Create a legally compliant Employee Privacy Notice for England and Wales that satisfies the mandatory transparency obligations under UK GDPR Articles 13 and 14 and the Data Protection Act 2018. This template covers all required disclosures: data controller identity, DPO contact details, categories of employee data collected, lawful basis for processing (including Article 6 and Article 9 conditions), special category data handling, data sharing with third parties, international transfer safeguards using the UK IDTA, retention periods aligned with HMRC and Employment Rights Act 1996 requirements, automated decision-making disclosure, full data subject rights, and the right to complain to the ICO. Compliant with the ICO Employment Practices Code. Download as PDF or Word.
What Is an Employee Privacy Notice — UK GDPR (England & Wales)?
An Employee Privacy Notice is a formal transparency document that employers in England and Wales are required to provide to their employees, workers, and job applicants under Articles 13 and 14 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Unlike a general website privacy policy, an Employee Privacy Notice is specifically tailored to the personal data processed in the context of the employment relationship — covering everything from payroll and National Insurance records to occupational health information, performance appraisals, disciplinary records, and CCTV footage captured on company premises.
The UK GDPR is the version of the EU General Data Protection Regulation that was retained in UK domestic law following the United Kingdom's exit from the European Union, by virtue of the European Union (Withdrawal) Act 2018 and subsequently amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. It applies to any organisation established in the UK that processes personal data, and — in the employment context — imposes specific obligations on employers as data controllers. The Data Protection Act 2018 supplements the UK GDPR with additional provisions specific to the United Kingdom, including the Schedule 1 conditions for processing special category data in the employment context.
Article 13 of the UK GDPR applies where personal data is collected directly from the data subject — in the employment context, this means data collected directly from the employee through an application form, onboarding documentation, or information the employee provides during employment. Article 14 applies where personal data is obtained from a third party, such as a previous employer providing a reference, a background screening company, or an occupational health provider. In both cases, the required information must be provided at the time of data collection (Article 13) or within a reasonable period not exceeding one month (Article 14).
The ICO's Employment Practices Code provides supplementary guidance for employers on how to handle personal data lawfully and fairly throughout the employment lifecycle, from recruitment and selection through to termination and beyond. While the Code does not have direct statutory force, it represents the ICO's authoritative view of best practice and is regularly referenced in enforcement decisions and Employment Tribunal proceedings. A well-drafted Employee Privacy Notice that reflects the requirements of the Code, Articles 13 and 14 of the UK GDPR, and the relevant provisions of the Data Protection Act 2018 provides employers with a strong foundation for demonstrating accountability under Article 5(2) of the UK GDPR.
When Do You Need an Employee Privacy Notice — UK GDPR (England & Wales)?
An Employee Privacy Notice is needed at the start of every employment relationship — it should be provided to each new employee on or before their first day of work, alongside their employment contract and other onboarding documentation. Under Article 13 of the UK GDPR, the required transparency information must be provided at the time personal data is collected; since employers collect significant quantities of personal data from the very beginning of the recruitment process, an Employee Privacy Notice should ideally be provided to job applicants at the point of application as well as to successful candidates on commencement of employment.
A new or updated Employee Privacy Notice is also required whenever there is a material change to the employer's data processing activities. Common triggers include the introduction of new monitoring technologies (such as a new CCTV system, a GPS vehicle tracking system, or monitoring software for remote workers), the engagement of new third-party service providers who will process employee data (such as a new payroll provider or HR platform), a change in the employer's retention periods, or a change in the lawful basis relied upon for processing. The ICO recommends that employers review their Employee Privacy Notice at least annually to ensure it remains accurate and up to date.
An updated Employee Privacy Notice should also be provided when employees return from prolonged absences — such as maternity leave, shared parental leave, long-term sick leave, or a career break — because processing activities and policies may have changed during the absence. Similarly, where an employer is acquired by or merges with another organisation, employees should receive a new or updated notice explaining any changes to the data controller and the processing activities.
In practice, many employers incorporate the Employee Privacy Notice into their new starter documentation pack, alongside the employment contract, the Employee Handbook, and any role-specific confidentiality obligations. Including an acknowledgment receipt — confirming that the employee has read and understood the Notice — provides evidence that the employer has fulfilled its Article 13 transparency obligations, which can be important in the context of ICO investigations, Employment Tribunal claims, or data subject access requests.
What to Include in Your Employee Privacy Notice — UK GDPR (England & Wales)
A legally compliant Employee Privacy Notice for England and Wales must contain all of the information specified in UK GDPR Articles 13(1), 13(2), 14(1), and 14(2), as supplemented by the ICO's Employment Practices Code and accompanying guidance.
Identity and Contact Details of the Data Controller — The notice must identify the employer by its full legal name, registered address, and Companies House registration number. Where the employer belongs to a group of companies and personal data is shared between group entities, each entity acting as a controller should ideally be identified, or the group structure should be described clearly.
Data Protection Officer Contact Details — Where the employer has appointed a DPO under Article 37 (mandatory for public authorities and organisations carrying out large-scale systematic monitoring of individuals or large-scale processing of special category data), the DPO's name and contact details must be provided. Even where a DPO is not mandatory, the ICO's Employment Practices Code recommends designating a named data protection contact.
