Use of personal data in litigation and the legal proceedings exemption
23 March 2023
A recent decision has applied a wide interpretation of the legal proceedings exemption in the context of use of a non-party’s personal data in the Employment Tribunal.
The decision of the Sheriff’s Court in the case of Riley v The Student Housing Company (Ops) Limited concerned an employer’s data protection obligations when referring to a former employee in the course of defending a claim in the Employment Tribunal (ET). The main obligations in question were fairness and transparency, and purpose limitation. It is a helpful reminder of the issues that can arise when referring to a non-party in litigation, and considers the application of the legal proceedings exemption in defending a data protection claim by an enterprising claimant in those circumstances.
The claim was brought by R against his ex-employer. R complained that his personal data had been used by his ex-employer when defending itself in ET proceedings brought against it by another former employee, A. R had been A’s line manager and in those ET proceedings A had made various allegations about R’s behaviour, including that R had used derogatory language that referred to A’s disability. A was successful in his claim. R was referred to 162 times in the ET’s written decision. That decision was subsequently reported in an online article published by The Sun where R was named six times.
As a result, R claimed £75,000 for his ex-employer’s failure to comply with the UK General Data Protection Regulation (UKGDPR). The claim was for anxiety/distress and loss of employability caused by his ex-employer’s alleged failure to take the following steps:
- tell him about the ET proceedings;
- provide him with copies of the bundles;
- ask him to comment on the allegations made against him; and
- invite him to provide a witness statement.
R said that his ex-employer’s failure to take these steps constituted breach of its duties, as a data controller, to process his personal data:
- fairly and transparently (A5(1)(a) UKGDPR); and
- in a way that is compatible with the purpose for which it was collected (A5(1)(b) UKGDPR).
The ex-employer’s defence was that it was exempted from those duties in reliance on the legal proceedings exemption (paragraph 5(3) of Schedule 2 of the Data Protection Act 2018 (DPA 2018)). This exempts a controller from complying with various “listed” provisions – including fairness and transparency, as well as purpose limitation – where disclosure of the personal data is necessary for the purpose of, or in connection with, legal proceedings; or establishing, exercising or defending legal rights.
However, a controller is exempted only to the extent that applying the “listed” provisions would prevent the disclosure from being made. R argued that this meant that a data controller must attempt to comply with those provisions before seeking to rely on the exemption. This would be by undertaking a two-stage evaluative process: (1) assess what the requirements of fairness and transparency demanded in the circumstances; and (2) only seeking to rely on the exemption if those steps would prevent disclosure. It would be an inherently fact-sensitive exercise.
The Court rejected this argument. Instead, it found that the ex-employer was exempted from even attempting to apply the “listed” provisions because any evaluative process would have the potential of inhibiting a party’s conduct of the litigation. Even if the process were narrowed simply to informing R that his personal data was to be used, the Court considered that requiring a litigant to undertake a process of identifying what action is necessary creates the mischief in itself, regardless of what steps are ultimately identified and how limited or extensive they might turn out to be.
It held that a central tenet of an adversarial system, and therefore a vital characteristic of a fair hearing, is the right of a party to prepare and present its case as it deems fit. This includes when it comes to choosing who to call as a witness (in this case, it is notable that R was an alleged wrongdoer). Any process of seeking to comply with fairness and transparency, including through the steps identified by R, had the potential to impinge on a litigant’s right to a fair trial, and the purpose of the exemption was to ensure that the data controller’s duties do not impinge on that right.
The outcome in this case is not altogether unexpected taking into account the far-reaching consequences to the adversarial process were a litigant required to undertake the two-stage process proposed – a point acknowledged by all involved. However, whether (and, if so, the extent to which) this reasoning can be read over to other situations where this exemption is engaged, or indeed to the application of other prejudice-based exemptions (there are plenty of them in the DPA 2018) remains to be seen. Either way, it provides a nuance to the exemption which will be useful to controllers embroiled in litigation in that it suggests a very wide interpretation.
Some points perhaps to note:
- Whilst the legal proceedings exemption exempts a controller from many provisions in the DPA 2018, it will still need to comply with the lawfulness requirement. This includes having a lawful basis for the processing. Whilst in this case there was some debate about the correct lawful basis given that the ex-employer had mistakenly sought to rely on “vital interests”, it was conceded that the disclosure was lawful on a different basis.
- The word “necessary” is often overlooked when it comes to applying the various exemptions (and indeed much of the DPA 2018) – this requires that whilst the processing does not have to be essential, it must be a targeted and proportionate way to achieve the purpose. That was not a matter of dispute in this case, but worth keeping in mind.
Whilst the decision is interesting from a data protection perspective, it raises another big issue. The claimant in this case was attempting to grapple with the thorny issue of what happens when someone who is not involved in the litigation, and may know nothing about it, is referred to in the course of the proceedings and a resulting judgment. This is not unusual, especially in employment claims, but it can cause significant damage to that non-party’s rights and interests. As was seen here, the information can generally be republished without any legal recourse for the non-party, and is likely to become a matter of permanent public record, indexed by search engines.
Making such information available about a non-party is likely to engage procedural rights at common law (i.e. a duty of fairness) and under Article 8 of the European Convention on Human Rights (ECHR) (right to a private and family life) given that reputation is an aspect of an individual’s right to personal autonomy protected by the ECHR. But at the same time, documents filed in proceedings are covered by the open justice principle and rights under Article 10 ECHR (freedom of expression). These issues were not touched on in the decision though the judge did refer to rule 50 of the ET Rules and the power to anonymise a judgment even after proceedings have concluded. The 2021 Employment Appeal Tribunal decision in the case of TYU v. ILA Spa Ltd suggests that it is likely to be easier for individuals who are not a party to or a witness in the proceedings (and so had no expectation that they might be named in a public judgment) to secure such an order, as compared to the parties themselves. We consider this issue in more detail in our article Privacy and publicity: seeing justice done in the Employment Tribunal.
In this case, rather than attempt to put the genie back in the bottle by asking the ET to anonymise the judgment, the claimant chose instead to pursue a damages claim against his ex-employer. This strategy backfired and, as a result, there are now two available judgments publicly recording his behaviour instead of just one.
Riley v The Student Housing Company (Ops) Limited – judgment available here.