Privacy Notice for Employees, Workers and Consultants

What is a Privacy Notice?

A privacy notice explains how your company collects, uses, stores, transfers, and secures personal data. It is an internal policy document directed at employees, workers and consultants employed or engaged by your company. It is typically referred to in the agreement engaging the employee, worker or consultant and provided via a link to the company’s website or intranet.

When should you use a Privacy notice?

Adopting a privacy notice is an important part of complying with the requirements of the UK General Data Protection Regulation (UK GDPR). The notice should outline what personal information you store (for example, name and other contact information), how you store it (duration and location), how you obtained it, and whether it is sent to any third parties or countries. It also needs to contain information about the individual’s rights, such as the right to data erasure and the right to access any data your company holds about them. 

As well as helping to ensure your company is legally compliant, a well-drafted privacy notice also:

1. puts your staff at ease by helping them understand how you use their data and who you will share it with (such as a third party HR provider); and

2. sets standards for how your company makes decisions about/processes data.

Why is a Privacy Notice important and why should you use it?

In the UK, companies must process personal data in compliance with privacy laws, including the UK GDPR. Almost all companies will process personal data as they will collect details such as names, addresses, national insurance numbers and contact details of employees, workers and contractors. 

There are large potential fines for failing to comply with the UK GDPR - the most serious violations can results in fines of up to 4% of global turnover of the preceding financial year or £17.5 million (whichever is greater) and other violations can result in fines of up to 2% of annual worldwide turnover of the preceding financial year or £8.75 million (whichever is greater). 

What are the common pitfalls of a Privacy Notice?

The notice should be drafted in plain English. Avoid legal jargon altogether and write text which is concise, accessible, and transparent. Companies and their employees mutually benefit from being on the same page in relation to data processing, as this means dealing with fewer questions about how rights can be exercised by individuals in relation to their data. The notice also serves as guidance for practical steps taken in relation to how your company handles data. For example, the notice can guide how data access requests ought to be handled. You should clearly disclose your company-specific data collection, storage and processing practices. 

You may only process data where it is necessary for a specific purpose. This requirement does not mean you must have a remarkable or otherwise out of the ordinary purpose for data, but any data processing purpose should be clearly defined and explained to the individuals concerned. This is linked to your legal obligations in clearly defining your so-called ‘legal basis’ for processing under the GDPR framework. A privacy notice clearly fulfils this purpose by publicising your legal basis for example, consent, performance of a contract, a legal requirement, etc.