MAKE YOUR FREE Employee Privacy Notice
What we'll cover
What is an Employee Privacy Notice?
An Employee Privacy Notice explains to staff the ‘what, how, where, why and when?’ of how a data controller (ie the employer) processes (eg collects and stores) staff personal data (eg contact details and medical information). In other words, Employee Privacy Notices are statements detailing how employers collect, use, retain and disclose staff personal information.
This document is GDPR compliant.
When should I use an Employee Privacy Notice?
Use this Employee Privacy Notice:
-
if you employ staff and are based in England, Wales or Scotland
-
to inform staff about your use of their personal data
-
to help comply with your duty to protect the security of staff personal data
Sample Employee Privacy Notice
The terms in your document will update based on the information you provide
Rocket Lawyer members have customised over 4.8M documents
Documents and communicates
Complies with relevant laws
Ask a lawyer questions about your document
EMPLOYEE PRIVACY NOTICE
Statement and Purpose of Notice
- collects and processes personal data relating to its employees in order to manage its relationship with them. We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.
What Information Do We Collect?
- We collect and process a range of information about you. This includes:
- your name, address and contact details, including email address and telephone number, date of birth and gender;
- the terms and conditions of your employment;
- details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with us;
- information about your remuneration, including entitlement to benefits, such as pensions and insurance cover;
- details of your bank account and national insurance number;
- information about your marital status, next of kin, dependants and emergency contacts;
- information about your nationality and entitlement to work in the UK;
- details of your schedule (days of work and working hours) and attendance at work;
- details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals and the reasons for the leave;
- photographs or videos;
- details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence; and
- information about medical or health conditions, including whether or not you have a disability for which we need to make reasonable adjustments.
- We may collect this information in a variety of ways. For example, data might be collected through application forms, CVs or resumes; obtained from your passport; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.
- In some cases, we may collect personal data about you from third parties, such as references supplied by former employers.
- Data will be stored in a range of different places, including in your electronic personnel file, in our HR management systems and in other IT systems (including our email system).
Why Do We Process Personal Data?
- We need to process your personal data to enter into an employment contract with you and to meet our obligations under your employment contract. For example, we need to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer benefits, pension and insurance entitlements.
- In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, we are required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled.
- In other cases, we have a legitimate interest in processing personal data before, during and after the end of the employment relationship. Processing employee data allows us to:
- run recruitment and promotion processes;
- maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
- operate and keep a record of employee performance and related processes to confirm compliance with our internal policies and procedures, to plan for career development, and for succession planning and workforce management purposes;
- operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that we comply with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
- ensure effective general HR and business administration;
- provide references on request for current or former employees; and
- respond to and defend against legal claims.
- Some special categories of personal data, i.e. sensitive personal data, such as information about health or medical conditions, are processed by us where we have a legitimate interest to do so and to carry out employment law obligations (such as those in relation to employees with disabilities and to ensure the health and safety of all staff).
- We also collect information relating to your sickness records to maintain a record of your sickness absence and copies of any doctor's notes or other documents supplied to us in connection with your health, to inform your colleagues and others that you are absent through sickness as reasonably necessary to manage your absence, to deal with unacceptably high or suspicious sickness absence and to inform reviewers for appraisal purposes of your sickness absence levels.
- Where we process other special categories of personal data, such as information about ethnic origin, sexual orientation or religion or belief, this is done for the purposes of carrying out our legal obligations and exercising specific legal rights in relation to employment.
Who Has Access to Data?
- Your information may be shared internally, including with members of the HR and recruitment team (including payroll), your line manager, managers in the business area in which you work and IT staff if access to the data is necessary for the performance of their roles.
- We share your data with third parties in order to:
- obtain advice from professional advisers, including accountants, auditors, lawyers, insurers, bankers, and others;
- help third party service providers who provide products and services to us such as payroll, pension scheme and benefits administration, human resources, performance management, training, expense management, IT, etc; and
- facilitate the detection of crime or the collection of taxes or duties.
