Use this template to create a data protection policy for employee data.

---

Data Protection Policy

[Company Name]

Policy Owner: [Data Protection Lead/HR Director] Last Reviewed: [Date] Next Review: [Date]

---

1. Introduction

1.1 Purpose

This policy sets out how [Company Name] handles personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1.2 Scope

This policy applies to:

• All employees, workers, and contractors
• All personal data processed by the Company
• Data held electronically and in paper form

---

2. Data Protection Principles

We will ensure personal data is:

Principle	What This Means
Lawful, fair and transparent	Processed with a valid legal basis and openness
Purpose limitation	Collected for specified purposes only
Data minimisation	Adequate, relevant, and limited to what's necessary
Accuracy	Kept accurate and up to date
Storage limitation	Kept no longer than necessary
Integrity and confidentiality	Processed securely
Accountability	We can demonstrate compliance

---

3. Personal Data We Process

3.1 Employee Data

Category	Examples
Identity	Name, date of birth, NI number, photo
Contact	Address, phone, email, emergency contacts
Employment	Job title, contract, performance, disciplinary
Financial	Bank details, salary, pension, tax
Attendance	Working hours, absence, holiday
Recruitment	CV, interview notes, references

3.2 Special Category Data

We may process special category data including:

• Health information (sickness records, fit notes)
• Trade union membership
• [Others as applicable]

This requires additional safeguards and is only processed where legally permitted.

---

4. Lawful Bases for Processing

4.1 Employment Data

We process employee data primarily on the following bases:

Basis	Examples
Contract	Processing payroll, administering benefits
Legal obligation	Tax, pension, right to work checks
Legitimate interests	Performance management, security
Consent	Where specifically obtained

4.2 Special Category Data

Special category data is processed under:

• Employment law obligations (e.g., health and safety, equality)
• Explicit consent (where applicable)

---

5. Data Security

5.1 Technical Measures

We implement:

• Password protection and access controls
• Encryption of sensitive data
• Secure networks and firewalls
• Regular security updates
• Secure data backup

5.2 Organisational Measures

We implement:

• Access on a need-to-know basis
• Confidentiality agreements
• Staff training on data protection
• Clear desk policy
• Secure disposal of documents

5.3 Reporting Breaches

Any suspected data breach must be reported immediately to [Data Protection Lead/contact]. We will:

• Assess and contain the breach
• Notify the ICO within 72 hours if required
• Notify affected individuals where required
• Document the breach and our response

---

6. Data Retention

6.1 Retention Periods

Record Type	Retention Period
General personnel records	6 years after termination
Payroll and tax records	6 years from end of tax year
Pension records	Indefinitely
Right to work documents	2 years after termination
Unsuccessful applications	6-12 months
Training records	6 years after termination
Health and safety records	40 years for some

6.2 Disposal

When retention periods expire, data will be securely destroyed.

---

7. Individual Rights

Employees have the right to:

Right	Description
Access	Request a copy of their personal data
Rectification	Have inaccurate data corrected
Erasure	Have data deleted in certain circumstances
Restrict processing	Limit how data is used
Data portability	Receive data in portable format
Object	Object to certain processing

7.1 Subject Access Requests

To make a request, contact [Data Protection Lead/HR] in writing.

We will:

• Verify your identity
• Respond within one month
• Provide data in an accessible format
• Explain any exemptions applied

---

8. Third Party Sharing

We may share employee data with:

Third Party	Purpose
HMRC	Tax obligations
Pension provider	Pension administration
Payroll provider	Processing pay
Insurance providers	Employee benefits
Occupational health	Health assessments
Regulators	Legal compliance

We have data processing agreements with third-party processors to ensure data is protected.

---

9. International Transfers

If we transfer data outside the UK, we ensure adequate safeguards are in place as required by law.

---

10. Employee Responsibilities

All employees must:

• Only access data needed for their role
• Keep personal data secure
• Report suspected breaches immediately
• Complete data protection training
• Follow Company policies on data handling

Breach of this policy is a disciplinary matter.

---

11. Training

All employees receive data protection training at induction and regular refresher training.

---

12. Monitoring and Review

This policy is reviewed annually. Compliance is monitored through:

• Regular audits
• Incident reviews
• Training completion tracking

---

13. Contact

Data Protection Lead: [Name] Email: [Email] Phone: [Number]

ICO (Information Commissioner's Office): Website: ico.org.uk Phone: 0303 123 1113

---

14. Related Documents

• Privacy Notice for Employees
• IT Acceptable Use Policy
• CCTV Policy (if applicable)
• Subject Access Request Form
• Data Retention Schedule

---

Document Control

Version	Date	Author	Changes
1.0	[Date]	[Name]	Initial version