Data protection: the UK perspective

This is an Insight article, written by a selected partner as part of GIR's co-published content.

1 Introduction

The legal framework for protecting the personal data of individuals, in internal and government investigations, comprises employment, criminal and privacy laws. For ease, those collective laws are frequently described as data protection, data security or data privacy law.[1] Organisations conducting or otherwise involved in such investigations must navigate an increasingly complex landscape of domestic and international legislation that seeks to protect individuals’ data, while frequently having to ensure cooperation and transparency with government agencies.

During the course of an investigation, a data controller[2] or a data processor[3] will often need to comply with data protection laws in multiple jurisdictions, requiring the collection, processing and transfer of data in accordance with numerous nuanced and seemingly competing obligations. There is a careful balance to strike between the need to process data to fulfil the needs of the investigation and the protection afforded to individuals whose data has been requested or obtained as part of that investigation.

This chapter addresses the data protection laws in the United Kingdom and certain elements of European Union law that are most relevant to the personal data issues that commonly arise in internal and government investigations.

2 Key legislation relevant to personal data processing in investigations

2.1 United Kingdom and European Union

In the United Kingdom, there are two principal pieces of legislation that govern the processing of personal data: (1) the UK General Data Protection Regulation[4] (UK GDPR), which effectively incorporates Regulation (EU) 2016/679[5] (EU GDPR) into UK law, following the expiry of the Brexit transition period; and (2) the UK Data Protection Act 2018 (DPA 2018).[6]

The territorial reach of the UK GDPR and the EU GDPR means that they capture the processing of an individual’s personal data by:

  • any corporation or company established or operating in the United Kingdom or the European Union, including UK and EU companies that use personal data outside the United Kingdom and the European Union, to the extent that use of personal data is intrinsically linked with their domestic activities; and
  • corporations established outside the United Kingdom and the European Union, with no presence in either territory, if they are processing the personal data of data subjects[7] located in the United Kingdom or the European Union and the processing activities relate to the offering of goods and services to, or the monitoring of the behaviour of, individuals within the United Kingdom or the European Union, even if the data is stored outside the United Kingdom and the European Union.[8]

The DPA 2018 applies to the processing of data in circumstances where the UK GDPR applies, as well as supplementing the UK GDPR in respect of certain types of processing to which the EU GDPR does not apply.[9] The territorial reach of the DPA 2018 is broadly similar to that of the UK GDPR.[10]

The scope of an investigation (including the location of the data subjects, the data controllers and the data processors) will determine whether organisations are required to comply with the DPA 2018, the UK GDPR or the EU GDPR.

In addition to the UK GDPR and the DPA 2018, participants in internal investigations may also be required to navigate UK laws governing the interception and monitoring of employees’ communications. The relevant regulatory framework consists primarily of the Investigatory Powers Act 2016 (IPA 2016), the Interception of Communications Code of Practice under the IPA 2016 and the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018 enacted under the IPA 2016.

In September 2021, the then UK government launched a public consultation – ‘Data, a new direction’ – with a view to reforming UK data protection laws.[11] Following the consultation process, the Data Protection and Digital Information Bill was introduced into Parliament in July 2022 but failed to pass before Parliament was dissolved ahead of the 2024 general election. The Bill was intended to reform data protection law and included, among other things, provisions concerning the international transfer of personal data.[12] In July 2024, the King’s Speech set out the new UK government’s priorities, which include a Digital Information and Smart Data Bill. At the time of writing, this Bill has not been published; however, it is expected to deal with a wide range of data issues, including measures to ensure data is well protected. It is not yet known how the reforms will affect investigations.[13]

Prior to the EU GDPR, the European data protection regime was fragmented and offered varying levels of protection across the Member States. For the most part, the EU GDPR consolidated and harmonised its predecessor regime and required each Member State to implement uniform laws on data protection; however, it provides only a base level of data protection law, and each Member State may implement its own domestic data protection laws, over and above the minimum standard required by the EU GDPR. Accordingly, where there is an EU nexus to an investigation, participants in the investigation should ensure compliance with the EU GDPR and any additional domestic laws that have been implemented by the relevant Member State (or States).

2.2 Competing and conflicting regimes

Multinational companies undertaking, or subject to, an internal or government investigation must carefully consider what legislation applies. In some instances, a company may be requested to transfer personal data to the United States. In response to such a demand, the company is required to undertake an assessment and to determine whether the transfer of responsive data to the United States would breach the UK GDPR or the EU GDPR. This assessment will be shaped in significant part by the consequences of the Court of Justice of the European Union’s (CJEU) decision in Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems[14] (Schrems II) and subsequent developments, which are discussed below.