- We also share your data with third parties that process data on our behalf in connection with payroll and the provision of benefits.
- We may also disclose your personal data to third parties:
- when we determine that disclosure is required to protect our rights, property, or personal safety, or to respond to requests by public, regulatory, or law enforcement authorities, including to meet national security or law enforcement requirements; or
- if we sell some or all of our business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets, and if the transaction closes, then your personal data may be transferred to the buyer.
- If we transfer employee personal data to a third party vendor for processing (e.g. payroll services), we are responsible as the data controller for the processing of that data.
Choice
- We do not currently share your personal data with third parties other than our service providers who act on our behalf. However, if we decide to do so in the future, we will offer you the opportunity to choose (opt-out) before your personal data is disclosed to a third party controller (i.e. a non-service provider). Also, if we decide to use your data for purposes that are different from the purpose(s) for which it was originally collected or subsequently authorised by you, we will offer you the opportunity to choose (opt-out) before such use.
How Do We Protect Data?
- We take the protection of your data seriously. We have internal policies and controls in place to try and ensure that your data is not lost, accidentally destroyed, misused or disclosed and is not accessed except by our employees in the performance of their duties.
- Where we engage third parties to process personal data on our behalf, we do so on the basis of written instructions, and such third parties are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
For How Long Do We Keep Data?
- We will hold your data for the duration of your employment. The periods for which your data will be held after the end of employment are set out in our available.
Your Rights
- As a data subject, you have a number of rights. You can:
- access and obtain a copy of your personal data on request;
- require us to change incorrect or incomplete personal data;
- require us to delete or stop processing your data in certain circumstances such as where the data is no longer necessary for the purposes of processing;
- object to the processing of your data where we are relying on our legitimate interests as the legal ground for processing, in certain circumstances; and
- ask us to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override our legitimate grounds for processing data.
- If you would like to exercise any of these rights, please contact your line manager or a member of the HR Department.
Complaint Resolution
- If you believe that we have not complied with this Privacy Notice or your data protection rights, you have the right to file a complaint with the UK Information Commissioner’s Office (https://ico.org.uk/make-a-complaint/), however, we hope that you will attempt to resolve the complaint with us first.
- In addition, if you have any inquiries or complaints about the handling of your personal data, or about our privacy practices generally, please contact us at: and we will respond to your inquiry promptly.
What If You Do Not Provide Personal Data?
- You have some obligations under your employment contract to provide us with certain personal data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide us with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.
- Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable us to enter a contract of employment with you. If you do not provide other information, this will hinder our ability to administer the rights and obligations arising as a result of the employment relationship efficiently.
Changes To This Privacy Notice
- We reserve the right to change this Notice at any time as we may deem necessary from time to time or as may be required by law. We will provide you with a new Privacy Notice when we make any substantial changes. We may also notify you in other ways from time to time about the processing of your personal data.
Attribution
- This Privacy Notice was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).
About Employee Privacy Notices
Learn more about making your Employee Privacy Notice
-
How to make an Employee Privacy Notice
Making an Employee Privacy Notice online is simple. Just answer a few questions and Rocket Lawyer will build your document for you. When you have all of the details prepared in advance, making your document is a quick and easy process.
To make your Employee Privacy Notice you will need the following information:
Employer details
-
What is the name of the employer’s business?
-
What email address should employees contact about their data rights?
Data transfers
-
Will personal data be transferred outside of the UK and the European Economic Area (EEA)?
Data retention
-
Is information on how data is stored securely set out in:
-
Can a copy of the relevant policy be obtained from the employer (eg from the DPO or HR manager) and/or online? If the policy is available online, what is its URL?
-
-
Common terms in an Employee Privacy Notice
Employee Privacy Notices help employers comply with their legal obligation to inform staff about how they collect, use, retain and disclose staff personal data. To do this, the Privacy Notice template covers:
Statement and purpose of Notice
The start of the Notice sets out why the employer is adopting the Employee Privacy Notice and explains the employer’s commitment to transparency when processing staff personal data.
