In Short
- Employers must tell staff who they share personal data with and why, usually via a privacy notice.
- Contracts with data processors must meet strict UK GDPR requirements to reduce legal and reputational risk.
- Extra safeguards apply when transferring staff data overseas and staff must be told about these too.
Tips for Businesses
Make sure your privacy notice is up to date and names all relevant third parties (or at least the categories of recipient). Have contracts in place with service providers that clearly set out each party’s data protection responsibilities. If you are unsure whether a recipient is a processor or a controller in its own right (including a joint controller with you), get legal advice before sharing any staff data, because the agreement you need is different in each case.
You will likely handle many staff members’ personal data as an employer. This may include contact details, payroll information, or records of absences due to sickness. You may need to share certain personal information with various external third parties who act as data processors, such as payroll providers or IT service firms that support your staff. If those service providers process data on your behalf (i.e. follow your instructions only), they will be processors, and you must follow strict rules under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA 2018). These rules apply to all employers, regardless of size.
This article explores why data protection compliance matters for employers, why staff must understand who you share their data with, and why contracts with processors are critical to protect your business from risk. While these are some key considerations, various other data protection issues also apply when sharing staff data, and you should seek legal advice if you need help understanding your full responsibilities.
Why is Data Protection Important for Your Business as an Employer?
As an employer, you are likely to collect and use personal data about staff for many purposes. These include recruitment, managing performance, and running payroll. When your business processes staff data, you must comply with strict UK GDPR and DPA 2018 requirements.
If you break these rules, the Information Commissioner’s Office (ICO) can fine you and take various other enforcement actions, and staff may bring legal claims. You could also lose your staff’s trust and damage your business reputation. To stay compliant and avoid risk, you should implement strong policies and transparent processes to protect personal data.
Data protection law requires essential steps when sharing data with a third party. These include informing staff about the sharing and ensuring that the third-party processors handle staff data safely and in accordance with your instructions.
Do You Need to Tell Staff About Data Sharing With Third Parties?
You must tell staff how you collect and share their personal data, including what data you share, who receives it, and why. Most employers meet this obligation by giving staff a privacy notice. This notice should explain various issues, such as what data you collect from staff, why you need it, who you share it with, how long you keep it, and how staff can exercise their data protection law rights.
Your privacy notice should explain that service providers must keep staff data secure, act only on your instructions and not use the data for their own purposes.
If you send staff data overseas, for example, to IT suppliers abroad, you must explain this too and confirm the basis and safeguards for sharing data outside of the UK. You should also make it easy for staff to seek more information, for example, by contacting HR or your data protection officer.
Do You Need a Contract With Third-Party Processors?
If a third party processes personal data on your behalf, you must enter into a written contract that complies with Article 28 of the UK GDPR. Article 28(3) prescribes the minimum content: the contract must set out the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of individuals involved, and your obligations and rights as the controller. It must also require the processor to act only on your documented instructions, keep the data confidential, implement appropriate security measures, engage sub-processors only with your authorisation and on equivalent terms, help you respond to staff rights requests and meet your security and breach-notification duties, delete or return the data at the end of the contract, and give you the information you need to demonstrate compliance, including allowing audits. These duties apply to all businesses, including small employers. A contract that omits any of the required terms puts you in breach of the UK GDPR, even if the processor in fact handles the data well.
If, instead, you share data with an organisation that itself decides how and why to use it, rather than acting only on your instructions, that organisation is a controller in its own right, and where you decide the purposes together it is a joint controller with you. Joint controllers must put in place a transparent arrangement, under Article 26 of the UK GDPR, that sets out each party’s responsibilities, in particular for informing staff and handling their rights requests. Sharing between independent controllers should also be documented, usually in a data-sharing agreement, which requires different considerations from a data-processing agreement.
You should seek legal advice if you are unsure whether a third party is a controller or processor and which agreement you need when sharing staff data.
What if You Transfer Staff Data Overseas?
Your business may need to send staff data abroad, for example, to suppliers based in other countries. Note that a transfer includes giving an overseas provider remote access to data that stays on UK systems, not only physically sending it. If you transfer data outside the UK, you must comply with the UK GDPR rules on international data transfers (Chapter V).
In short, the recipient country must be covered by UK adequacy regulations or you must put appropriate safeguards in place, most commonly the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU standard contractual clauses, supported by a transfer risk assessment. You must also tell staff about the transfer and the measures you use to protect their data.
Key Takeaways
You must comply with data protection laws when sharing staff data with third parties. For transparency, you must inform the staff clearly about data sharing. You must also have a contract with data processors that meets Article 28 of the UK GDPR rules. While these are some of the key rules to consider when sharing staff data, various additional rules apply, and you should get legal advice from a data protection solicitor if you are unsure.
If you need help reviewing your UK GDPR compliance as an employer, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Do I need a contract with a third party that processes staff data for me?
Yes. If the third party processes staff data on your behalf, you must have a written contract that meets Article 28 of the UK GDPR, which sets out the mandatory terms, including security and confidentiality obligations.
Does data protection law apply to all staff data, or only to employees?
Employers must follow the UK GDPR and DPA 2018 whenever they collect, store or use personal data about staff. This applies to all staff, including workers and contractors, not just employees.