Legal Articles

Subject access requests and the link to unfair dismissal

Home / Knowledge base / Subject access requests and the link to unfair dismissal

Posted by Christine Jackson on 28 September 2016

Christine Jackson - Commercial Contracts Solicitor
Christine Jackson Partner

In the recent case of McWilliams v Citibank NA the tribunal looked at the failure of Citibank to provide Ms McWilliams’ data following a Subject Access Request (SAR), and whether this contributed to an unfair dismissal.


Ms McWilliams had worked for Citibank since August 1998 as a trader. She regularly communicated with people from other banks, an online chat facility, and the discussions involved the disclosure of confidential information.

In June 2013, the Financial Conduct Authority (FCA) began investigating some financial organisations, including Citibank, because of its concerns about the sharing of confidential data by traders in online chat rooms and the manipulation of exchange rates. Citibank also held internal investigations, and this led to Ms McWilliams’ line manager being dismissed for sharing confidential client information with a trader at another bank. Subsequently, Ms McWilliams was investigated and suspended. Soon after, Ms McWilliams submitted a subject access request (SAR) requesting all of her data, together with her data collected by 25 colleagues. The bank refused to provide any data using the defence that it was disproportionate. Ms McWilliams narrowed down her search criteria and stated that the data requested was imperative to her responding to the disciplinary allegations. Again the bank refused, so she complained to the Information Commissioner’s Office (ICO). 

Ms McWilliams requested for the disciplinary hearing to be postponed following the outcome of the FCA’s investigation, as part of her case was Citibank’s relaxed attitude to compliance and that sharing confidential information was custom and practice. Despite this, Citibank pressed ahead with the disciplinary hearing in May 2014, and it dismissed Ms McWilliams in November 2015. However, importantly, it had undertaken a limited investigation before making its decision to dismiss, and the decision was made in September 2015 (two months before it was communicated to her).

Soon after, the FCA provided its outcome and stated, amongst other things, the guidance on chat rooms did not detail which types of communication were unacceptable. This supported Ms McWilliams’ defence.

Employment tribunal proceedings

The employment tribunal held that Citibank had failed to carry out a reasonable investigation as it did not investigate Ms McWilliams’ argument that sharing confidential information was the general practice. Together with other factors, Ms McWilliams was successful with her claims of unfair dismissal and wrongful dismissal (failure to pay notice); albeit she contributed to her dismissal through the sharing of confidential information.

Although this is to be dealt with by the ICO, the employment tribunal touched upon the SAR and stated it was not a fishing exercise (unlike a lot of SARs we see). It held that the internal investigation was unsatisfactory. As Ms McWilliams was out of the office suspended without access to information, this materially affected her ability to defend the allegations against her. 


In terms of employment lawMcWilliams v Citibank NA reinforces the need for employers to carry out fair and reasonable investigations and listen to the employees’ defence, or potentially face Employment Tribunal proceedings. From a data protection perspective, although previous case law suggests SARs are not a mechanism to assist a person with their litigious claim, it appears from this case that an employer should not dismiss a SAR because of the potential or on-going litigation.

Data protection is ever-changing, so we recommend training your staff on Data Protection, including SARs, the exemptions and the consequences of not complying with the DPA. You may not be aware, but currently, the ICO can issue fines of up to £500,000 (although this will increase to 4% of an organisation’s global annual turnover for the preceding year or 20 million Euros, whichever is the greater when the General Data Protection Regulations (GDPR) come into force on 25 May 2018). In addition, there is the employment tribunal side of litigation where an employee who is successful with their unfair dismissal could receive up to a years’ salary as compensation. This is not factoring in the cost and time of preparing for the hearing itself. 

About the author

Christine helps clients manage risk and financial exposure in their day to day business dealings.

Christine Jackson

Christine helps clients manage risk and financial exposure in their day to day business dealings.

Recent articles

20 October 2020 Setting up an EMI scheme for your company

Over 12,000 companies across the UK use an EMI scheme (Enterprise Management Incentive) as a way of attracting, retaining and motivating their key employees. Our guide covers all the steps to set up your EMI scheme.

Read article
16 October 2020 Sales and leasebacks and the changes to the planning use classes order

We're covering just two topics very different to each other but both in their own way creatures of this pandemic which is truly dominating our lives. Those topics are sales and lease backs and the recent changes introduced to the planning use classes order

Read article
16 October 2020 Co-habiting couples - How much protection do you have?

It is becoming more and more common for couples to live together and start a family without getting married or entering into a civil partnership. Until the law catches up in this area, cohabiting couples need to be aware of their limited legal rights.

Read article
How can we help?
01926 732512