
Data Protection Employment Policy UK: Employer Guide

Part of UK Employment Law Guide for Employers (2025)

Updated June 2026 · England & Wales
Every UK employer handles personal data about the people who work for them. Names, addresses, bank details, next of kin, sickness records, performance notes, disciplinary files, right-to-work evidence: all of it sits within the scope of UK data protection law. A Data Protection Employment Policy is the internal document that sets out how your organisation meets those duties in practice, from recruitment right through to when someone leaves. Written well, it protects your staff, reduces the risk of complaints to the Information Commissioner's Office, and gives managers a clear framework to follow. This guide, written for business owners, HR leads and operations managers, walks through what such a policy should cover and why each section matters under the UK GDPR and the Data Protection Act 2018.

What this document is

A Data Protection Employment Policy is an internal rulebook that explains how your organisation collects, stores, uses and eventually disposes of personal data about its workforce. It sits alongside your privacy notice (which is outward-facing and tells staff what happens to their information) and your wider data protection and information security policies.

The employment policy focuses specifically on the HR context: job applications, employment contracts, payroll, pensions, monitoring, training records, occupational health, references and post-employment retention. In law, your organisation is almost always the data controller for employee information, which means you carry the legal responsibility for how it is handled.

A well-drafted policy sets out the lawful bases you rely on, the categories of data you hold, the rights your staff have, the security measures you apply, and what managers and employees must do day to day. It also gives you something credible to point to if the ICO, a tribunal or an individual ever asks how you approach personal data in the employment relationship.

How to use this document

  1. Set the scope and define your terms. Start by making clear who the policy covers (employees, workers, contractors, job applicants, former staff) and what kinds of personal data fall within it. Define terms like controller, processor, personal data, special category data and processing so that everyone reading the policy, including line managers with no legal background, works from the same shared understanding.
  2. Map the data protection principles to your HR practice. Translate the UK GDPR principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability) into plain language commitments your organisation will follow. Give practical examples so managers can see how each principle applies to things like reference checks, appraisals or exit interviews.
  3. Identify your lawful bases for each activity. Go through your main HR processing activities and record the lawful basis you rely on, whether that is performance of the employment contract, compliance with a legal obligation, legitimate interests, or consent. For special category data such as health or trade union membership, you also need to identify a separate condition under Article 9. Document this reasoning.
  4. Explain staff rights and how to exercise them. Set out the rights individuals have over their data, including access, rectification, erasure (where it applies), restriction, objection and portability. Give a named contact or inbox for requests, explain internal timescales, and describe how the organisation will verify identity and respond. This section helps reduce confusion when a subject access request lands.
  5. Cover security, retention, breaches and training. Describe the technical and organisational measures you use to protect staff data, how long different categories are kept, and when records are deleted or archived. Set out how employees must report a suspected data breach, how the organisation assesses whether to notify the ICO, and how staff are trained on their responsibilities at induction and refresher points.

Common questions

Q Is a Data Protection Employment Policy a legal requirement in the UK?
There is no single provision that forces every employer to have a named employment data protection policy. However, the UK GDPR's accountability principle requires you to demonstrate compliance, and the ICO expects organisations to have clear, documented policies covering how personal data is handled. In practice, having a dedicated employment-focused policy is one of the most straightforward ways to show that you take your duties seriously.
Q How is this different from a privacy notice for staff?
A staff privacy notice is written for the employee and explains, in transparent terms, what data you hold about them, why, and what their rights are. A Data Protection Employment Policy is an internal document aimed at the organisation itself: managers, HR and anyone who touches personal data. The two work together. The privacy notice tells people what happens; the policy tells the business how to make sure it actually happens that way.
Q Can we rely on employee consent as our lawful basis?
Usually not, and this catches employers out. Because of the imbalance of power between employer and employee, the ICO takes the view that consent is rarely freely given in the employment context. For most HR processing, you will rely on performance of the contract, a legal obligation, or legitimate interests instead. Consent tends to be reserved for genuinely optional activities, such as using a photo in marketing.
Q How long should we keep employee records after someone leaves?
Retention periods vary depending on the type of record and the legal or business reason for holding it. Tax and payroll records, for example, have their own statutory retention requirements. Your policy should set out specific periods for each category and explain why, then be reviewed periodically. Keeping everything forever is not a safe default and is likely to breach the storage limitation principle.
Q What should we do if there is a data breach involving employee information?
Your policy should set out an internal reporting route so that any suspected breach reaches the right person quickly. The organisation then needs to assess the risk to individuals. Where there is a risk to people's rights and freedoms, the ICO must generally be notified within 72 hours of becoming aware of it, and affected staff may also need to be told. Acting quickly and documenting decisions is essential.
Q Does the policy need to cover monitoring of staff?
If you monitor email, internet use, CCTV, vehicle trackers or productivity tools, this should be addressed. The ICO has published detailed guidance on monitoring workers, and expects employers to be transparent, to carry out a data protection impact assessment where appropriate, and to be able to justify the monitoring against a lawful basis. A good policy sets the framework and points staff to more detailed monitoring notices.
Q Who should own and review the policy inside the business?
Ownership usually sits with HR, often jointly with a data protection officer or nominated data protection lead. The policy should be reviewed at least annually and whenever there is a significant change, such as new HR systems, a restructure, or updated ICO guidance. Version control and a clear review date on the document itself help demonstrate that the policy is a living one and not just a tick-box exercise.

Sources

This guide is based on primary UK law and official guidance.

Written & reviewed by

Brad Askew, Solicitor (non-practising)

Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice. LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.

Legal disclaimer
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.