Employee privacy and confidentiality laws: how to stay compliant

Learn more about complying with legislation, maintaining HR confidentiality, and understanding employee privacy rights in the UK with our guide

Written and reviewed by:
Robyn Summers-Emler Grow Online Editor

Startups.co.uk is reader supported – we may earn a commission from our recommendations, at no extra cost to you and without impacting our editorial impartiality.

If you employ members of staff (or are planning to hire some), then you’ll need to be compliant with employee privacy and confidentiality laws in the UK. As part of following the necessary legislation, you’ll need to ensure that employee privacy is respected, and understand how this vital aspect of HR works.

Plus, with protecting employee data becoming even more important since GDPR (General Data Protection Regulation) was introduced in 2018, there’s lots you need to understand.

We understand that this aspect of running a business can be intimidating, and that many small business owners simply don’t have the time or expertise to be constantly monitoring this vital, yet time-consuming aspect of business operations.

We’ve also put together this handy guide to help you learn more about employee privacy rights, whether you manage HR by yourself, or you already have in-house HR resources.

HR software is a great way to ensure you are staying compliant with employee security and privacy laws. The right software provider can give you access to expert advice and knowledge, while also giving you greater control over your HR functions at a lower cost. To find out more, read our comprehensive guide to the best HR software for small businesses.

Employee privacy and confidentiality laws in the UK

Here, we highlight some of the key employee privacy and confidentiality laws that UK employers need to know about.

The Data Protection Act 2018

The Data Protection Act 2018 is the law which governs how personal information is used, and is the UK’s fulfilment of the General Data Protection Regulation (GDPR).

This law outlines the data protection principles which must be followed when you’re responsible for personal data. Some of the principles include ensuring that the data is used for fair and lawful purposes that are clear and specific. The personal data should also only be used and stored for as long as is necessary. It should be secure, and updated if and when relevant.

There are even stronger protections in place for managing sensitive data. This includes data about biometrics (if used for identification purposes), ethnic background, genetics, health, political opinions, race, religious beliefs, trade union membership, and sex life or orientation.

The law also gives people the right to know what information is stored about them, including how it’s being used, as well as the ability to access their personal data.

Do I need permission to store employees’ data?

There are some types of personal data that an employer can keep about employees without their permission. This includes names, addresses, birth dates, and more.

However, some types of sensitive data (such as those outlined in the previous section) require you to have your employees’ permission to keep it, and must be stored in a more secure way than the other types.

Your employees have the right to know which records are stored about them and their use, along with how confidentially they’re kept. They’re also entitled to know the connection between storing this information and how it assists with training and development requirements in the workplace.

As an employer, you have 30 days to give your staff a copy of the data you have about them, should they request it.

Human rights laws

These refer to the rights and freedoms that everyone has, such as being treated fairly, equally, and with respect.

If you’re an employer in the public sector, then you must follow human rights laws, e.g. The Human Rights Act 1998. However, if you’re an employer in the private sector, human rights principles are factored into employment law, such as the Equality Act 2010.

Human rights laws include people’s rights to have private lives, as well as to have freedom of thought, belief, and religion. People are also entitled to freedom of assembly and association (e.g. to be a part of a trade union), and the right to not be discriminated against based on these and other factors.

If an employee thinks that you have broken human rights laws, they might raise the issue with you in the first instance, then consider raising an internal grievance, or eventually begin legal action.

Freedom of Information

The Freedom of Information Act 2000 permits anyone in the world to ask for information that’s held by a public authority in the UK, without giving a reason for doing so.

Public authorities in England, Wales, and Northern Ireland are covered by the above Act, as well as those that are based in Scotland but operate across the UK. Public authorities that are only based in Scotland must comply with the Freedom of Information Act (Scotland) 2002.

However, if you run an organisation that gets public funding, the Act might not apply. For instance, this is the case for certain charities that receive grants, and some private sector organisations that do public work.

If the Act is applicable to your organisation, note that requests should be in writing, and in general must be replied to within 20 working days.

Some organisations might not charge for Freedom of Information (FOI) requests. However, if it would cost the public authority £450 or more to grant the request, then it can be refused.

Employee confidentiality statements

While there isn’t one particular employee confidentiality law that governs keeping certain company information confidential, there are a number of previous cases that have influenced how this area of business should be conducted.

