Protection of personal data in internal investigations
Poland’s data protection regulations do not directly address internal investigations, but that does not mean they do not apply. In fact they can play a major role in drawing the line between lawful and unlawful investigative measures.
A necessary element of internal investigations is analysis of documents and correspondence of persons working in the company or other organisation being investigated. Depending on the purpose for which it was decided to launch the investigation, the scope of documents may be broad enough to cover not only documents in the traditional sense of the term but also data stored in servers and in individual users’ computers (including email), as well as data from company-owned phones and other mobile devices.
Unavoidably, such data sets contain a range of personal data, from the names of individuals to the IP addresses from which they logged onto the company server.
The general rules that must be complied with for personal data to be processed in accordance with the law also apply to processing of personal data in internal investigations, regardless of whether the investigation is preventive in nature or is carried out due to the existence of an actual incident posing a threat to the organisation. Personal data may be processed only when at least one of the conditions set forth in Art. 23 of the Personal Data Protection Act is met (or Art. 27 with respect to sensitive data, i.e. data related to individuals’ health, criminal record, religious affiliation, or several other categories of information identified in the act).
Two of the conditions set out in these provisions are relevant in the case of internal investigations. The first is the consent of the data subject (except for deletion of data, for which consent is not required). Consent must be given voluntarily. The second is that the processing must be necessary to achieve legally justified purposes pursued by the data controller, without infringing the rights and freedoms of the data subjects.
Obtaining the consent of all the interested persons can be difficult from an organisational point of view. Asking for consent may also compromise the element of confidentiality essential for the investigation and allow some to eliminate traces of unlawful behaviour. An additional issue arises out of the special nature of the relationship between employer and employee. Consent to processing of personal data given by an employee, regarded as the weaker party to the employment relationship and in a position of dependence on the employer, throws into question the employee’s freedom in this respect, and hence the legality of the processing of the employee’s personal data based on such consent. Theoretically, if the employee has complete freedom in deciding to give consent and could refuse to give consent without facing any negative consequences, such consent could sanction the legality of processing of the employee’s personal data. (A similar view has been taken by the European Commission’s Art. 29 Working Party on Data Protection and in rulings by Poland’s administrative courts.) In practice, however, if a dispute arises it may be difficult to prove that the employee freely consented to processing of his or her personal data in this context.
In addition, a use limitation principle is in force: if consent was given earlier but the purpose originally stated for collecting the data did not include internal investigations, the data controller must obtain consent again. In that case it is recommended to obtain the data subjects’ consent to the change in the purpose of the data processing.
An alternative basis for processing of personal data in an internal investigation could be derived from the legally justified purposes pursued by the data controller. The Personal Data Protection Act provides two examples of legally justified purposes: direct marketing of the data controller’s own products and enforcement of claims arising out of the data controller’s own business. However, the concept of “justified purpose” as such is not defined in the act.
In practice, the concept of a legally justified purpose of the data controller is interpreted broadly. In the employment context, it is cited as the basis sanctioning monitoring of employees in the workplace, including monitoring of employees’ use of IT systems and devices belonging to the employer (as the data controller).
Lawfully introduced monitoring of employees may prove to be an incredibly valuable tool when it becomes necessary to conduct an internal investigation, particularly when time is of the essence. Employee monitoring must not only be conducted in compliance with the law (including the Personal Data Protection Act), but must also meet the requirements of a justified purpose and the principle of proportionality. It must also fulfil the requirement of transparency. This means that employees should be aware that they are subject to monitoring, and under what rules, and the rules must be defined in detail. Conducting monitoring of staff without informing them in advance—even if there is a legally justified purpose—will violate the employee’s right to privacy, and in consequence the personal data will be processed without a proper basis.
Agnieszka Szydlik, Katarzyna Żukowska, Personal Data Protection Practice, Wardyński & Partners