If the company cannot lawfully transfer responsive data to the United States, it may need to negotiate with the requesting authority to narrow the scope of the request or to develop other ways of resolving the legal conflict.

3 Internal investigations

The principal obligations for an organisation to consider when conducting an internal investigation[15] (as set out in the UK GDPR) are:

  • establishing a legal basis for the processing of personal data, such as the consent of the individual whose data is required, or a legitimate third party or public interest;
  • if applicable, and in addition to establishing a legal basis for the processing, demonstrating the presence of a relevant condition that permits the processing of any ‘special categories’ (see ‘Special category data’, below) of personal data or any criminal offences data;
  • identifying a legal basis for any international transfer of personal data from the United Kingdom to a third country (again, in addition to a legal basis for the processing);
  • ensuring that the use of the personal data is proportionate to the aims of the investigation; and
  • upholding the principle of transparency, namely the requirement to inform individuals about how their personal data is being used (unless there is a relevant exemption).

Additional considerations that can arise in the context of internal investigations include:

  • monitoring of employees’ electronic communications; and
  • involvement of third parties.

3.1 Processing data on the basis of consent

If individuals consent to the processing of their personal data, that will constitute a legal basis for the processing in the course of an investigation.[16] However, the provision of consent must satisfy a number of conditions. Consent must be given freely and clearly, and in plain language, and must be an affirmative act by, for example, actively ticking a box on a website – consent cannot be given by inactivity, such as pre-ticked boxes in an online form.[17] Prior to giving consent, individuals must also be informed that they have the right to withdraw their consent at any time. Blanket clauses in employment contracts have historically been used to demonstrate consent; however, the Information Commissioner’s Office (ICO), an independent regulator responsible for enforcing data protection legislation, has issued guidance on consent, which suggests this may no longer be sufficient.[18]

Given the perceived imbalance of power between employers and employees, caution should be exercised when relying on the legal basis of consent. The European Data Protection Board (EDPB) guidelines on consent under the EU GDPR deem it ‘problematic for employers to process personal data of current or future employees on the basis of consent as it is unlikely to be freely given’.[19] The EDPB advises that situations in which an employer can demonstrate that consent has been freely given will be the exception, but that this may be possible where the employee will suffer no adverse consequences whether or not they give that consent.

3.2 Processing data on the basis of legitimate interests

The UK GDPR provides numerous other legal bases for the lawful processing of personal data.[20]

A data controller can justify the processing of personal data on the basis of its own legitimate interests, or the legitimate interests of a third party or the public interest. However, any legitimate interest held by an organisation (or by a third party) can also be overridden by an individual’s own interests or the individual’s fundamental rights.[21]

The ICO refers to legitimate interests as ‘the most flexible lawful basis for processing’ under the UK GDPR, and has prescribed a three-part test[22] for establishing a legitimate interest:

  • Purpose test: Is the processing in pursuit of a legitimate interest?
  • Necessity test: Is the processing necessary and proportionate for the purpose, or is there an alternative, less intrusive, means of gathering the same information?
  • Balancing test: Does the risk of undue harm to the individual’s interests, rights and freedoms concerning the protection of personal data outweigh the legitimate interest in processing the data?

The recitals to the UK GDPR provide non-exhaustive examples of ‘legitimate interests’, including:

  • ‘a relevant and appropriate relationship between the data subject and the controller’ (such as where the data subject is a client or employee of the controller);
  • the prevention of fraud;
  • the intra-group transfer of data, network and information security; and
  • disclosing possible criminal acts or security threats to the authorities.[23]

3.3 Special category data

Data controllers must consider whether any personal data they are processing falls into one of the special categories identified by the UK GDPR.[24]

Special category data includes ‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’.[25]

Before data controllers can process special category data, they must first establish a legal basis for the data processing (as set out above) and then establish an additional and specific legal basis for it.[26]

In an investigation, the conditions that are likely to fulfil this additional basis are the explicit consent of the individual; the establishment, exercise or defence of legal claims; or reasons of substantial public interest.

In addition, the DPA 2018 provides further conditions that must be satisfied in respect of certain legal bases, for the lawful processing of special category data under Article 9 of the UK GDPR (including the ground of substantial public interest).[27]

3.4 Criminal offence data

Some investigations may involve ‘personal data relating to criminal convictions and offences or related security measures’,[28] including information about an individual’s criminal allegations, proceedings or convictions.

