Is an employer required to redact personal data due to their UK GDPR obligations when disclosing documents in ET or High Court litigation?

Consider the following scenario: you are advising a Respondent in an equal pay and sex discrimination claim where the Claimant argues that she received a lower base salary and discretionary bonus due to her sex. As part of the Respondent’s defence, they intend to deploy a series of male and female evidential comparators so that the Employment Tribunal (“ET”) can have a better understanding of how remuneration is approached within their organisation. The Respondent then discloses a series of documents regarding these evidential comparators but decides to redact information regarding their personal data since the Respondent is of the view that they are required to do so in order to comply with their obligations as a controller under the UK GDPR.

Is this approach permissible?

In this article, I set out: (i) an overview of how the High Court (in particular, the Business and Property Courts) and the ET approaches redactions; (ii) a general overview of an employer’s obligations under the UK GDPR (and whether any exemptions applies when an employer is pursuing or defending a claim); and (iii) the circumstances in which an employer can redact personal data due to their obligations under the UK GDPR (when disclosing documents in the High Court and the ET).

How does the ET and the Business and Property Courts approach redactions?

The principles behind redactions are virtually the same in the ET and the High Court. In summary:

• The overriding objective of both rule 3 of the ET Rules 2024 and CPR 1.1 state that dealing with a case fairly and justly includes ensuring that the parties are on an equal footing. The courts are mindful that enabling a party to disclose heavily redacted documents (without justification) might mean that the parties are not on an equal footing; see, for example, Atos Consulting Ltd v Avis Europe Plc [2007] EWHC 323 (TCC) at §34.
• It is well-established in both the ET and the High Court that a litigant can redact parts of a document where it contains information covered by legal professional privilege.
• A litigant should not unilaterally redact documents to protect confidentiality, as doing so reduces the value of the redacted document for the purpose for which it was disclosed; Rahmatullah v Ministry of Defence [2019] EWHC 3849 (QB) at §§25-27 and Matthews and Malek on Disclosure (6th Edition) at §9-48. 
• Practice Direction 57AD – Disclosure in the Business and Property Courts (“the Practice Direction”) state at §16.1 that a party only has the right to redact part or parts of a document that comprises data that is “irrelevant to any issue in the proceedings, and confidential” or which is covered by legal professional privilege. The Practice Direction goes on to state at §16.2 that “[a]ny redaction must be accompanied by an explanation of the basis on which it has been undertaken and confirmation, where a legal representative has conduct of litigation for the redacting party, that the redaction has been reviewed by a legal representative with control of the disclosure process. A party wishing to challenge the redaction of data must apply to the court by application notice supported where necessary by a witness statement.” It is advisable that a party’s legal representative adopt the same approach in ET litigation (particularly where they disclose a large volume of redacted documents), as this will assist them in responding to any challenge.
• The EAT stated in Frewer v Google UK Limited [2022] EAT 34 at §25 that “if material is likely to support or be adverse to a party's case and is necessary for the fair disposal of the proceedings it should be disclosed, and cannot be redacted merely on the basis that it is confidential. Any order for redaction on grounds of confidentiality must be made only where necessary on an application supported by evidence having full regard to the open justice principle, usually pursuant Rule 50 ET Rules [2013] [now rule 49 ET Rules 2024].” Similarly, a party in High Court proceedings can make an application pursuant to CPR 39.2(2) or 39.2(4) to achieve the same effect.

Both the Employment Appeal Tribunal and the High Court have in the past expressed significant concerns over the practice of redacting disclosable documents, not least because of the fear that the legal representative overseeing the disclosure process might either abuse the right to redact documents or otherwise liberally interpret the rules; see, for example, Virgin Atlantic Airways Limited v Loverseed [2024] EAT 79 at §36 and WH Holding Limited v E20 Stadium LLP [2018] EWHC 2578 (Ch) at §37.

A broad overview of an employer’s obligations under the UK GDPR when managing the disclosure process in litigation

An employer is treated as a controller for UK GDPR purposes. A controller is the main decision-maker who exercises overall control over the purposes and means of the processing of personal data of job applicants and employees.

A controller is expected to comply with and demonstrate compliance of the data protection principles as well as other UK GDPR requirements. They are also responsible for the processor’s compliance of the UK GDPR.

The following provisions of the UK GDPR are of relevance here:

• Article 5(1) of the UK GDPR sets out the various principles regarding how personal data should be processed. One of the principles is that personal data shall be “processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)”.
• To comply with this requirement, the employer must satisfy one of the grounds set out in Article 6(1) UK GDPR, which are:

1. “the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. (b)  processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. processing is necessary for compliance with a legal obligation to which the controller is subject;
4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

• Article 9(1) UK GDPR goes on to state that the processing of personal data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited”(“special categories of personal data”) , unless if one of the exceptions in article 9(2) UK GDPR apply. Of note, article 9(2)(f) expressly allows the processing of special categories of personal data where this is “necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.”

