MAKE YOUR FREE Employee Privacy Notice
What we'll cover
What is an Employee Privacy Notice?
An Employee Privacy Notice explains to staff the ‘what, how, where, why and when?’ of how a data controller (ie the employer) processes (eg collects and stores) staff personal data (eg contact details and medical information). In other words, Employee Privacy Notices are statements detailing how employers collect, use, retain and disclose staff personal information.
This document is GDPR compliant.
When should I use an Employee Privacy Notice?
Use this Employee Privacy Notice:
-
if you employ staff and are based in England, Wales or Scotland
-
to inform staff about your use of their personal data
-
to help comply with your duty to protect the security of staff personal data
Sample Employee Privacy Notice
The terms in your document will update based on the information you provide
About Employee Privacy Notices
Learn more about making your Employee Privacy Notice
-
How to make an Employee Privacy Notice
Making an Employee Privacy Notice online is simple. Just answer a few questions and Rocket Lawyer will build your document for you. When you have all of the details prepared in advance, making your document is a quick and easy process.
To make your Employee Privacy Notice you will need the following information:
Employer details
-
What is the name of the employer’s business?
-
What email address should employees contact about their data rights?
Data transfers
-
Will personal data be transferred outside of the UK and the European Economic Area (EEA)?
Data retention
-
Is information on how data is stored securely set out in:
-
Can a copy of the relevant policy be obtained from the employer (eg from the DPO or HR manager) and/or online? If the policy is available online, what is its URL?
-
-
Common terms in an Employee Privacy Notice
Employee Privacy Notices help employers comply with their legal obligation to inform staff about how they collect, use, retain and disclose staff personal data. To do this, the Privacy Notice template covers:
Statement and purpose of Notice
The start of the Notice sets out why the employer is adopting the Employee Privacy Notice and explains the employer’s commitment to transparency when processing staff personal data.
What information do we collect?
This section covers the types of personal data the employer collects. As various types of personal data may be collected, this section provides examples, including staff member names and addresses, bank account details and information about nationalities and entitlements to work in the UK.
This section also explains that these types of personal data may be collected and stored in various ways, providing examples.
Why do we process personal data?
This section explains the reasons for processing the personal data. The reasons are set out in a simple, easy-to-understand manner so that staff members can easily understand why their employer is processing their personal data.
Who has access to data?
This section explains that staff members’ personal data will be shared internally. It also details when personal data may be shared with and disclosed to third parties and why.
Choice
This section clarifies that the employer doesn’t currently share staff personal data with third parties other than service providers who act on the employer’s behalf. It also explains that, if the employer decides to share staff personal data with any other third parties, staff members will be given a choice regarding this disclosure. In other words, the employee can opt out of having their personal data shared with such third parties.
Transfers outside the United Kingdom and European Economic Area (EEA)
This section is only included in the Employee Privacy Notice if staff members’ personal data will be transferred outside the UK and EEA. If this is the case, this section sets out the safeguarding requirements that the employer must have in place and comply with for such international transfers.
How do we protect data?
This section explains that the employer takes the security of personal data seriously and details the relevant security measures (including data protection policies) that are in place. This also extends to how data security and protection are ensured when third parties are engaged to process personal data on the employer’s behalf.
For how long do we keep data?
This section sets out the time periods the employer will keep staff members’ personal data for. This will always be at least for the duration of their employment. For any post-employment data retention periods, this section encourages staff members to check the relevant data protection policies.
Your rights
This section details staff members’ data protection rights (ie the rights they have in relation to their personal data). It also provides the details of the person staff members should contact if they wish to exercise their data protection rights.
Complaint resolution
This section covers how staff members can raise a complaint about their employer’s processing of their personal data. While this includes complaining directly to the ICO, the Employee Privacy Notice encourages staff members to first attempt to resolve issues internally with the employer.
What if you do not provide personal data?
This section explains that staff members have to provide their employer with certain information under their Employment contract. It clarifies that without this information the employer won’t be able to properly manage and administer staff member engagements.
Changes to this Privacy Notice
This section explains that the Employee Privacy Notice can be changed by the employer whenever it is considered necessary. It also clarifies that staff members will be provided with an updated copy of the Employee Privacy Notice in due course.
If you want your Employee Privacy Notice to include further or more detailed provisions, you can edit your document. However, if you do this, you may want a lawyer to review or change the Privacy Notice for you, to make sure it complies with all relevant laws and meets your specific needs. Ask a lawyer for assistance.
-
Legal tips for making an Employee Privacy Notice
Ensure that you have a legal basis for processing personal data
Whenever you process personal data, you must have a legal ground for doing so. The Data Protection Act 2018 sets out specific legal bases for data processing. Examples include data processing in compliance with a legal obligation, data processing with the consent of the data subject (ie the person to whom the data relates, like a member of staff), or the employer having a legitimate interest in the processing.