The UK GDPR treats this criminal offence data independently of and separately from special category data, and the circumstances in which it may be processed are particularly narrow. There must first be an established lawful basis for the processing of the criminal offence data, and the processing must then be carried out:

  • under the control of an official authority (in which case there is no need to satisfy any of the conditions in Schedule 1 to the DPA 2018); or
  • as authorised by domestic law (in which case there is an additional requirement to meet one of the relevant conditions in Schedule 1 to the DPA 2018).[29]

Depending on the circumstances, certain of the grounds authorised by domestic law may be available in investigations, including prescribed public interest grounds, the consent of the individual and the establishment or defence of a legal claim.

3.5 Proportionality: data minimisation

The UK GDPR requires the processing of personal data to be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’.[30] This is known as the principle of data minimisation. The UK GDPR does not define the terms ‘adequate, relevant and limited’: they will differ depending on the individual in question and the purpose for which it is intended that personal data will be processed. However, the recitals to the UK GDPR explain that data minimisation includes limiting the period for which personal data is stored to a strict minimum, and processing personal data only if the purpose of the processing could not reasonably be fulfilled by other means.

At the outset of an investigation, organisations should identify the minimum amount of individuals’ data necessary to achieve the legitimate purpose of the investigation. Data controllers should then ensure, and continue to ensure throughout the investigation, that the collation, review, use and disclosure of personal data remains proportionate and no more invasive than is required to realise that legitimate purpose.

3.6 Transparency under UK GDPR

The UK GDPR and the DPA 2018 require the processing of personal data to be transparent.[31] Where an organisation intends to collect personal data directly from the data subject, it must provide the individual in advance with the specific privacy information prescribed by the UK GDPR.[32] This privacy information includes:

  • the purpose of the processing;
  • the legal basis for the processing;
  • the recipients or categories of recipients of the personal data;
  • details of any transfers of personal data outside the United Kingdom; and
  • the period for which the personal data will be stored.

The UK GDPR also requires privacy information provided to data subjects to be ‘concise, transparent, intelligible and easily accessible . . . using clear and plain language’. The data subject may request that the organisation provides the information orally, as long as the data subject can verify their identity.[33]

There are limited exemptions from providing the prescribed privacy information to a data subject, but when an organisation is collecting personal data directly from an individual (and not from a third party), there is no requirement to provide the individual with data protection information they already have.[34]

Data controllers can rely on a wider range of exemptions when they are collecting personal data from other sources.[35] In internal investigations, the most relevant exemptions are likely to include the following:

  • Providing the prescribed privacy information would prove impossible or would involve a disproportionate effort, or would seriously impair the achievement of the objectives of the data processing.[36]
  • Obtaining or disclosing the individual’s personal data is expressly required by domestic law, which already provides for appropriate measures to protect the individual’s legitimate interests with regard to personal data.[37]

3.7 Monitoring electronic communications as part of an investigation

Organisations must also be transparent with employees about the interception and monitoring of their communications. Communications will be considered to have been intercepted in circumstances that include a communication being monitored in the course of its transmission and made available to a person who is not the sender or intended recipient of the communication, whether at the time of transmission or afterwards.[38]

Employers can intercept their employees’ communications with the consent of both the sender and the recipient.[39] This consent is distinct from any consent given for the purposes of data processing under the UK GDPR. Employers may also lawfully monitor or record their employees’ communications without consent in order to:

  • establish the existence of facts;
  • ascertain compliance with the regulatory or self-regulatory practices or procedures relevant to the business;
  • ascertain or demonstrate standards that are, or ought to be, achieved by persons using the telecommunications system;
  • prevent or detect crime;
  • investigate or detect the unauthorised use of the telecommunications system; or
  • ensure the effective operation of the system.[40]

The monitoring or recording of communications without consent is subject to additional restrictions.[41]

Organisations can take practical steps to protect themselves against claims of employee privacy infringement and non-compliant monitoring practices by proactively providing employees with data privacy information notices and ensuring that employees have access to their policies on employee monitoring.

3.8 Third parties to internal investigations

If a third party is required to process data on behalf of a data controller as part of an investigation, the engagement of the processor must be governed by a contract (or by another legal act under domestic law).[42] These types of engagements are often necessary to assist with tasks such as data analysis, legal advice or document review, all of which potentially require access to personal data.

The UK GDPR sets out specific matters that must be covered in the contract between the controller and the processor: the subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data and categories of data subjects; and the obligations and rights of the controller.