What information do we collect?
This section covers the types of personal data the employer collects. As various types of personal data may be collected, this section provides examples, including staff member names and addresses, bank account details and information about nationalities and entitlements to work in the UK.
This section also explains that these types of personal data may be collected and stored in various ways, providing examples.
Why do we process personal data?
This section explains the reasons for processing the personal data. The reasons are set out in a simple, easy-to-understand manner so that staff members can easily understand why their employer is processing their personal data.
Who has access to data?
This section explains that staff members’ personal data will be shared internally. It also details when personal data may be shared with and disclosed to third parties and why.
Choice
This section clarifies that the employer doesn’t currently share staff personal data with third parties other than service providers who act on the employer’s behalf. It also explains that, if the employer decides to share staff personal data with any other third parties, staff members will be given a choice regarding this disclosure. In other words, the employee can opt out of having their personal data shared with such third parties.
Transfers outside the United Kingdom and European Economic Area (EEA)
This section is only included in the Employee Privacy Notice if staff members’ personal data will be transferred outside the UK and EEA. If this is the case, this section sets out the safeguarding requirements that the employer must have in place and comply with for such international transfers.
How do we protect data?
This section explains that the employer takes the security of personal data seriously and details the relevant security measures (including data protection policies) that are in place. This also extends to how data security and protection are ensured when third parties are engaged to process personal data on the employer’s behalf.
For how long do we keep data?
This section sets out the time periods the employer will keep staff members’ personal data for. This will always be at least for the duration of their employment. For any post-employment data retention periods, this section encourages staff members to check the relevant data protection policies.
Your rights
This section details staff members’ data protection rights (ie the rights they have in relation to their personal data). It also provides the details of the person staff members should contact if they wish to exercise their data protection rights.
Complaint resolution
This section covers how staff members can raise a complaint about their employer’s processing of their personal data. While this includes complaining directly to the ICO, the Employee Privacy Notice encourages staff members to first attempt to resolve issues internally with the employer.
What if you do not provide personal data?
This section explains that staff members have to provide their employer with certain information under their Employment contract. It clarifies that without this information the employer won’t be able to properly manage and administer staff member engagements.
Changes to this Privacy Notice
This section explains that the Employee Privacy Notice can be changed by the employer whenever it is considered necessary. It also clarifies that staff members will be provided with an updated copy of the Employee Privacy Notice in due course.
If you want your Employee Privacy Notice to include further or more detailed provisions, you can edit your document. However, if you do this, you may want a lawyer to review or change the Privacy Notice for you, to make sure it complies with all relevant laws and meets your specific needs. Ask a lawyer for assistance.
-
Legal tips for making an Employee Privacy Notice
Ensure that you have a legal basis for processing personal data
Whenever you process personal data, you must have a legal ground for doing so. The Data Protection Act 2018 sets out specific legal bases for data processing. Examples include data processing in compliance with a legal obligation, data processing with the consent of the data subject (ie the person to whom the data relates, like a member of staff), or the employer having a legitimate interest in the processing.
Follows all relevant data protection obligations and procedures
Informing your staff members how you will be processing their personal data using an Employee Privacy Notice is just one part of meeting your data protection obligations as an employer and as a business. Not only do you need to make sure that you actually implement your Employee Privacy Notice and comply with the information set out in it, you also need to consider what further steps you need to take. This may involve adopting further policies or procedures (more on this below) and making sure they are implemented and followed, or changing internal processes within your business.
For more information, read Data protection, Data protection for businesses and Data protection and employees. If you need help with data protection compliance, seek GDPR compliance advice.
