
Employee Privacy Policy

Last revision 18/09/2023
Formats Word and PDF
Size 6 to 9 pages
Rating 4.5 - 23 votes


How does it work?

1. Choose this template

Start by clicking on "Fill out the template"


2. Complete the document

Answer a few questions and your document is created automatically.


3. Save - Print

Your document is ready! You will receive it in Word and PDF formats. You will be able to modify it.


Optional legal consultation

You can choose to get help from a lawyer after filling out the document.


Employee Privacy Policy

This document can be used by an employer in the United Kingdom to create a privacy statement (also known as a privacy notice) in order to notify its workforce of its data processing procedures.

Grounds for processing data

Employers must ensure that data of their employees is processed lawfully on the basis of one or a combination of the following grounds:

  • it is necessary for entering into or performing a contract with the employee;
  • it is necessary to enable the employer to comply with a legal obligation;
  • it is necessary to protect the vital interests of the employee or another person (i.e. to preserve life);
  • it is necessary for the protection of public interest or an official authority of the employee; or
  • it is necessary for the purposes of legitimate interests of the employer or a third party (unless these are overridden by the interests or rights of the employee).

(Article 6 UK GDPR)

Historically, many employers have relied upon an employee's consent for the processing of their personal data by the employer. However, there have been difficulties in the reliance upon consent given the nature of the relationship between the employer and the employee. Reliance upon consent as a lawful basis for processing employees' data is therefore no longer advisable.

Sensitive data

Sometimes, an employer may need to process "sensitive data" (also known as "special category data"). Sensitive data is personal information which relates to:

  • an individual's genetic data
  • an individual's biometric data
  • an individual's ethnic origin
  • an individual's political opinions
  • an individual's religious or philosophical beliefs
  • information regarding an individual's connection to a trade union
  • information regarding an individual's physical or mental health or condition
  • information regarding an individual's sexual life.

Employers must have a further, more specific, lawful basis for processing any sensitive data (in addition to those set out above), which will be included within this document where required.

Criminal data

Employers may also sometimes need to process data relating to any criminal offences of their employees (for example, to meet regulatory requirements). Criminal offence data falls into its own category and must also be justified under specific grounds. Typically, an employee will rely upon this being justified in order to:

  • prevent or detect unlawful acts
  • protect the public against dishonesty
  • meet regulatory requirements specific to employees' roles

Other restrictions and requirements

There are additional restrictions and requirements which may apply to employers in other circumstances, for example where employees' personal information is transferred outside of the United Kingdom, or where decisions are made using an employee's personal information via an automated process. These can be addressed and detailed within this document.

Importance of the privacy statement

Of key importance to an employer's obligation under UK GDPR is the duty of 'transparency' in relation to the employee (Article 5 (1) (a) UK GDPR).

Encapsulated within this duty is the duty of the employer to properly communicate information to employees regarding the use and processing of their data. Specifically, this must be communicated in a concise, transparent, intelligible and easily accessible form. The information should ordinarily be in writing, or in an electronic written format.

The best way for an employer to ensure that these obligations are met is to issue a privacy statement to employees. This can be achieved through use of this document.

How to Use this Document

This document should be completed by inserting the relevant information and answering all questions carefully. The employer should then ensure employees are provided with a copy of the document. Many employers will do this in conjunction with the signing of the employment contract.

The policy must also be published or kept in a location where it can be accessed easily, and the employees must be made aware of this location.

It is not essential, but is best practice, to ensure that the employer signs the notice and that all employees also sign the same.

The employer's privacy notice should be as clear and concise as possible (Article 12 UK GDPR), setting out the required information regarding the processing of employees' personal data together with the purpose and legal basis for this. In order to keep the document clear and to cover only the relevant information, the employer will usually refer to its additional comprehensive policies within the document, such as:

  • its general data protection policy (which may set out, for example: comprehensive guidance for employees when handling personal data during their employment including the employee's duties to report etc.); and/or
  • its social media policy; and/or
  • its internet use policy; and/or
  • its monitoring policy; and/or
  • its criminal data policy or sensitive information processing policy. Where criminal data or sensitive data is being processed, it is usually obligatory to have a separate policy document.

Any applicable law

As of 1 January 2021, the law relating to data protection in the UK is governed by:

Help from a lawyer

You can choose to consult a lawyer if you need help.

The lawyer can answer your questions or help you through the process. You will be offered this option when you complete the document.

How to modify the template

You fill out a form. The document is created before your eyes as you respond to the questions.

At the end, you receive it in Word and PDF formats. You can modify it and reuse it.