The UK GDPR also identifies the specific obligations of the processor that must be stipulated in the contract, including to process the personal data only on documented instructions from the controller unless required to do so by domestic law, and to ensure that persons authorised to process the personal data are under a duty of confidentiality.

4 Investigations by government authorities

When an organisation receives a request from a government investigating authority to provide personal data, it must strike a balance between its regulatory obligations and its obligations under the UK GDPR. Although, in the spirit of cooperation, organisations may be inclined to share personal data in response to an authority’s request for information, the data controller should ensure that any disclosure is compliant with its UK GDPR obligations.

All the UK GDPR obligations described above (for example, transparency and data minimisation) apply equally to the processing of personal data in response to a request from an investigating authority.

4.1 Investigations by authorities: legal obligations

A data controller must satisfy itself that there is a lawful basis for sharing data with an investigating authority, consistent with Article 6(1) of the UK GDPR. The most common means of doing this is to rely on the basis that the ‘processing is necessary for compliance with a legal obligation to which the controller is subject’.[43]

A ‘legal obligation’ includes a UK common law or UK statutory obligation, such as regulatory requirements where the regulatory regime is provided by statute and requires the compliance of the regulated organisation. It is important to note that contractual obligations do not constitute legal obligations.

This ground will not be satisfied if there is another reasonable and proportionate way to comply with the legal obligation other than processing the personal data. When documenting their reliance on this ground, data controllers should record the source of the obligation in question, for example, the specific statutory provision or guidance.

4.2 International data transfers: internal or government investigations

Where an investigation requires the transfer of personal data internationally, there are additional considerations under the UK GDPR; for example, if an organisation wants to transfer personal data from inside the United Kingdom to a group company or a third party outside the United Kingdom, the data controller must not only establish a legal basis for the data processing (under the UK GDPR) but also satisfy conditions for the transfer itself (UK GDPR, Chapter V). This means that the transfer must be based on the existence of an adequacy regulation, appropriate safeguards or a derogation for a specific situation.[44]

Certain third countries are considered to have an adequate level of protection for personal data, under their own national laws, to meet the UK standards. In the United Kingdom, those designations are made by way of ‘adequacy regulations’.[45] The effect of a third country being deemed adequate is that personal data can be transferred from the United Kingdom to that third country without any further restrictions.

For the purposes of the UK GDPR, at the time of writing, the following third countries have been deemed ‘adequate’: Gibraltar and all countries within the European Economic Area (i.e., all Member States of the European Union and the European Free Trade Association). In addition, all countries and territories covered by the European Commission’s adequacy decisions[46] are recognised as adequate, although the United Kingdom has made more limited findings of adequacy for data transfers to Japan (private sector organisations only) and Canada (data that is subject to Canada’s Personal Information Protection and Electronic Documents Act). The EU–US Data Privacy Framework (EU–US DPF, see below) has also been extended to the United Kingdom.

In the absence of adequacy regulations, personal data may be transferred from the United Kingdom to a third country where the controller or processor has provided appropriate safeguards, and where enforceable rights and legal remedies are available to the data subject.[47] In certain circumstances, the approval of the ICO is required.

The following safeguards are available and do not require the approval of the ICO:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • binding corporate rules;
  • standard contractual clauses for data protection (SCCs);
  • an approved code of conduct, together with binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards, including the rights of data subjects; and
  • an approved certification mechanism, together with binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards, including the rights of data subjects.

The following safeguards, however, do require approval from the ICO:

  • bespoke contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country or international organisation; and
  • provisions to be inserted into administrative arrangements between public bodies, which include enforceable and effective data subject rights.

The safeguard most commonly relied on for the transfer of personal data is the use of SCCs. The validity of SCCs was reaffirmed by the CJEU in Schrems II.[48]

On 4 June 2021, the European Commission adopted a new, modernised set of SCCs under the EU GDPR,[49] replacing the old SCCs that had been adopted under the Data Protection Directive 95/46/EC. In the United Kingdom, the SCCs include the International Data Transfer Agreement (IDTA) and an addendum to the EU SCCs (which enables the EU SCCs to be used in the United Kingdom), each of which was adopted by the ICO under the UK GDPR. The IDTA and the addendum came into force on 21 March 2022. As of 21 March 2024, UK organisations can no longer rely on the old EU SCCs.

