Harassment and sexual misconduct: personal data governance
An essential aspect of complying with condition of registration E6 (which comes fully into force on 1 August 2025) is the “sensitive and careful” handling of information and personal data. We have set out below how institutions can put themselves in the best position to comply with the data protection regime when handling complaints and investigations into harassment and sexual misconduct, and supporting those involved, by considering and addressing these issues now, in advance of the new requirements coming into force. We recommend that these steps are taken together with the institution’s Data Protection Officer.
Information handling and use
- Map the data that is likely to be processed when receiving and responding to allegations of harassment and sexual misconduct (including undertaking investigations, decision-making and the provision of support). This will include personal data contained in the disclosure or allegation itself (beware those “free text” boxes in reporting tools!) and all personal data collected as part of any wider handling of the concern under institutional processes, for example the personal data of witnesses.
- Map other relevant data flows, for example in connection with preventative action. For the purpose of E6, this will also include any record of staff/student relationships, depending on the approach taken. Other data flows, such as those appropriate for good governance requirements, should also be considered.
- Consider whether special category or criminal conviction personal data is likely to be processed. It is highly likely that special category personal data will be processed, as this includes any personal data pertaining to an individual’s sex life or sexual orientation. Criminal conviction personal data also includes the allegation of any criminal offence, so it is likely to be relevant to any allegation of harassment or sexual misconduct.
- Consider with whom the personal data could be shared within and outside the institution: for example, internal departments, witnesses, emergency services, police, an external investigator, the reporting and responding parties, etc.
- Consider the lawful basis to be relied on in each of the above circumstances. The lawful basis is likely to differ depending on the recipient of the information and the circumstances in which it is shared. For example, “vital interests” is likely to be relied on to give information to the emergency services, but it may be less relevant in other contexts, depending on the facts.
- When processing special category or criminal conviction personal data, identify the additional processing condition to be relied upon in sharing that personal data (see Articles 9 and 10 of the UK GDPR). The additional processing condition is likely to be different depending on the reason the personal data is being shared. For example, sharing personal data with the police is likely to engage a different processing condition from instructing an external investigator.
- In complex scenarios and/or when sharing sensitive information it is advisable to record decisions and judgments reached appropriately, whilst bearing in mind that such records could become accessible in response to a subject access request or litigation. Avoid taking blanket approaches as decisions need to take account of the particular circumstances.
- Once the above mapping and considerations have been undertaken, review the relevant privacy information and notices to ensure they accurately reflect the entirety of the data processing that is likely to take place. Consider how such privacy information, and the key elements of it, are made clear to individuals in appropriate ways, including at relevant points of any process when they are involved in what is likely to be a very stressful and sensitive situation.
- It can also be helpful to establish data sharing protocols with certain key stakeholder organisations where data sharing requests between organisations are likely. These frameworks should, however, allow flexibility on the question of precisely what information may be shared, which will depend on the circumstances.
Risk management
If the personal data of those involved is not handled correctly, there is a risk of harm being caused to an individual, a risk of a valid complaint to the ICO, and a risk of a civil claim from anyone who believes they have suffered loss or damage as a result of their personal data or private information being shared incorrectly.
It is also important to have in mind potential confidentiality obligations under common law, which are separate from the data protection obligations. Again, thought needs to be given, and advice taken, on how policies and procedures may be drafted to make clear where it is envisaged there might be justification for sharing what might otherwise be confidential information – and on how individuals will be told what will happen to the information they give. Also bear in mind that other legal frameworks and regulatory obligations can be relevant, such as human rights and equality law.
On receipt of a disclosure or allegation of harassment or sexual misconduct, there are further data protection considerations that should be borne in mind to ensure compliance with the UK GDPR and minimise the risk of a successful complaint to the ICO or civil claim. These include:
- Minimise the personal data involved at each stage of processing; in other words, limit what is being recorded to what is truly necessary for each stage of the investigation. This does not mean that no detailed or comprehensive notes may be taken, but it does mean that one needs to consider carefully what happens to those detailed notes.
- Only share the personal data that is truly necessary for the purpose in hand, e.g. what you give to the police could look very different from what you might share with reporting or reported individuals. In addition, is it truly necessary to share with each witness the full extent of the allegation, or indeed what other witnesses have said?
- Consider the confidentiality and integrity of what you are sharing and with whom, and how securely the personal data is stored and for how long. For example, consider password protecting internal emails and holding the personal data in a secure location that can only be accessed by relevant individuals. If appropriate, consider anonymisation to limit the impact of any data breach.
- If using an external investigator, remember “data protection by design” and ensure their data protection compliance through adequate privacy notices and data sharing agreements. Consider carefully the terms of reference for any external investigation and how that dovetails into internal procedures to ensure good governance.
Should you need any assistance with compliance with policy and process reviews or audits, E6 generally or any specific allegation or investigation, please contact your usual Mills & Reeve contact or a member of our education law team or employment education team.