Practice Note: Staff Privacy Notices


Introduction

1.1 Individuals have the right to be informed about the collection and use of their personal data. This requirement is set out in the data processing principles found within Article 5 of the UK General Data Protection Regulation (UK GDPR), specifically Principle 1, which requires processing to be lawful, fair and transparent. Articles 13 & 14 require data controllers to provide individuals with the information attached at Annex A.

1.2 The information provided to individuals is otherwise referred to as ‘privacy information’. It includes the purpose for which the personal data is being processed, the lawful basis for the processing, details of the retention periods ascribed to the personal data and details of any data sharing, i.e. with a third party.

1.3 ‘Privacy information’ is often presented in the form of a ‘Privacy Notice’ (also known as a ‘Privacy Policy’, ‘Privacy Statement’, or ‘Fair Processing Notice’). Privacy Notices meet the transparency requirements of Principle 1 insofar as they let people know in advance what a data controller intends to do with their personal data. They also help to build trust, inspire confidence and avoid confusion.

Staff Privacy Notices

2.1 Specific processing activities should be covered by a separate, bespoke Privacy Notice. For instance, staff (i.e. employees, agency staff, volunteers, contractors, secondees, trustees and non-executive directors etc.) must be provided with privacy information at the time their personal data is first collected or within one month, if the employer obtains their personal data from another source (i.e. not directly from the member of staff).

2.2 Staff Privacy Notices should identify the employer as being the data controller for all information being processed that relates to staff unless specifically stated otherwise. The information an employer processes about individual members of staff will vary depending on a person’s role, responsibilities and personal circumstances.

2.3 Staff Privacy Notices should be read in conjunction with other internal privacy notices (as applicable) and relevant corporate policies and procedures. Where appropriate, employers should provide further ‘just in time’ privacy notices to cover any additional processing activities not already mentioned in the Staff

Purpose

3.1 ‘Staff privacy’ is a critical consideration in a world where information is being constantly shared, and technology permeates every aspect of modern working life. Employers need to establish trust and confidence by being transparent about workplace practices so as to foster a more positive working environment.

3.2 In the modern era, employers routinely handle significant amounts of personal data, special category personal data and criminal offence information. Accordingly, employers are obliged under the UK GDPR to share privacy information with their staff.

3.3 Since the introduction of the EU GDPR in 2018, it has become custom and practice for privacy information to be presented to staff in a clearly written, intelligible and bespoke Staff Privacy Notice that outlines how an organisation collects, processes, and safeguards the personal data of its staff.

3.4 Employers need to be totally transparent about their data processing activities and embrace the fact that their Staff Privacy Notice is likely to be closely examined and scrutinised by staff members who are becoming increasingly aware of their data subject rights under the UK GDPR.

Legal compliance and ethical responsibility

4.1 Staff Privacy Notices need to be simple to read and easy for people to access. The content is drawn from Articles 13 & 14 (see Annex A). The level of privacy information shared with staff and how the information is made available is a matter for individual employers; however, using a Staff Privacy Notice is the recommended medium.

4.2 Staff Privacy Notices ensure employers comply with relevant data protection legislation i.e. the UK GDPR, and provide relevant information about the collection, use and sharing of staff data, thereby demonstrating an ethical commitment on the part of the employer to respect an individual’s privacy rights. Additionally, Staff Privacy Notices help to minimise legal risks and build a culture of trust between employers and employees.

Building trust and transparency

5.1 Investing time and effort into providing staff with privacy information, i.e. in the form of a clear and accessible Staff Privacy Notice, is not just a legal obligation; it’s a strategic move towards fostering a culture of trust and respect within the organisation.

5.2 Transparency is the cornerstone of any healthy employer-employee relationship and Staff Privacy Notices are one way in which an employer can communicate to staff how their personal information will be handled, stored, and used by the organisation.

5.3 Being transparent fosters a sense of trust and reassures staff that their privacy is a priority and respected by their employer. The employer-employee bond is strengthened when staff feel confident that their personal information is being handled responsibly.

5.4 Unique organisational facets should be considered when drafting a Staff Privacy Notice to ensure a more tailored and effective approach.

Clarifying data usage

6.1 Staff Privacy Notices provide staff with a clear indication of how personal data is handled by their employer by defining information such as the purpose of the data processing, the categories of data collected and details of with whom the data may be shared. Providing this level of clarity helps staff make informed decisions about the information they share with their employer and allows them to have a better understanding of what is happening to their personal data once it’s provided to their employer.

Enhancing cybersecurity awareness

7.1 Staff Privacy Notices are not solely about the protection of personal information or achieving compliance with relevant data protection legislation. They also play a role in enhancing cybersecurity awareness insofar as the inclusion of the relevant data security measures put in place by the employer educates staff about the importance of maintaining security practices. Sharing such information reduces the risk of personal data breaches and strengthens the overall cybersecurity posture of the organisation.

Remote and hybrid working

8.1 With the rise of remote and hybrid working practices, the need for Staff Privacy Notices has become even more pronounced. Remote working often involves the use of personal devices and non-corporate communication channels (NCCC), e.g. WhatsApp.

8.2 Clear, well-written privacy notices help staff understand how their personal information is handled in diverse work settings and provide assurance that privacy remains a priority regardless of the physical and geographical location of staff members.

Creating a Staff Privacy Notice

9.1 A well-thought-out, well-structured Staff Privacy Notice ensures transparency, builds trust, and supports legal compliance within an organisation, whereas a poorly thought-out Staff Privacy Notice can erode trust and negatively impact the employer-employee relationship, resulting in potential legal challenges and costly litigation.

9.2 Attached at Annex B are examples of two Staff Privacy Notices that offer insights into the data processing activities of two public bodies, namely the ICO and ITV.

9.3 Tips on how to draft a Staff Privacy Notice are attached at Annex A. Alternatively, employers can use the ICO’s ‘Privacy notice generator – for staff or volunteers’.

Summary

10.1 Transparency is a key consideration for all employers that collect and use personal data. Staff Privacy Notices meet the legal requirement placed on data controllers to inform staff about the processing of their personal information and facilitate their right to be informed. They are a component of an open, ethical and responsible workplace.