Furthermore, paragraph 5(2) and (3) of the Schedule 2 of the Data Protection Act 2018 (“DPA 2018”) provides that:

“(2)  The listed GDPR provisions do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure.

(3)  The listed GDPR provisions do not apply to personal data where disclosure of the data—

1. is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings
2. is necessary for the purpose of obtaining legal advice, or
3. is otherwise necessary for the purposes of establishing, exercising or defending legal rights,

 to the extent that the application of those provisions would prevent the controller from making the disclosure.”

Can third party data be redacted from a disclosure bundle due to the employer’s obligations under the UK GDPR?

In the recent High Court decision of Cotham School v Bristol City Council & Ors [2025] EWHC 1382 (Ch), HHJ Paul Matthews was faced with a situation where the trial bundle contained documents which were redacted (usually to remove names and other personal details of individuals). HHJ Paul Matthews in Cotham School held that as a general proposition, this practice should not happen. He further stated at §§97-98 that:

“97.  I do understand that in these modern times those who handle documents containing personal data (particularly in public sector occupations) are used to routinely redacting documents before allowing third parties to see them, because they do not wish to fall foul of data protection rules. But, in deciding a case like this, with events over many years to consider, and many people involved from different organisations, it makes the court's job much more difficult if the identities of those sending or receiving letters or emails, or taking part in meetings, are anonymised from an excess of data protection zeal. I remind all parties (and indeed all readers of this judgment) that the data protection legislation contains wide exemptions for the use of personal data in legal proceedings, so that liability will not attach to the disclosure of personal data for the purposes of these proceedings: see eg the Data Protection Act 2018, section 15, Sch 2 paras 5 and 14.

98.  Of course, there are types of litigation (such as where the interests and welfare of children are concerned) where a different regime applies. But this is ordinary litigation in the Business and Property Courts, and such special regimes do not apply here. I also accept that there may be exceptional cases even in ordinary civil litigation where some special harm may ensue from the disclosure of personal data, quite outside the data protection rules. However, lawyers are well used to dealing with such cases, for example by specific redaction (justified in advance), the non-provision of certain documents to the public, or even the court sitting in private. But there should be no such wholesale and general redaction of personal data as has taken place here.”

As set out above, the UK GDPR and the DPA 2018 contains wide exemptions for the use of personal data in legal proceedings, thereby enabling an employer to pursue or defend a legal claim. A party who argues that they are precluded from disclosing certain documents in unredacted form as part of the disclosure process due to their obligations under the UK GDPR is therefore mistaken.

Circling back to the hypothetical scenario above, a Respondent in an equal pay and sex discrimination claim will invariably have to disclose confidential information regarding their employees if the Respondent seeks to deploy a series of evidential comparators to show that their remuneration practices are not tainted by sex discrimination. Although such documents may very well contain personal data regarding the employer’s data subjects, it is not permissible to apply redactions if the information is relevant to the issues in dispute. As set out above, a party is only able to redact parts of documents where the information either relates to privileged material or information which is irrelevant and confidential.

Understandably, this might cause concern for some employers, particularly where they are very reluctant to have confidential information or personal data disclosed (which isn’t otherwise covered by legal professional privilege). The solution, however, isn’t for the employer to unilaterally apply redactions over confidential information or personal data. Rather, the correct approach would be for: (i) the employer to disclose the documents in question, unredacted; and (ii) make an application under rule 49 of the ET Rules 2024 or an application under CPR 39.2(2) or (4) (if the claim is in the High Court) to ensure that the court or tribunal imposes certain privacy measures.

Examples of orders which a party may seek under rule 49 of the ET Rules / CPR 39.2 include:

• An order for confidential data in documents to be redacted in the hearing bundle (as suggested in Frewer);
• An order for the identity of a person to be anonymised;
• An order for a restricted reporting order; and
• An order for the hearing, or any part of it, to be held in private.

As such, making an application under rule 49 of the ET Rules / CPR 39.2 is advisable in circumstances where an employer expresses significant reluctance in being required to disclose documents containing employee’s personal data or confidential information (whilst having full regard to the principles of open justice).

Lucas Nacif is an employment and business disputes barrister at 42BR Barristers. Lucas welcomes instructions on issues regarding disclosure, privilege and privacy / anonymity in the Employment Tribunal and the Business & Property Courts. Please contact Lucas’ clerks at 42BR Barristers ([email protected] or [email protected])  should you wish to instruct him.

26th Jun 2025

Lucas Nacif

Call 2021