Employer’s investigation of alleged criminality outside the workplace not in breach of employee’s data protection or privacy rights

Employer’s investigation of alleged criminality outside the workplace not in breach of employee’s data protection or privacy rights

CategoryArticles, News Author David Mitchell Date

On 1st September judgment in Hopkins v HMRC [2020] EWHC 2355 (QB) was handed down by Steyn J sitting in the Media & Communications List of the QBD. Dr Hopkins,  a civil servant employee of HMRC, brought extensive claims against her employer following her suspension and the institution of a disciplinary investigation after she disclosed that she had been arrested for offences including a serious sexual offence. The disciplinary investigation also concerned an incident where a car Dr Hopkins had hired through her employer’s corporate policy, and in which she was travelling as a passenger, was stopped by the police. The driver of the vehicle was a 15-year-old male who did not hold a driving licence, was uninsured and under the influence of cannabis.

Unusually, given the details of the case, Dr Hopkins did not seek orders for anonymisation or restricted reporting. In summary, it was Dr Hopkins’ case that the disciplinary process (including her suspension) was in breach of her employment contract, the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA) and her fundamental rights. Dr Hopkins raised various other claims including defamation and malicious falsehood.

Steyn J struck out the claims in their entirety, alternatively granted summary judgment in HMRC’s favour, save for two complaints of breach of contract concerning the length of her suspension (some two years) which the Claimant contended had caused her psychological illness (Gogay v Hertfordshire County Council [2000] IRLR 703) and one complaint under the GDPR concerning HMRC’s delay in responding to a subject access data request (Article 12(3)).

The remainder of the Claimant’s claims under Articles 5, 7, 12, 13, 15, 18 and 21 GDPR were struck out. Steyn J gave short shrift to the Claimant’s contentions that the Civil Service Code did not regulate her conduct outside the workplace or that it was unlawful for her employer to investigate allegations of the commission of criminal offences which had taken place outside the workplace (applying Cooper v National Crime Agency [2019] EWCA Civ 16 and Laverty v Police Service for Northern Ireland [2015] NICA 75).

Whilst the judgment firmly rebuts the Claimant’s attempts to undermine the lawfulness of HMRC’s disciplinary procedures based on the processing of her personal data, including criminal offence data, it nonetheless serves as a reminder of an employer’s obligation to keep under close review the period of an employee’s suspension.

David Mitchell acted for HMRC.

Related Barristers

Legal updates

Subscribe to our newsletters, updates and seminars.


Call +44 (0)20 7832 1111 for more information

Barrister portfolio


Click the + icon next to any barrister to add their profile to this portfolio.

Barrister Call CV Email