuming and resource-intensive;

• Trigger grievances alleging breach of confidentiality or breach of the implied duty of mutual trust and confidence; and

• Increase the risk of resignations and potential constructive dismissal claims.

Key Message

Employers should ensure they have robust data protection policies in place, identify a lawful basis for any disclosure, and carry out a legitimate interests assessment before sharing information.

Disclosures should only be made where necessary and proportionate, and only the minimum information required should be disclosed.

As every case will depend on its own facts, employers should avoid adopting a blanket approach. Where there is uncertainty, employers should seek guidance from the Information Commissioner’s Office (ICO) and contact the HR Helpline on 01455 852 028 for further advice and assistance.