Notwithstanding the CJEU’s declaration of validity with regard to SCCs in Schrems II, the Court also opined that, before relying on a safeguard such as SCCs, personal data exporters should undertake an assessment, in each case, to determine whether the law of the third country ensures adequate protection of the personal data transferred pursuant to an SCC by providing additional safeguards, where necessary. The Schrems II decision was retained in UK law, following the expiry of the Brexit transition period. This means that, when a UK data controller intends to rely on a safeguard such as SCCs, it must first conduct a transfer risk assessment (TRA) to determine whether, in the circumstances of the transfer and with the relevant safeguards in place, the level of protection offered to the personal data in the third country will be essentially equivalent to and will not undermine the UK GDPR. The ICO has published guidance to assist data controllers undertaking a TRA.[50]

On 10 July 2023, the European Commission adopted its adequacy decision for the EU–US DPF, which the Commission describes as introducing ‘significant improvements’ compared with the EU–US Privacy Shield to address the concerns raised by the CJEU and bridge the data gap that arose in the wake of Schrems II.[51] As a result of this adequacy decision, it is not necessary to put in place additional data protection safeguards to facilitate the transfer of personal data from the European Union to US organisations participating in the EU–US DPF. To participate in the DPF programme, US organisations must be subject to the jurisdiction of the US Federal Trade Commission or the US Department of Commerce. They must self-certify their compliance to the International Trade Administration within the US Department of Commerce and publicly commit to comply with the EU–US DPF Principles.[52] The UK Extension to the EU–US DPF came into force on 12 October 2023. As a result, UK organisations can transfer personal data to participating US organisations without requiring any further safeguards.

On 19 January 2021, the ICO published a letter sent to the US Securities and Exchange Commission (SEC) dated 11 September 2020, in which the ICO set out its analysis of the application of the UK GDPR (specifically, Chapter V) to certain UK-based companies with US regulatory obligations.[53] In this letter, the ICO confirmed that UK organisations that are regulated by the SEC can rely on the public interest exception under the UK GDPR to transfer personal data to the SEC. That exception can be invoked only on a case-by-case basis, and the transfer must have been subject to a necessity and proportionality assessment. If that exception is applicable, UK organisations are not strictly required to rely on transfer safeguards such as IDTAs or the addendum to the EU SCCs. Nonetheless, the ICO stated its expectation that UK organisations and the SEC should work together, where possible, to implement a suitable safeguard under Article 46 of the UK GDPR.

5 Enforcement

The ICO has the power to issue a maximum penalty of £17.5 million or up to 4 per cent of the organisation’s worldwide turnover (whichever is higher) for an infringement of any of the data protection principles, or any rights an individual may have under Part 3 of the DPA 2018 (‘Law enforcement processing’) or in relation to any transfers of data to third countries.

To date, the ICO has taken a robust approach to data breaches. In October 2020, it fined a major airline £20 million (approximately 0.16 per cent of its total worldwide turnover) for a data breach that affected more than 400,000 customers.[54] In the same month, the ICO fined Marriott International Inc £18.4 million in relation to a data breach concerning Starwood Hotels.[55] In April 2023, the ICO issued a £12.7 million fine to TikTok for infringement of the UK GDPR.[56]

Where both the UK GDPR and EU GDPR apply, organisations face the prospect of enforcement under both regimes.

6 Practical steps to be taken in all investigations

All data controllers must keep a record of data processing activities under their responsibility, and data processors must keep a record of processing activities carried out on behalf of a controller.[57]

Additionally, it is advisable that data controllers within organisations undertaking or subject to an investigation take the following steps to demonstrate good practice compliance with data processing laws:

  • At the outset of an investigation, document the purpose and scope of the investigation, and identify the personal data that needs to be processed to achieve that purpose.
  • Document the assessment to ensure that processing is proportionate and identify the minimum amount of personal data required to fulfil the purpose of the investigation, including narrowly defining custodians, search terms and date ranges if possible.
  • Document the legal basis for the processing, including any consent given by individuals and any legitimate interests assessment.
  • Document the basis for the processing of any special category or criminal offences data.
  • Carry out an early assessment of whether personal data needs to be transferred outside the United Kingdom, ensure adequacy regulations or other safeguards are in place, and document the basis for any transfer made to a third country.

Endnotes

[1] In this chapter, they are referred to as data protection laws.

[2] Defined by the UK General Data Protection Regulation (UK GDPR) in Article 4(7) as ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’. See also infra note 4.

[3] Defined by the UK GDPR in Article 4(8) as ‘the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.

[4] UK General Data Protection Regulation (UK GDPR), https://www.legislation.gov.uk/eur/2016/679/contents.

