This is a very interesting article by Gareth Thomas and Tess Lumsdaine from the Herbert Smith Freehills team in Hong Kong. And although they are speaking predominantly from their experiences in Hong Kong, I cannot help but notice how it mirrors what we are seeing in the EU under GDPR and preceding legislation.
Employers undoubtedly hold a lot of information about employees - there is no alternative. But the requirements under employment law and data protection law can vary substantially in terms of what employers have to provide, therefore there has been a rise in the number of data requests that coincide with employment disputes, or potential employment disputes.
In situations like this, employers need to be careful about what is provided and ensure they are not shooting themselves in the foot. Specific attention needs to be taken when determining what information needs to be disclosed as part of the response to a data request, as stated in the article: "While employees are entitled to a copy of their personal data, they [do] not have the right to see every document in which the employee is referred to..."
To enable companies to respond to data requests efficiently and effectively, they need to ensure that they both fully understand their data environment, including where and how data is stored, as well as how best to use technology. This can often involve the use of machine learning and other analytical tools to enhance the process, but there is no panacea. Therefore, anyone facing these challenges not only needs to address the problem from a legal perspective but also from a technology / eDiscovery practice.
Given the trend towards claims based on breach of an implied contractual term, employers need to take particular care in how they conduct internal investigations and disciplinary procedures and what personal data is recorded and retained in relation to such procedures. In particular, employers should be familiar with their obligations under the PDPO to ensure that they are meeting their obligations but are not providing information to employees or former employees which they are not obliged to provide and that is confidential, privileged or may increase their exposure to a potential claim.