When you employ or engage any staff at your business and act as a data controller, you will need to tell staff how you use their personal data very clearly. This is a mandatory legal requirement under the UK General Data Protection Regulation (‘UK GDPR’) and Data Protection Act 2018. The most common way to address this requirement is to issue staff with a ‘Staff Privacy Notice’. In this article, we will explain what a Staff Privacy Notice is and some of the critical information it should cover.
How Should Businesses Process a Staff Member’s Personal Data?
Whenever you are processing personal data about staff, you will need to be fully transparent about it. This means informing them about precisely how you will use their personal data.
Transparency is one of the fundamental principles under the UK GDPR. This applies whether or not there is an employment relationship with the staff.
The most common and best way to provide this information is by giving all staff a ‘Staff Privacy Notice’ telling them how you will use their personal data.
You should note that this is not just a requirement for employers who hire employees. This applies to each member of staff who works for you in any capacity. For example, you should issue a Staff Privacy Notice to:
- employees;
- freelancers and contractors;
- volunteers and interns; and
- any other type of workers.
This is because, for each of these members of staff, your organisation will collect and use certain types of personal data about them. For example, their:
- name;
- date of birth;
- contact details;
- passport details;
- national insurance numbers;
- information from DBS checks;
- bank details; and
- certain medical information.
Because of the sensitivity of these types of information, it is vital staff understand how your organisation is using it.
What Should a Staff Privacy Notice Include?
In simple terms, a Staff Privacy Notice tells individuals how and why their personal data is used. However, data protection laws are stringent, and there is a whole range of information that needs to be covered in the notice.
The information you must provide will differ from business to business, depending on how personal data is used. Staff Privacy Notices should be bespoke, and it is highly risky to simply use a template document bought ‘off the shelf’.
A Staff Privacy Notice should cover several data protection law compliance points. Here are some of the key points the document should include:
1. What Personal Data You Collect
You should outline all types of personal data the business collects. This might include:
- contact details;
- bank account details;
- next of kin information;
- copies of identification documents; and
- CV data.
However, the list will also need to include other information that some businesses may miss. For example, this might include:
- information about CCTV data collected from staff; or
- photographs, and performance and disciplinary records.
2. Information About How And Why Personal Data Is Used
Organisations need a valid legal reason to process staff personal data. Under UK data protection law, there are different legal bases for processing personal data. For example, an employer will need to pay staff and may justify using staff bank details in this way because they need to comply with their legal obligations.
You must provide a legal justification for each type of personal data your business uses. This can often be quite complicated, and you should seek legal advice on this if you are unsure.
3. Specify Whether You Will Share Staff Information With Third Parties
Staff must understand what happens with their personal data. In particular, they need to know who else will have access to their data.
The Staff Privacy Notice should clearly explain:
- why the organisation shares personal data;
- which third parties will have access to staff personal data, such as group companies or third-party service providers; and
- whether personal data of staff will be sent or accessed outside of the United Kingdom.
In addition to the key points above, the Staff Privacy Notice should cover various other details. For example, it should include information about:
- staff rights under the UK GDPR, such as the right to make a subject access request;
- how long staff data is kept and when it is deleted;
- the data security measures that safeguard staff personal data;
- criminal convictions and ‘special category’ or sensitive data;
- how staff personal data is collected;
- whether the organisation carries out any automated decision-making in connection with staff; and
- who staff can contact about any questions, such as the Data Protection Officer or Data Privacy Manager.
Key Takeaways
A Staff Privacy Notice is a vital document for UK GDPR compliance. The notice must be carefully drafted and tailored to your organisation. Although a Staff Privacy Notice needs to be very comprehensive, the document is essential for compliance. Further, issuing a well-drafted Staff Privacy Notice will give your staff comfort that you will safeguard their personal data and respect their data protection law rights.
If you need clarification on a Staff Privacy Notice or how to prepare one, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.