[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (EU GDPR), https://eur-lex.europa.eu/eli/reg/2016/679/oj.

[7] Defined by the UK GDPR in Article 4(1) as ‘an identifiable natural person . . . who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’ and to whom any information relates.

[8] UK GDPR, Article 3; EU GDPR, Article 3.

[9] DPA 2018, s.1, items (1) and (3).

[10] id., s.207. Note: its application is determined by a data controller or data processor having an establishment in the United Kingdom, or an establishment in a non-Member State where the relevant data subject is in the United Kingdom and the processing relates to the offering of goods or services in the United Kingdom.

[11] Department for Digital, Culture, Media and Sport, ‘Data: A new direction’ (Sept. 2021), https://assets.publishing.service.gov.uk/media/6155c6dde90e07198018f7bb/Data_Reform_Consultation_Document__Accessible_.pdf.

[12] Data Protection and Digital Information Bill, https://bills.parliament.uk/bills/3430.

[13] For an overview of the proposed Digital Information and Smart Data Bill, see ‘The King’s Speech 2024’, pp. 39–41, https://assets.publishing.service.gov.uk/media/6697f5c10808eaf43b50d18e/The_King_s_Speech_2024_background_briefing_notes.pdf.

[15] UK GDPR, Article 5; DPA 2018, Chapter 2.

[16] UK GDPR, Article 6(1)(a).

[17] id., Article 7 and Recital 32.

[19] European Data Protection Board (EDPB), ‘Guidelines 05/2020 on consent under Regulation 2016/679’, p. 9, https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf. Although the EDPB Guidelines are not binding under the UK regime, the UK Information Commissioner’s Office (ICO) considers that they still provide helpful guidance on certain issues, absent UK-specific guidance or regulations.

[20] UK GDPR, Article 6.

[21] UK GDPR, Article 6(1)(f).

[23] UK GDPR, Recitals (47) to (50).

[24] UK GDPR, Article 6(4)(c).

[25] UK GDPR, Article 9; DPA 2018, s.10.

[26] UK GDPR, Article 9; DPA 2018, ss.10 and 11 and Schedule 1.

[27] For the substantial public interest ground in Article 9(2)(g) of the UK GDPR, the corresponding basis in domestic law is set out in s.10(3) of the DPA 2018: ‘The processing meets the requirement in point (g) of Article 9(2) of the [UK GDPR] . . . only if it meets a condition in Part 2 of Schedule 1.’ There are 23 distinct substantial public interest conditions in Part 2 of Schedule 1 to the DPA 2018 (paras. 6–28). They include, for example: statutory and government purposes (para. 6); preventing or detecting unlawful acts (para. 10); regulatory requirements relating to unlawful acts and dishonesty, etc. (para. 12); preventing fraud (para. 14); and suspicion of terrorist financing or money laundering (para. 15).

[28] UK GDPR, Article 10.

[29] UK GDPR, Article 10; DPA 2018, ss.10 and 11 and Schedule 1. There are 28 conditions in Schedule 1 to the DPA 2018 that are available for the processing of criminal offence data. Some of these conditions overlap with the special category data conditions (see the examples listed in note 27 in respect of special category data).

[30] UK GDPR, Article 5(1)(c) and Recital 39.

[31] id., Article 5(1)(a), Recitals 39 and 58; DPA 2018, s.86(1)(b).

[32] id., Article 13(1) and Recital 60.

[33] id., Article 12(1).

[34] id., Article 13(4).

[35] id., Article 14(5).

[36] id., Article 14(5)(b).

[37] id., Article 14(5)(c).

[38] Investigatory Powers Act 2016, s.4.

[39] id., s.44(1).

[40] Monitoring and Record-keeping Regulations, Regulation 3(2).

[41] id., Regulation 4(1): the interception must take place solely for the purpose of monitoring or (where appropriate) keeping a record of communications relevant to the employer’s business; the telecommunications system must be provided for use wholly or partly in connection with that business; and the employer must have made all reasonable efforts to inform every person who may use the telecommunications system that communications transmitted using that system may be intercepted.

[42] UK GDPR, Article 28(3).

[43] id., Article 6(1)(c).

[44] UK GDPR and EU GDPR, Article 49.

[45] UK GDPR, Article 45(1) and DPA 2018, s.17A. In the European Union, these are made by way of an adequacy decision.

[46] The following third countries have been deemed ‘adequate’ by the European Union: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay.

[47] UK GDPR and EU GDPR, Article 46.

[48] Supra note 14.

[49] Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

[57] UK GDPR, Article 30.