Categories of Personal Data Collected — The notice must specify all categories of employee personal data processed, from basic contact and payroll data to health records, performance information, disciplinary records, CCTV footage, and IT usage logs. The ICO expects employers to be specific rather than generic in describing data categories.
Purposes of Processing — Each processing purpose must be clearly described. Common employment purposes include payroll administration, compliance with PAYE obligations, management of absence and sickness, performance management, health and safety management, IT system security monitoring, and business continuity planning.
Lawful Basis for Processing — The specific UK GDPR Article 6 lawful basis relied upon for each processing activity must be stated. In the employment context, the most common bases are contract (Article 6(1)(b)), legal obligation (Article 6(1)(c)), and legitimate interests (Article 6(1)(f)). Where legitimate interests are relied upon, the specific interests must be identified and a Legitimate Interests Assessment should have been conducted.
Special Category Data — Where the employer processes special category data (most commonly health data, trade union membership, or disability information), the notice must additionally identify the applicable condition under Article 9(2) of the UK GDPR and, where relevant, the applicable condition under Schedule 1 of the Data Protection Act 2018.
Data Sharing and Third-Party Recipients — The notice must identify the categories of third-party recipients of employee personal data, including payroll providers, pension trustees, occupational health providers, IT service providers, HMRC, and any group companies.
International Transfer Safeguards — Where employee data is transferred outside the UK, the applicable transfer mechanism must be stated (UK adequacy regulations, UK International Data Transfer Agreement, or binding corporate rules).
Retention Periods — The notice must state how long different categories of employee data are retained, or the criteria used to determine retention periods. Retention schedules should reflect applicable legal obligations under the Income Tax (Earnings and Pensions) Act 2003, the Limitation Act 1980, and other relevant legislation.
Employee Rights — The notice must set out all applicable data subject rights under UK GDPR Articles 15 to 22, including the right of access (Subject Access Request), rectification, erasure, restriction, portability, objection, and rights in relation to automated decision-making. The mechanism for exercising rights and the applicable response timeframe (one calendar month under Article 12) must be specified.
Right to Lodge a Complaint with the ICO — Under Article 13(2)(d), the notice must inform employees of their right to complain to the ICO if they believe their data has been processed unlawfully.
Related Documents
You may also find these documents useful:
Data Retention Policy (UK)
Create a comprehensive Data Retention Policy for England and Wales that supports compliance with the UK GDPR storage limitation principle (Article 5(1)(e)) and the Data Protection Act 2018. This template covers all essential elements: organisation identification, policy scope, a detailed retention schedule by data category (employee records, payroll and PAYE, recruitment, health and safety, CCTV, customer records, contracts, and financial records), legal retention requirements under the Companies Act 2006, Income Tax (Earnings and Pensions) Act 2003, HMRC guidance, Limitation Act 1980, RIDDOR 2013, and COSHH Regulations 2002. Includes secure destruction procedures, legal hold provisions, review and audit obligations, responsibilities, and breach consequences. Download as PDF or Word.
Employment Contract (England & Wales)
Hiring someone in England or Wales? You are legally required to give them a written statement of employment particulars on or before their first day of work. Our UK Employment Contract template meets all requirements of the Employment Rights Act 1996 and covers working hours, salary, holiday entitlement, notice periods, pension auto-enrolment, confidentiality, and optional restrictive covenants. Download as PDF or Word in minutes.
Privacy Policy (UK)
Create a comprehensive UK Privacy Policy compliant with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018. This template covers data controller identification, ICO registration, lawful bases for processing, data subject rights, cookies under PECR, international data transfers, data retention, and breach notification. Suitable for websites, apps, and online services operating in England and Wales. Fill in your organisation's details, preview in real time, and download as PDF or Word.
Data Processing Agreement — UK GDPR (England & Wales)
Create a Data Processing Agreement (DPA) fully compliant with UK GDPR Article 28 and the Data Protection Act 2018 for England and Wales. This template covers all mandatory Article 28(3) processor obligations, ICO registration, sub-processor authorisation with prior notice, UK IDTA provisions for international transfers outside the UK, technical and organisational security measures under Article 32, personal data breach notification timelines, data subject rights assistance, DPIA support, audit rights with advance notice, and data deletion or return obligations. Includes controller ICO registration details, special category data provisions, and automatic termination with the principal services agreement. Governing law: England and Wales. Download as PDF or Word.
Employee Non-Disclosure Agreement (England & Wales)
Protect your business's confidential information and trade secrets with an Employee NDA drafted for England and Wales. Unlike a general commercial NDA, an employee-specific confidentiality agreement addresses the unique legal obligations that arise in the employment relationship — including mandatory whistleblowing carve-outs under the Public Interest Disclosure Act 1998, compliance with the Victims and Prisoners Act 2024, and alignment with the Trade Secrets (Enforcement, etc.) Regulations 2018. Our template ensures your confidential information is protected both during and after employment while fully respecting the employee's statutory rights.