A victory for defendants in privacy litigation

Disciplinary proceedings within the health and care sector are inherently complex and face numerous challenges. Organisations must maintain the balance between protecting personal data and upholding the standards of professional accountability. 
 
A common tactic employed by individuals subject to investigation is to raise data protection issues. Some concerns may be justified, and it is important that healthcare bodies adhere to UK General Data Protection Regulation (UK GDPR) guidelines, but it is common that issues are strategically raised to derail the investigative process and obstruct the review of valid and necessary evidence. Evidence may be gathered from many sources and, if relevant, should be capable of being used.

In October 2024, multiple Defendants were successful in their High Court application for strike out and/or summary judgment against claims under the Human Rights Act 1998, misuse of private information, and breach of data protection legislation (full decision here: Duke v Tameside College (& others). The Claimant was under investigation by his employer. He objected to the employer’s collection of employment references, WhatsApp messages from a private group, and Facebook messages he had sent to a student.

Some interesting points come from this case that may be useful for health and care organisations to remember:

1. The need to gather and interrogate information, for the purpose of a disciplinary process, can (and did) outweigh an expectation of privacy. The disciplinary investigation itself was necessary to fulfil contractual and general legal obligations of the employer. The UK GDPR was not created, nor should it be interpreted, to prevent normal employment processes from proceeding. 
2. While the Information Commissioner’s Office (ICO) had determined that the request for references from previous employers was not fair or transparent, as the Claimant had not been told it would occur, the obtaining of the references was a necessary part of the disciplinary process as they were needed to ascertain the facts. The judge disagreed with the ICO and states that “it ought to have been well within the Claimant's reasonable expectation that, in order to investigate whether he had failed to disclose the fact of his dismissal from those two institutions, each would be contacted and asked about it.” It is not necessary for a data controller to specifically inform a data subject of proposed processing, in circumstances where the reasonable person would consider it obvious that the processing would likely occur.
3. Where a Claimant is seeking to hinder an investigation through these types of arguments, they should be reminded of the risk that they will have to pay their opponent’s costs.  In this case, an application for indemnity costs was denied although the Claimant did receive specific admonishment as to his conduct and it was indicated that he risked indemnity costs should he repeat his behaviours in the future. Nonetheless, he was ordered to pay £27,250.

This judgment is good news for data controllers processing personal data for disciplinary proceedings. It reminds us that ICO outcomes in a Claimant’s favour are not always correct or persuasive for the courts. Claimants should think extremely carefully before taking a litigious route. 
 
Should you need any assistance following notification of a data protection claim, or responding to any regulatory action, please contact our contentious data law team.

Our content explained