Where, following an investigation, the employer concludes that no disciplinary action is necessary, what should it do with the information gathered during the investigation?

Under the fair processing principles of the General Data Protection Regulation (2016/679 EU) (GDPR), an employer should not retain information about an employee that is not relevant, and must not keep information for longer than necessary. The Information Commissioner's Data protection employment practices code states that information relating to unsubstantiated allegations should be removed from an employee's disciplinary record unless there are exceptional reasons for retaining some record. While the code relates to the Data Protection Act 1998, rather than the GDPR regime, it remains useful for employers, pending updated guidance from the Information Commissioner, as the underlying principles remain the same.

If the employer decides that no disciplinary action is necessary because it has concluded that there has been no misconduct or that the employee is not guilty of the misconduct, the information gathered during the investigation should not be kept, unless there are exceptional reasons for keeping it.

However, if the employer decides that, although the allegations against the employee are substantiated, no disciplinary action is necessary, for example because of mitigating circumstances, it may be appropriate for it to retain the information. The employer should consider whether or not the information will remain relevant to the employment relationship. The information may be relevant, for example, if the employee claims during future disciplinary proceedings that he or she should be treated leniently because he or she has not committed misconduct in the past. However, the employer should not rely on the information to reach a decision to take disciplinary action against the employee that it would otherwise not take.