Can employers disclose details of disciplinary sanctions given to third parties as a result of their grievance?
Employers faced with grievances by an employee about serious misconduct by a colleague are often required to strike a delicate balance between supporting the wellbeing of the individual who raised concerns and complying with their wider obligations under data protection law.
On the one hand, as the employer you will want to provide reassurance to the individual who raised concerns that have been sustained following investigation, particularly where their ability to return safely to work or their confidence in the employer’s response is at stake. Looping back to a person who has raised sexual harassment allegations can feel almost like a no-brainer; for example, the Equality and Human Rights Commission recommends that employers should take steps to enable the disclosure of disciplinary outcomes to victims of sexual harassment where appropriate to do so. On the other hand, disciplinary sanctions and details relating to the perpetrator involve personal data, the disclosure of which is tightly regulated. Deciding whether, and to what extent, you can share information about disciplinary sanctions therefore requires a careful assessment of both employment relations considerations and data protection risks.
The general position under both data protection and employment law is that disciplinary matters are confidential, and employers should approach any disclosure to third parties with care, even where those parties were directly affected by the underlying behaviour. However, that doesn't mean disclosure is always prohibited.
Lawful basis for disclosure: legitimate interests
One viable legal basis for sharing details of a disciplinary outcome with the individual who raised the grievance is 'legitimate interests'. A wide range of purposes can amount to a legitimate interest, and taking steps to reassure an employee that serious concerns have been properly addressed, or to enable them to return to work safely, would potentially amount to one, provided the three‑stage legitimate interests test is satisfied.
This involves:
- Purpose test: Do you have a legitimate interest for using the personal information?
- Necessity test: Is your use of personal information necessary for that purpose? If those purposes can reasonably be achieved by alternative, less intrusive means, the legitimate interests basis will not apply.
- Balancing test: Do the person’s interests, rights or freedoms override the legitimate interest you’ve identified? An individual's interests are likely to override your legitimate interests where:
  - The use of their personal data would not be reasonably anticipated; or
  - The proposed use would cause unjustified harm.
It is important to be aware that while it may be possible to rely on the legitimate interests basis to share information about a disciplinary sanction with the individual who raised the complaint which led to it, it is far less likely that the same basis would justify sharing such information more widely within the organisation.
A very limited exception may arise where the incident has implications for the wider workforce. Even in those circumstances, any broader disclosure would need to be carefully assessed as part of the legitimate interests balancing exercise and would carry a heightened risk of data protection issues, given the potentially increased number of recipients.
Data protection risks and complaints
Even where you consider that there is a strong lawful basis for sharing grievance‑related personal data, it is important to remain mindful of the potential consequences of doing so. For example, the subject of the disciplinary sanction may:
- raise a formal data protection complaint;
- submit a data subject access request, which can be burdensome for employers as such requests often require significant time and resources to manage; and
- where they remain employed, allege that the disclosure amounts to a breach of the implied term of mutual trust and confidence, resign, and pursue a claim for constructive unfair dismissal.
To mitigate these risks, employers should ensure that there is a clear written data protection impact assessment and record setting out the rationale for any decision to disclose grievance‑related information. This should include:
- The lawful basis relied upon;
- The legitimate interests assessment undertaken (if relying on this lawful basis); and
- Why the disclosure was considered necessary and proportionate in the circumstances.
Key takeaways for employers
Decisions about disclosure will always need to be assessed on a case-by-case basis. Any employer which decides disclosure is justified must also comply with their data minimisation obligations (i.e. ensuring that only information that is strictly necessary to achieve the intended aim is shared, and nothing more). This might be the difference between confirming to an individual that the appropriate disciplinary action has been taken and disclosing the precise sanction or the internal reasoning behind the decision. Again, what is considered necessary and proportionate will depend on the underlying circumstances of each case.
Employers should avoid adopting a blanket approach when dealing with these situations. Instead, best practice would be to:
- Make sure your privacy policy wording does not prevent disclosure of this kind (i.e. by anticipating that you may share personal data with third parties where it is necessary for the purposes of a legitimate interest for you to do so).
- Consider signposting the possibility of sanction disclosure (only on a limited basis and where deemed necessary and proportionate) to those who have raised serious complaints which led to the disciplinary, in your disciplinary and grievance policies.
- Always start from the principle of confidentiality.
- Clearly identify what you are trying to achieve by any disclosure.
- Assess whether sharing the fact of disciplinary action is sufficient, without disclosing the sanction itself.
- Carry out and document a data protection impact assessment in every case.
- Only share the minimum necessary information and ensure you have a clear audit trail.
With careful handling, it is possible to balance support for complainants with data protection obligations, but this balance must be reached thoughtfully and be capable of withstanding scrutiny.
Please contact Charlie Maples and/or Joe Bryon-Edmond, if you would like to discuss further how we can support your organisation.