Determine which additional data protection documents you should adopt
Data protection compliance is a crucial aspect of running a business. To ensure that you comply with all relevant data protection laws, you should consider adopting various further documents to bolster data protection compliance. Examples include:
-
Data protection and data security policies - to notify staff and clients about how you process their personal data and otherwise comply with data protection obligations. Employee Privacy Notices act as simplified versions of data protection policies
-
Consultant privacy notices - these are similar to Employee Privacy Notices but apply consultants instead of employees and workers
-
Privacy policies - used to inform website users about the types of personal data website owners collect, the reasons for collection and how such data can be accessed
-
Data protection impact assessments (DPIAs) - DPIAs must be carried out whenever any personal data processing is likely to result in a high risk to individuals’ rights and freedoms
-
Data processing agreements (DPAs) - if data controllers (ie the parties who control how data is processed) transfer personal data to third parties (ie data processors) for them to process the data on behalf of the data controllers (eg cloud storage service providers)
Follow our How to make a business GDPR-compliant checklist to ensure your business meets its data protection obligations and read Data protection for businesses for more information.
Understand when to seek advice from a lawyer
Ask a lawyer for:
-
advice on the use of covert monitoring in the workplace
-
advice when the employer's use of staff data may infringe on staff members’ rights to privacy or relates to information about what staff members do outside work
-
help changing an existing Employee Privacy Notice
-
assistance if this document doesn’t meet your needs
-
Employee Privacy Notice FAQs
-
What is included in an Employee Privacy Notice?
This Employee Privacy Notice template covers:
-
employer details
-
the types of staff personal data collected by the employer
-
the purposes for processing the personal data
-
the uses the employer makes of staff personal data
-
who has access to staff personal data
-
transfers of data outside of the UK or European Economic Area (EEA)
-
measures to protect the security of personal data
-
staff members’ rights relating to their personal data
-
-
Why do I need an Employee Privacy Notice?
The UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) require employers to be transparent and open about the information they collect from staff. Employers should tell staff the types of data they might collect about them and what they do with it. An Employee Privacy Notice can be used to do this. For more information, read Data protection and employees.
-
How do I implement an Employee Privacy Notice?
Creating an Employee Privacy Notice and making sure it is readily available for staff will enable the Notice to be incorporated into your business. It should be readily available to staff to provide them with an overview of the personal data collected, used, retained and disclosed by their employer.
You can also include it in your Employee handbook for staff to read.
It is also crucial that your staff members know to whom to address any questions or concerns about personal data processing. This person (eg a data protection officer (DPO)) should be clearly identified in your Employee Privacy Notice.
-
How long can staff personal data be stored?
The GDPR and DPA don’t set out minimum or maximum time limits for keeping staff data; however, employers should not keep personal data for longer than necessary. Staff personal data can generally be stored for the duration of employment. After employment ends, staff personal data should be retained for no longer than necessary, based on the individual circumstances of the situation.
Data retention periods should be set out by the employer in internal policies (eg a data retention policy). Ask a lawyer if you do not have such a policy in place.
For more information, read Data protection principles.
-
Can data be transferred outside of the UK or European Economic Area (EEA)?
The transfer of personal data to recipients outside of the UK (ie recipients in 'third countries') is prohibited under the law on data protection unless certain safeguards are in place. An international transfer of personal data may, for example, be permitted:
-
if the third country the recipient is in has an adequate level of data protection, as determined by the Information Commissioner's Office (ICO). This includes the EEA
-
on the basis of standard data protection clauses approved by the UK
For more information, read International transfers of personal data.
-
-
What rights do staff members have in relation to their personal data?
Staff members have certain rights relating to personal data held about them, including:
-
the right to access their data and be informed about how their data is being processed
-
the right to have their data rectified if it's inaccurate or incomplete
-
the right to object to the processing
-
the right to have their data erased in certain circumstances
For more information, read Data protection requests and Data protection and privacy.
-
Our quality guarantee
We guarantee our service is safe and secure, and that properly signed Rocket Lawyer documents are legally enforceable under UK laws.
Need help? No problem!
Ask a question for free or get affordable legal advice from our lawyer.
