What is a Staff Privacy Notice?

When you employ or engage any staff at your business and act as a data controller, you will need to tell staff how you use their personal data very clearly. This is a mandatory legal requirement under the UK General Data Protection Regulation (‘UK GDPR’) and Data Protection Act 2018. The most common way to address this requirement is to issue staff with a ‘Staff Privacy Notice’. In this article, we will explain what a Staff Privacy Notice is and some of the critical information it should cover.

How Should Businesses Process a Staff Member’s Personal Data?

Whenever you are processing personal data about staff, you will need to be fully transparent about it. This means informing them about precisely how you will use their personal data. 

Transparency is one of the fundamental principles under the UK GDPR. This applies whether or not there is an employment relationship with the staff.

The most common and best way to provide this information is by giving all staff a ‘Staff Privacy Notice’ telling them how you will use their personal data.

You should note that this is not just a requirement for employers who hire employees. This applies to each member of staff who works for you in any capacity. For example, you should issue a Staff Privacy Notice to:

  • employees;
  • freelancers and contractors;
  • volunteers and interns; and
  • any other type of workers. 

This is because, for each of these members of staff, your organisation will collect and use certain types of personal data about them. For example, their:

  • name; 
  • date of birth; 
  • contact details; 
  • passport details;
  • national insurance numbers; 
  • information from DBS checks; 
  • bank details; and 
  • certain medical information. 

Because of the sensitivity of this information, it is vital that staff understand how your organisation is using it.

What Should a Staff Privacy Notice Include? 

In simple terms, a Staff Privacy Notice tells individuals how and why their personal data is used. However, data protection laws are stringent, and there is a whole range of information that needs to be covered in the notice. 

The information you provide must be tailored to each business, depending on how personal data is used. Staff Privacy Notices should be bespoke, and it is highly risky to simply use a template document bought ‘off the shelf’.

A Staff Privacy Notice should cover several data protection law compliance points. Here are some of the key points the document should include:

1. What Personal Data You Collect

You should outline all types of personal data the business collects. This might include:

  • contact details; 
  • bank account details; 
  • next of kin information; 
  • copies of identification documents; and 
  • CV data. 

However, the list will also need to include other information that some businesses may miss. For example, this might include:

  • information about CCTV data collected from staff; or 
  • photographs and performance and disciplinary information. 

2. Information About How And Why Personal Data Is Used

Organisations need a valid legal reason to process staff personal data. Under UK data protection law, there are different legal bases for processing personal data. For example, an employer will need to pay staff and may justify using staff bank details in this way because they need to comply with their legal obligations.

You must provide a legal justification for each type of personal data your business uses. This can often be quite complicated, and you should seek legal advice on this if you are unsure. 

Your Staff Privacy Notice should clearly set out which lawful basis you rely upon to process each type of staff personal data you hold.

3. Specify Whether You Will Share Staff Information With Third Parties

Staff must understand what happens with their personal data. In particular, they need to know who else will have access to their data.

The Staff Privacy Notice should clearly explain:

  • why the organisation shares personal data;
  • which third parties will have access to staff personal data, such as group companies or third-party service providers; and 
  • whether personal data of staff will be sent or accessed outside of the United Kingdom.

In addition to the key points above, the Staff Privacy Notice should cover various other details. For example, it should include information about:

  • staff rights under the UK GDPR, such as the right to make a subject access request;
  • how long staff data is kept and when it is deleted;
  • data security to safeguard staff personal data;
  • criminal convictions and ‘special category’ or sensitive data;
  • how staff personal data is collected;
  • whether the organisation carries out any automated decision-making in connection with staff; and
  • who staff can contact about any questions, such as the Data Protection Officer or Data Privacy Manager.

Key Takeaways

A Staff Privacy Notice is a vital document for UK GDPR compliance. The notice must be carefully drafted and tailored to your organisation. Staff Privacy Notices need to be very comprehensive. However, the document is essential for compliance. Further, issuing a well-drafted Staff Privacy Notice will give your staff comfort that you will safeguard their personal data and respect their data protection law rights. 

If you need clarification on a Staff Privacy Notice or how to prepare one, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Sej Lamba