We have saved a total of for our clients

Staff and Contractor Data Privacy Notice

Our Staff and Contractor Data Privacy Notice template :

  • drafted by a GDPR-specialist solicitor
  • simple to use
  • get GDPR compliant now
  • money-back guarantee
Money Back Guarantee

How Does It Work?

  • 1. Download
  • 2. Edit
  • 3. Print
  • 4. Sign

Our Staff and Contractor Data Privacy Notice template is for use as part of your HR procedures.

Using a Staff and Contractor Data Privacy Notice

This is the notice you need to give out to all of your (a) employees and (b) contractors, so they know how you process their personal data in accordance with the law. This has been drafted to be compliant with the latest laws on data protection – the GDPR and the Data Protection Act 2018.

If you are looking for something to cover the recruitment stage – i.e. before you have given them the job – then have a look at our Candidate Privacy Notice template instead. Below you can preview the guide that accompanies the template when you buy it.

Guide to our Staff and Contractor Data Privacy Notice

This guide takes you through completing the template Staff and Contractor Data Privacy Notice, which is required under the GDPR. Employees and independent contractors that are taken on by your business are ‘data subjects’ for the purpose of GDPR and, as a result, it is a legal requirement under GDPR to (a) provide them with certain information relating to the collection and processing of their data, including what their rights are as a data subject under GDPR, and (b) obtain their informed consent to such collection and processing.

The remainder of this guide will take you through editing and completing the template.

Clauses in this Staff and Contractor Data Privacy Notice – Numbered clauses

1. Purpose

This clause explains the purpose of the document and you will need to add in the name of your business and then delete the square brackets.

2. Data Protection & GDPR Principles

This clause sets out the data protection principles that the business must adhere to when collecting and processing data relating to an employee or contractor.

3. The Type of Information We Hold

This clause in the data privacy notice sets out the type of data that the business will collect and hold in respect of its employees and contractors. The list should cover most businesses but if your business collects any data that is not listed then add a note of that data. Some businesses will carry out criminal records checks but others will not. If your business does not, then simply delete that bit from clause 3.

4. How We Collect Your Data

In this clause the process for collecting personal data is described.

5. How We Use Your Personal Data

This clause sets out how the business uses the information collected from employees and contractors. Most businesses will find that the standard list set out in this clause covers all of the ways that the business uses information. However, if your businesses use the data for any purpose not listed then add that in.

6. How We Use Special Category Personal Data

Some categories of data are ‘special categories’ and this includes health data and data such as ethnic origin. At sub-clause 3 of the data privacy notice you will need to consider whether you should delete the information relating to pension schemes that is contained within the square brackets.

7. Information Pertaining to Criminal Records and Convictions

This section will require the most editing of all of the sections in this template. Consider the wording within the square brackets and how the wording relates to how your business uses criminal record checks and information in relation to its employees and contractors. Be careful to note where you have multiple options. So where you see the word ‘OR’ within the wording inside the square brackets, you will have one or more options that may apply to your business. Also at the end of the clause is a section which, if relevant to your business, requires you to state any legal obligation to collect criminal offences data. For example, a childcare agency is legally required to undertake criminal record background checks on all of its employees.

8. Automated Decision-Making and Personal Data

This clause covers your business where you use technology to take decisions on employees or contractors. Alter it if you do use technology for this purpose.

9. Data Sharing

This clause explains that the business may need to share data with selected third parties. It is very common for a business to outsource matters, such as payroll and HR support, and, if this is the case, it will be necessary to pass information relating to staff and contractors to such third parties. In turn, you have to inform your staff and contractors about what you and the third parties are doing with their data.

10. Data Security

This clause in the data privacy notice explains that your business will take all reasonable measures to protect the confidentiality and security of the data that you collect from staff and contractors. so you will need to add into the section with the square brackets the name of the person within your business who employees and contractors should contact if they have any questions relating to data security.

11. Data Retention

This clause sets out the policy for how long you store personal data. This will vary for different businesses, so the clause sets out a generic statement which will apply to all businesses. So adapt it to suit your business.

12. Rights of Access, Erasure, Correction and Restriction

This clause notifies staff and contractors of their legal rights under GDPR. It is a requirement of GDPR that all data subjects are provided with this information. So you will need to train staff keeping the data records on what to do in the event that a data subject uses such rights.

13. Right to Withdraw Consent

This clause advises employees and contracts that, where your collecting and processing of their data requires their consent, they have the right to withdraw consent.

14. Data Protection [Officer] [Manager]

All businesses should appoint someone who takes internal responsibility for data protection. Some businesses are required to appoint an official data protection officer who must be registered with the Information Commissioner’s Office. If you do not have a data protection officer, then you would appoint a data protection manager. So you will need to edit or delete the wording within the square brackets, depending on what applies to you.

15. Privacy Notice Changes

This clause in the data privacy notice advises your employees and contractors that your business may have to update the policy from time to time.

Lastly, the policy confirms who the employee or contractor should contact if they have questions relating to the policy. This should be the name of the person that you appointed as the business’s data protection officer or manager, as applicable.