All templates
Data & PrivacyPolicyRequired · UK

Privacy Notice for Employees template

A privacy notice for employees — sometimes called a staff or workforce privacy notice — tells the people who work for you what personal data you hold about them, why you process it, who sees it, how long you keep it, and what rights they have. UK GDPR's transparency duty applies to your workforce just as it applies to your customers.

Free to use
UK-focused
Updated 11 July 2026

Staff data is some of the most sensitive information a small business holds: pay, bank details, health and absence records, disciplinary files. Plenty of employers have a polished customer privacy policy and nothing at all for the people whose data they hold most of.

This template gives you a complete notice covering the full employment lifecycle: recruitment records, pay and tax, absence and health, performance and monitoring, sharing with payroll and pension providers, retention, and staff rights.

The template

Full text, ready to adapt.

Highlighted fields are placeholders — replace them with your organisation's specifics. A starting point, not legal advice.

Privacy Notice for Employees

Policy · Data & Privacy

1. Purpose and scope

This notice explains how {{org.name}} uses the personal data of the people who work for us — employees, workers, contractors, and volunteers — and of job applicants. It is for information: it is not part of your contract of employment and does not need your agreement to apply.

2. Who we are

{{org.name}} is the data controller for the information described here. Questions about this notice or your data go to [name/role, e.g. data protection lead or office manager] at [email address].

3. The information we hold about you

  • Recruitment records: your application, CV, interview notes, references, and right-to-work documents.
  • Contract and identity details: name, address, contact details, date of birth, National Insurance number, and emergency contact.
  • Pay and benefits: salary, bank details, tax codes, pension enrolment, and [benefits scheme] records.
  • Working time and absence: rotas, timesheets, holiday, sickness absence, and fit notes.
  • Performance and conduct: reviews, training records, and any disciplinary or grievance files.
  • Health information where needed for workplace adjustments, statutory pay, or health and safety. [Describe occupational health arrangements if used.]
  • Monitoring data: CCTV at [locations] and system access logs on [systems]. [Delete or describe what you actually monitor.]

4. Why we use it

  • To run your employment — pay, leave, pension, performance — because it is necessary for your contract with us.
  • To meet legal obligations: tax and National Insurance reporting, right-to-work checks, statutory leave and pay, and health and safety duties.
  • To run and protect the business — training records, security, workforce planning — under our legitimate interests, balanced against your rights.
  • With your consent in the few cases where a genuine free choice exists, such as using your photo in marketing. You can say no without consequence.
  • Special category data, such as health information, is used only with an additional safeguard in place and access restricted to [roles].

5. Who we share it with

  • Our payroll provider [name], pension provider [name], and [benefits/insurance providers].
  • HMRC and other authorities where the law requires.
  • Our [IT systems/HR software] providers, who process data on our instructions under contract.
  • Professional advisers — accountants, solicitors, insurers — where needed.
  • Future employers seeking references, in line with [our reference approach].
  • We never sell staff data.

6. How long we keep it

We keep staff records during employment and for [period] after you leave, and unsuccessful applicant records for [period] after the decision, in line with our data retention policy. Some records, such as payroll and tax, are kept for periods set by legislation — the retention schedule lists each period and its source.

7. Your rights

  • Ask for a copy of the data we hold about you — a subject access request, answered within one calendar month.
  • Have inaccurate records corrected.
  • Ask for deletion, restriction, or object to particular uses in certain circumstances.
  • Withdraw consent at any time where consent is the basis we rely on.
  • Raise concerns with [name/role] first; you also have the right to complain to the Information Commissioner's Office (ICO).

8. Changes and review

We will update this notice when what we collect, the systems we use, or our providers change, and tell you about material changes. This notice is reviewed [frequency, e.g. annually]. Owner: [name/role]. Last updated: [date].

Make it yours

How to adapt this template.

1

List what you actually hold before editing — open the HR folder, the payroll system, and the filing cabinet, and describe those.

2

Delete monitoring lines that do not apply and describe precisely any that do; vague monitoring statements cause more grievances than honest specific ones.

3

Name your real payroll, pension, and software providers in the sharing section.

4

Align the retention section with your data retention schedule rather than inventing periods here.

5

Give the notice to candidates at application stage and to new starters on or before day one, alongside the written statement of particulars.

6

Keep a record of when each staff member received it.

A document is not a system

Turn this template into trained, proven behaviour

A policy in a drawer proves nothing. In TrainedTeam this template becomes assigned training with knowledge checks, e-signature acknowledgments, version history, and an audit-ready record of who completed what, when.

Privacy Notice for Employees template FAQs

Is an employee privacy notice a legal requirement in the UK?

In effect, yes. UK GDPR's transparency duty requires you to tell people how you use their data, and it applies to your workforce as much as to customers. A written notice given to staff and applicants is the standard way to meet it.

Do employees have to sign or consent to the privacy notice?

No — it is information, not a consent form, and it applies whether or not anyone signs it. Getting staff to acknowledge receipt is still good practice as evidence you provided it. Consent is rarely the right lawful basis in employment anyway, because it is hard for it to be freely given.

When should we give the notice to staff?

Give applicants privacy information when they apply, and give the full notice to new starters on or before day one — conveniently alongside the written statement of employment particulars, which is itself due on or before day one. Reissue it when it materially changes.

Can employees make subject access requests?

Yes — current and former staff have exactly the same right of access as customers, and workplace SARs are common, especially around disputes. The one-calendar-month deadline applies, and the response can include emails and notes that mention the person, not just their HR file.

How should we handle health information about staff?

Health data is special category data: collect only what the purpose needs — an adjustment, statutory pay, a safety duty — hold it with an additional safeguard in place, and restrict access to the few roles that genuinely need it. A fit note does not need to be visible to the whole management team.