The short answer to this question is if you are a UK-based business and have employees or workers within your organisation then yes, you need an employee/ worker privacy notice (or a policy which covers how you handle employee data). Lets work through what's needed.
What is an employee privacy notice?
Essentially, an employee privacy notice is a document which outlines how you will handle or 'process' employee data or 'personal data'. The policy should outline what constitutes employee data and how you will go about using it as an employer.
Why do I need one?
The General Data Protection Regulations (GDPR) make it mandatory for employers, and businesses in general, to provide certain information about how they process data to their staff. It's also really important that your process HR data in a fair and transparent way. So to make sure you're doing the right thing to comply with GDPR, it's really important you have a privacy notice.
What happens if I don't have a privacy notice?
If the Information Commissioner's Office (ICO) decide to do a spot check on your business, not having privacy statements won't go in your favour. You could potentially be subject to a fine for not complying with GDPR.
What does the term 'processing' mean when we're talking about GDPR?
Processing is a bit of a catch-all term which covers storing, collecting, gathering, updating, checking and deleting personal data. When it comes to HR data, as an employer you'll process lots of data when you do things like capture a job applicants details, create an employee file, hold an employees data and generally use the data you hold on an employees file in any way.
What should it include?
The identity and contact details of the employer;
A description of the personal data that is collected and what personal data is;
The purposes for processing the data;
The legal basis on which the processing will take place;
Who the personal data is shared with;
Whether personal data is transferred outside of the EEA and if so, details of the safeguards that are in place to protect the security of the data;
How long the personal data will be kept for; and
Details about the rights that employees have in relation to that personal data
Does a privacy notice have to be set out a certain way?
Nope, but it's important that you ensure it's clear and easy to understand. You need to ensure that you are transparent and open about the way you use data so try not to use any confusing language within your privacy statement. It's also important that the notice is 'meaningful' so it makes sense for your business and the way you work.
When should it be issued?
Privacy notices should be issued at the point that data is collected. So in most cases the first time you collect data on an employee will be when they apply for a new job with you. We'd recommend that you have a job applicant privacy notice available via your website if you're taking online applications. We'd also suggest that you issue privacy notices every time you take on a new employee, you can provide them with the document alongside their terms and conditions/ contract of employment. It's also important that you make sure notices are issued to your existing staff if they haven't had them already.
Can't I cover this within a contract of employment?
A privacy notice should be issued at the point that you start processing data. In most cases you'll have started processing someone's data when they apply for a job with you so a notice should be available at this point. You can then issue another notice when you take the person on board, because once they join your company you'll be using their data differently, and normally you can send this alongside their contract of employment. It makes sense to have a separate document on privacy, just because it's not something that is part of the contract of employment but is related to your GDPR obligations as an organisation.
Can employees get access to the personal data that I hold on them?
The short answer again is yes, they can put in what's called a 'data subject access request' where they outline what data you hold on them that they would like to see and you'll be obliged to provide this to them within a reasonable timescale.
What resources can I use to create a privacy notice?
If you're a member of the FSB they make template privacy notices available to all their members. The templates are written by employment lawyers and require minimal editing to make sure you've got what you need. Just make sure that you remember it's important that the notice is meaningful for you and how you do business so if you're using the FSB template make sure it's fit for purpose in terms of how you do business.
The ICO also provides a template that businesses can use to create a privacy notice, you can access the template and more information about privacy notices in general here https://ico.org.uk/for-organisations/sme-web-hub/make-your-own-privacy-notice/
I want some HR Help from Tap HR
We can provide you with guidance on employee privacy notices, employee contracts and all the relevant HR policies and procedures you need within your business, get in contact for more details!
✅ Free consultations- if you'd like a free consultation with one of our consultants you can sign up here; https://www.taphr.co.uk/book-online-hr-services
✅ Our Services- you can see all our services here, but we also provide bespoke custom-built offerings for our customers; https://www.taphr.co.uk/
✅Our Packages- we offer packages for business which you can see here; https://www.taphr.co.uk/hr-packages
✅ Our Pricing- We're transparent with our charges because, well as a customer we think it's important you have an understanding of costs, you can see our charge rates here; https://www.taphr.co.uk/book-online-hr-services
How do I get in contact?
Feel free to email us at hithere@taphr.co.uk or book a free consultation here; https://www.taphr.co.uk/book-online-hr-services
Follow us on our social media platforms!
Disclaimer
All information within this post is provided for guidance only, always seek your own legal advice
The information with this post was correct at the time of publishing, December 2022 but may be subject to change
Comments