Follows all relevant data protection obligations and procedures
Informing your staff members how you will be processing their personal data using an Employee Privacy Notice is just one part of meeting your data protection obligations as an employer and as a business. Not only do you need to make sure that you actually implement your Employee Privacy Notice and comply with the information set out in it, you also need to consider what further steps you need to take. This may involve adopting further policies or procedures (more on this below) and making sure they are implemented and followed, or changing internal processes within your business.
For more information, read Data protection, Data protection for businesses and Data protection and employees. If you need help with data protection compliance, seek GDPR compliance advice.
Determine which additional data protection documents you should adopt
Data protection compliance is a crucial aspect of running a business. To ensure that you comply with all relevant data protection laws, you should consider adopting various further documents to bolster data protection compliance. Examples include:
-
Data protection and data security policies - to notify staff and clients about how you process their personal data and otherwise comply with data protection obligations. Employee Privacy Notices act as simplified versions of data protection policies
-
Consultant privacy notices - these are similar to Employee Privacy Notices but apply consultants instead of employees and workers
-
Privacy policies - used to inform website users about the types of personal data website owners collect, the reasons for collection and how such data can be accessed
-
Data protection impact assessments (DPIAs) - DPIAs must be carried out whenever any personal data processing is likely to result in a high risk to individuals’ rights and freedoms
-
Data processing agreements (DPAs) - if data controllers (ie the parties who control how data is processed) transfer personal data to third parties (ie data processors) for them to process the data on behalf of the data controllers (eg cloud storage service providers)
Follow our How to make a business GDPR-compliant checklist to ensure your business meets its data protection obligations and read Data protection for businesses for more information.
Understand when to seek advice from a lawyer
Ask a lawyer for:
-
advice on the use of covert monitoring in the workplace
-
advice when the employer's use of staff data may infringe on staff members’ rights to privacy or relates to information about what staff members do outside work
-
help changing an existing Employee Privacy Notice
-
assistance if this document doesn’t meet your needs
-
Employee Privacy Notice FAQs
-
What is included in an Employee Privacy Notice?
This Employee Privacy Notice template covers:
-
employer details
-
the types of staff personal data collected by the employer
-
the purposes for processing the personal data
-
the uses the employer makes of staff personal data
-
who has access to staff personal data
-
transfers of data outside of the UK or European Economic Area (EEA)
-
measures to protect the security of personal data
-
staff members’ rights relating to their personal data
-
-
Why do I need an Employee Privacy Notice?
The UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) require employers to be transparent and open about the information they collect from staff. Employers should tell staff the types of data they might collect about them and what they do with it. An Employee Privacy Notice can be used to do this. For more information, read Data protection and employees.
-
How do I implement an Employee Privacy Notice?
Creating an Employee Privacy Notice and making sure it is readily available for staff will enable the Notice to be incorporated into your business. It should be readily available to staff to provide them with an overview of the personal data collected, used, retained and disclosed by their employer.
You can also include it in your Employee handbook for staff to read.
It is also crucial that your staff members know to whom to address any questions or concerns about personal data processing. This person (eg a data protection officer (DPO)) should be clearly identified in your Employee Privacy Notice.
-
How long can staff personal data be stored?
The GDPR and DPA don’t set out minimum or maximum time limits for keeping staff data; however, employers should not keep personal data for longer than necessary. Staff personal data can generally be stored for the duration of employment. After employment ends, staff personal data should be retained for no longer than necessary, based on the individual circumstances of the situation.
Data retention periods should be set out by the employer in internal policies (eg a data retention policy). Ask a lawyer if you do not have such a policy in place.
For more information, read Data protection principles.
-
Can data be transferred outside of the UK or European Economic Area (EEA)?
The transfer of personal data to recipients outside of the UK (ie recipients in 'third countries') is prohibited under the law on data protection unless certain safeguards are in place. An international transfer of personal data may, for example, be permitted:
-
if the third country the recipient is in has an adequate level of data protection, as determined by the Information Commissioner's Office (ICO). This includes the EEA
-
on the basis of standard data protection clauses approved by the UK
For more information, read International transfers of personal data.
-
-
What rights do staff members have in relation to their personal data?
Staff members have certain rights relating to personal data held about them, including:
-
the right to access their data and be informed about how their data is being processed
-
the right to have their data rectified if it's inaccurate or incomplete
-
the right to object to the processing
-
the right to have their data erased in certain circumstances
For more information, read Data protection requests and Data protection and privacy.
-
Our quality guarantee
We guarantee our service is safe and secure, and that properly signed Rocket Lawyer documents are legally enforceable under UK laws.
Need help? No problem!
Ask a question for free or get affordable legal advice from our lawyer.