Sheriff finds use of employee’s personal data in context of defending legal proceedings did not breach UK GDPR
A Dunfermline sheriff has dismissed an action by a former employee of a student housing provider who alleged that his employer had breached UK GDPR rules when processing his personal data in the context of defending tribunal proceedings brought by another employee.
About this case:
- Citation:[2023] SC DNF 7
- Judgment:
- Court:Sheriff Court
- Judge:Sheriff Lugton
Courtney Riley, who was employed by the Student Housing Company until 31 December 2019, sought £75,000 for distress and anxiety caused by the tribunal proceedings, which named him directly and caused him to be the subject of negative press coverage. The defender averred that it was exempt from the relevant provisions as any disclosures were made in connection with legal proceedings.
The action was heard by Sheriff Charles Lugton in Dunfermline Sheriff Court. McWhirter, advocate, appeared for the defender and Sloan, advocate, for the pursuer.
Normal principles
While in employment with the defender, the pursuer was the line manager of another employee, Mr Adamson, who made a number of complaints about his behaviour. Mr Adamson raised employment tribunal proceedings against the defender based on breaches of the Equality Act 2010 in which he claimed the pursuer had used derogatory language in reference to his disability.
Mr Adamson was awarded £9,500 by the employment tribunal, which referred to the pursuer 162 times in its written decision. The decision was later reported on the website of The Sun, with the pursuer named a further 6 times in the article. The pursuer, who was not involved in the proceedings directly, averred that the defender should have told him about the tribunal claim, asked him to comment on the allegations made against him, and invited him to provide a witness statement.
It was the pursuer’s case that the defender’s failure to take these steps constituted a breach of its duty to process his personal data fairly in terms of Article 5(1)(a) of the UK General Data Protection Regulations. The exemption for legal proceedings would only take effect if the data controller could not otherwise comply with the listed provisions.
For the defender it was submitted that it was not necessary for a controller to demonstrate it was impossible to comply with the listed GDPR provisions in order to rely on the exemption. The effect of the exemption was that there was no need for data to be processed in accordance with the normal principles, otherwise it would serve no purpose. It was further submitted that the pursuer’s averments as to causation were irrelevant and as regards quantum, lacking in specification.
Inherently fact-sensitive
In his decision, Sheriff Lugton began by observing: “The rationale for the exemption contained in Paragraph 5(3) of Schedule 2 appears to be that a party’s duties as a data controller should not fetter its discretion to conduct litigation as it sees fit in pursuance of the vindication of its legal rights, or impinge on its right to a fair trial in terms of Article 6 of ECHR. It is because of the potential for tension to arise between these considerations that the exemption is necessary.”
Assessing the pursuer’s position on the operation of the exemption, he said: “Counsel for the pursuer submitted that when data is to be disclosed in the context of litigation the data controller must undertake a two-stage process, first assessing what the requirements of fairness and transparency demand in the circumstances and only seeking to rely on the exemption if those steps would prevent disclosure. He described this as an inherently fact- sensitive exercise.”
He continued: “But in practice requiring a party to go through an evaluative process of this kind would have the potential to inhibit a party’s conduct of the litigation. It is not hard to imagine the looming spectre of a possible claim for a breach of Article 5(1)(a) interfering with the sort of tactical decisions that a litigant will usually take at the point of lodging productions and citing witnesses. It is not consistent with the right to a fair trial that a party should have to look in two directions in this way.”
Turning to the purpose of the legislation the sheriff said: “Given [the] scope for the process of applying Article 5(1)(a) to restrict or prevent the content of disclosures, Paragraph 5(3) of Schedule 2 exempts a data controller from complying with it. This interpretation is consistent with the purpose of the exemption, which is to ensure that a litigant’s duties as a data controller do not impinge on its right to a fair trial.”
He concluded: “As the pursuer does not offer to prove what personal data was processed, it is difficult to see how he can establish either that the defender breached its duties or that he suffered any damage as a result. Accordingly, I consider that the pursuer’s averments regarding the personal data alleged to have been processed are so lacking in specification as to be irrelevant.”
Sheriff Lugton therefore held that the pursuer’s case was irrelevant and dismissed the action.