Make your Free Employee Privacy Notice

See that you meet your legal obligation to inform staff about how you collect, use, retain and disclose their personal data.

This document is GDPR compliant.

Recently reviewed by Lauren Delin, Solicitor. 

This employee privacy notice was last reviewed on 3 September 2021.

Use this employee privacy notice:

• if you employ staff and are based in England, Wales or Scotland

• to inform staff about your use of their personal data

• to help comply with your duty to protect the security of staff personal data

This employee privacy notice covers:

• employer details

• the types of staff personal data collected by the employer

• the purposes for processing the data 

• the uses the employer makes of staff personal data

• who has access to staff personal data

• transfer of data outside of the UK or European Economic Area (EEA)

• measures to protect the security of personal data

• data retention periods

• staff members’ rights relating to their personal data

An employee privacy notice is a document that explains to staff the ‘what, how, where, why and when?’ regarding how a data controller (ie the employer) processes (eg collects and stores) staff personal data (eg contact details and medical information). In other words, an employee privacy notice is a statement detailing how employers collect, use, retain and disclose staff personal information.

For more information, read Processing personal data.

The UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) require employers to be transparent and open about the information they collect from staff. Employers should tell staff the types of data they might collect about them and what they do with it. An employee privacy notice can be used to do this.

For more information, read Data protection and employees.

By creating an employee privacy notice and making sure it is readily available for staff, it will be incorporated into your business. It should be readily available to staff to provide them with an overview of the personal data collected, used, retained and disclosed by their employer.

You can also include it in your employee handbook for staff to read.

The GDPR and DPA don’t set out minimum or maximum time limits for keeping staff data; however, employers should not keep personal data for longer than necessary. Therefore, staff personal data can generally be stored for the duration of employment. After employment ends, staff personal data should be retained for no longer than necessary, based on the individual circumstances of the situation.

Data retention periods should be set out by the employer in internal policies (eg a data retention policy or Information security policy). Ask a lawyer if you do not have such a policy in place.

The transfer of personal data to recipients outside the UK (known as 'third country') is prohibited under the law on data protection unless certain safeguards are put in place. The international transfer of personal data may be permitted:

• if the third country has an adequate level of data protection, as determined by the Information Commissioner's Office (ICO)

• on the basis of standard data protection clauses approved by the UK

For more information, read International transfers of personal data.

Staff members have certain rights relating to personal data held about them, including:

• the right to access their data and be informed about how their data is being processed

• the right to have their data rectified if it's inaccurate or incomplete

• the right to object to the processing

• the right to have their data erased in certain circumstances

For more information, read Data protection and privacy.