A perfect storm? Disclosure obligations post-GDPR in employers’ liability claims

Insurers face challenges investigating claims due to companies’ anxieties over data protection and fear of breaching data management obligations, accentuated by the advent of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).

At the same time, defendant companies are under a legal duty to identify and disclose documents relevant to the issues in a case, and insurers must assess liability quickly following the presentation of a claim. They cannot do this without access to data held by their insured, which invariably requires the processing of personal data.

These apparently competing objectives are causing increasing difficulties for insurers.


‘Personal data’ under the DPA means information about a living individual from which they could be identified. Almost anything you do with that data counts as ‘processing’, including recording, analysing and disclosing it. Therefore, providing documentary evidence to enable an insurance company to investigate a claim will inevitably involve the processing of personal data. Furthermore, some personal data is classed as ‘special category’, for example, health information.

The processing of personal data will be lawful if the individual consents, but this is not necessarily required and may be impractical in the context of litigation. In the absence of consent, the processing will be lawful if ‘necessary’ for one of a range of purposes stated in the GDPR.

Processing personal data – when is it ‘necessary’?

If not ‘special category’, personal data processing will be considered lawful if necessary to comply with a legal obligation. A defendant company is legally obliged to disclose relevant data to the claimant. It would seem implicit in that obligation that the company is entitled to legal advice from its insurer as to which documents must be disclosed.

Further, disclosure will be lawful if necessary for the legitimate interests pursued by the company, or a third party, except where such interests are overridden by the interests and fundamental rights and freedoms of the employee.

If ‘special category’, additional conditions must be satisfied, which include being necessary for the ‘establishment, exercise or defence of legal claims’. It seems this must apply where a company is being sued by an employee and needs to provide its insurer with appropriate disclosure to enable them to assess liability.

Exception from GDPR conditions

Even where disclosure is not covered by one of the lawful processing conditions, the DPA provides that, in certain exceptional circumstances, the GDPR conditions do not apply if their application would otherwise prevent disclosure.

Those exceptional circumstances include:

  • Where the data controller is legally obliged to make information available to the public.
  • Where disclosure of the data is required by a rule of law or an order of the court.
  • Where disclosure of the data is:
    • Necessary for or in connection with legal proceedings (including prospective legal proceedings)
    • Necessary to obtain legal advice
    • Necessary to establish, exercise or defend legal rights.

The relevance of these exceptions to insurer investigations and the provision of legal advice in the context of litigation is obvious.

Steps to follow

A defendant company must ensure that its disclosure of personal data is lawful, but this should not obstruct its ability to obtain informed legal advice when sued by an employee, or its insurer’s need to assess liability quickly and respond to a claim.

A blanket demand for written consent from the claimant is unhelpful and unnecessary. It presents a number of practical problems, including:

  • Delay – especially problematic when your insurer needs to respond to the Claims Notification Form/Letter of Claim quickly.
  • The possibility of refusal – the claimant may refuse to provide it on the basis that it is not required.


Care is needed in relation to documents that identify other individuals, such as training records and attendance sheets. Generally, in such circumstances, the names and other identifying information of those people not subject to the claim should be redacted. However, there may be cases where it is relevant that another individual is named. In those circumstances, the document should be disclosed unredacted, with reliance placed on the exemption that disclosure was necessary for the purpose of legal proceedings or for obtaining legal advice.


GDPR should not prevent a company obtaining proper legal advice, or its insurers being able to assess the merits of a claim. The rules on data protection are designed to put sensible structures in place to ensure that personal data is suitably protected, whilst recognising that legitimate, ‘necessary’ grounds for processing exist in the absence of consent.

Companies must familiarise themselves with those grounds and, in the context of litigation, have particular regard to the fact that the GDPR will consider processing necessary if required to comply with a legal obligation or to pursue their legitimate interests. Greater familiarity with the provisions should ensure that insurers’ attempts to investigate claims are not blocked, or delayed, by unfounded fear of a data breach.

Read other items in Personal Injury Brief - June 2019
