See that you meet your legal obligation to inform staff about how you collect, use, retain and disclose their personal data.
This document is GDPR compliant.
Recently reviewed by Lauren Delin, Solicitor.
This employee privacy notice was last reviewed on 3 September 2021.
Use this employee privacy notice:
if you employ staff and are based in England, Wales or Scotland
to inform staff about your use of their personal data
to help comply with your duty to protect the security of staff personal data
This employee privacy notice covers:
employer details
the types of staff personal data collected by the employer
the purposes for processing the data
the uses the employer makes of staff personal data
who has access to staff personal data
transfer of data outside of the UK or European Economic Area (EEA)
measures to protect the security of personal data
data retention periods
staff members’ rights relating to their personal data
An employee privacy notice is a document that explains to staff the ‘what, how, where, why and when?’ regarding how a data controller (ie the employer) processes (eg collects and stores) staff personal data (eg contact details and medical information). In other words, an employee privacy notice is a statement detailing how employers collect, use, retain and disclose staff personal information.
For more information, read Processing personal data.
The UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) require employers to be transparent and open about the information they collect from staff. Employers should tell staff the types of data they might collect about them and what they do with it. An employee privacy notice can be used to do this.
For more information, read Data protection and employees.
By creating an employee privacy notice and making sure it is readily available for staff, it will be incorporated into your business. It should be readily available to staff to provide them with an overview of the personal data collected, used, retained and disclosed by their employer.
You can also include it in your employee handbook for staff to read.
The GDPR and DPA don’t set out minimum or maximum time limits for keeping staff data; however, employers should not keep personal data for longer than necessary. Therefore, staff personal data can generally be stored for the duration of employment. After employment ends, staff personal data should be retained for no longer than necessary, based on the individual circumstances of the situation.
Data retention periods should be set out by the employer in internal policies (eg a data retention policy or information security policy). Ask a lawyer if you do not have such a policy in place.
The transfer of personal data to recipients outside the UK (known as 'third country') is prohibited under the law on data protection unless certain safeguards are put in place. The international transfer of personal data may be permitted:
if the third country has an adequate level of data protection, as determined by the Information Commissioner's Office (ICO)
on the basis of standard data protection clauses approved by the UK
For more information, read International transfers of personal data.
Staff members have certain rights relating to personal data held about them, including:
the right to access their data and be informed about how their data is being processed
the right to have their data rectified if it's inaccurate or incomplete
the right to object to the processing
the right to have their data erased in certain circumstances
For more information, read Data protection and privacy.
Ask a lawyer for:
advice on the use of covert monitoring in the workplace
issues where employer's use of staff data may infringe their right to privacy or relates to information about what they do outside work
changing an existing employee privacy notice
This employee privacy notice is governed by the law of England and Wales or the law of Scotland.
Answer a few simple questions to make your Employee privacy notice in minutes
Make document