1. Will I handle the personal data of my employees?
Yes - personal data is widely defined under UK data protection laws. The UK GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Personal data that employers typically process about their employees includes:
name;
address;
date of birth;
sex;
education and qualifications;
work experience;
National Insurance number;
tax code;
emergency contact details;
employment history with the organisation; and
special category data such as health data.
2. What information do I need to give to employees about how their personal data is handled?
It is a requirement of UK data protection laws to provide individuals with certain information when you process their personal data. This is typically provided via a document known as a privacy notice.
UK data protection laws have strict requirements about the information that a privacy notice must set out, which include:
Controller details - the identity and the contact details of the controller (which will be the employer in the case of an employee privacy notice);
Data protection officer (DPO) - if the company has a DPO, the contact details of the DPO must be provided to employees via the privacy notice;
Purpose and lawful basis - the specific purposes of the processing as well as the lawful basis for the processing must be included (and where legitimate interests are relied upon as the lawful basis, details of the specific legitimate interests);
Data sharing - employees should be given details of the recipients or categories of recipients of the personal data, if any;
International transfers - where applicable, that you are transferring personal data to a third country (i.e. a country outside of the UK and EEA), including reference to the appropriate or suitable safeguards being used for the transfer;
Retention period - the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; and
Data subject rights - a privacy notice must tell data subjects what their rights are under data protection laws. This includes the right to request access to and rectification or erasure of personal data, the right to request the restriction of processing concerning the data subject or to object to processing, the right to data portability, the right to withdraw consent at any time and the right to lodge a complaint with the ICO.
You can include all of the matters listed above (plus more!) in Docue’s employee privacy notice template, to produce a legally compliant employee privacy notice.
3. Does my business need a data protection employee handbook?
A data protection employee handbook (also known as a data protection policy) is an internal policy that tells staff how to handle and use personal data in a manner that is compliant with UK data protection laws. Data protection law can be a complex area, so having a well-structured policy/handbook can be crucial to enable employees, and the business as a whole, to comply with data protection laws. For example, it will tell employees the rules that apply to responding to data subject requests and how to mitigate and manage data breaches.
Docue’s data protection employee handbook template can be easily customised to meet your business’s needs by just answering a series of simple questions.
4. What should a data protection employee handbook cover?
A data protection employee handbook will cover a range of data protection matters so that employees know how to use personal data in a secure and compliant manner. It will typically cover how the company processes personal data in a lawful, fair, and transparent manner, how the company keeps personal data safe, how the company shares personal data with others, how the company decides what data to delete and when it deletes it and what records the business keeps.
To find out more about what to include in your data protection employee handbook, read this guide.
5. Do I need to provide data protection training to employees?
Having a data protection employee handbook in place is a great starting point for achieving data protection compliance. However, a written policy alone is not enough. It is crucial that employees are provided with training on the contents of the data protection employee handbook to ensure that the principles that are set out in the policy are actually embedded into your business’s day-to-day activities and the actions of your employees. Training should be provided regularly to ensure that employees are up to date with the current version of the data protection employee handbook.