There is a common law duty of confidentiality in the UK. Essentially, this means that people should keep information to themselves if it is not already publicly available and it would be unfair for it to be shared more widely.

While this is implied, it’s also wise for employers to have confidentiality or non-disclosure agreements in place as part of employment contracts, to further restrict which company information can be shared, when, and by whom.


Employee privacy and confidentiality rights

Employers can monitor employees at work in a number of ways, including:

  • Listening to/recording phone conversations
  • Email and internet usage
  • CCTV surveillance
  • Drug testing
  • Bag checks
  • Searches

Certain aspects of monitoring, such as storing data, images, and drug testing, are also covered by data protection law (see the previous section for more details).

If you plan on monitoring employees, you should understand why you plan to do so, and be able to justify it. As well as this, you should conduct an impact assessment, in which you examine the potential negative consequences that monitoring might have on your team members, according to Citizens Advice.

You should also think about whether other less invasive options could work, and then decide if monitoring is reasonable based on all of this information.

Once you’ve done this and have decided to proceed with monitoring, you’ll need to let your employees know (although if an impact assessment has been conducted correctly, you generally won’t require each employee’s consent), as well as have policies in writing.

These policies should be included in employment contracts or staff handbooks, which should also detail the extent of monitoring that will take place, and why. Overall, monitoring should be fair, explainable, and used for specific work purposes.

Charlotte Geesin, head of employment law and business immigration at Howarths, comments: “The foundations for the successful maintenance of privacy and confidentiality rights lie in the implementation and upkeep of robust and accurate employment documentation. Privacy notices, consent forms (where applicable), and policies on Data Protection, Employee Monitoring and Discipline should all be regularly reviewed – at least annually – and updated where necessary.

“Employees’ attention should be drawn directly to any policy documentation which employers have in place and ideally, employees should be asked to confirm their understanding and acceptance of the provisions. Employees who refuse to give consent where it would be needed by an employer to carry out their desired activities must be allowed not to consent and the employer must respond accordingly.”

Bag checks

You’ll need to have a policy that lets staff know that their bags could be searched, along with the work reasons for doing so. An example of this type of monitoring would be checking employees’ bags as they’re leaving your premises.

CCTV surveillance

If you do use CCTV on your premises, you have to let your staff know that CCTV monitoring will take place and why, along with clearly signposting that CCTV is in use.

You’re not allowed to monitor employees at all times (e.g. in staff toilets), as you still need to comply with human rights and data protection laws.

Drug testing

You’ll need your employees’ consent if you wish to conduct drug testing. In general, drug testing is carried out under a full contractual health and safety policy, which should be included in employees’ handbooks or contracts.

Drug testing should be restricted to only the necessary employees, such as those in safety-critical roles or jobs that require high levels of concentration.

It should also be randomised, and you can only select a certain employee for a drug test if it is justified based on their work (e.g. driving, operating machinery, caring for vulnerable people, or working in the medical profession).

Although you can’t make an employee take a drug test, you can enforce disciplinary action if they say no. Of course, this is provided you have good grounds for requesting it, such as health and safety concerns.

Email and internet usage

This type of monitoring includes tracking the websites your employees visit, as well as monitoring their email and wider internet usage.

You’ll need to set out whether monitoring will take place and what it covers, as well as how much personal email and internet use is acceptable, or whether it’s not permitted at all.

Listening to/recording phone conversations

Phone monitoring is permitted, as long as it’s for work purposes, you’re monitoring equipment that’s used in part or entirely for business use, and you’ve taken reasonable action to let your employees know about it.

You can check the call history or recordings of phone conversations, although you’ll also have to comply with data protection laws.

You don’t need consent from your employees to monitor their phone calls, so long as the monitoring is being used for one of the following reasons:

  • Checking that work-related facts, processes, or standards are being upheld
  • For the prevention or detection of crime
  • Ascertaining any unauthorised use
  • Ensuring that the electronic systems are working correctly
  • Verifying if a communication that’s sent to your employee is related to the business, e.g. opening emails or listening to voicemails (but not call recording)
  • Checking calls to confidential helplines (you can listen to these, but can’t record them)
  • For national security purposes

The above information also applies to other types of electronic communication, including email, internet, and fax.

Your staff handbook should detail what the policy is for staff when making calls on business phones, as well as if personal phone calls are permitted.

If you do allow minimal personal calls, and also use call recording, then you have to let your employees know that their private phone calls may be recorded as well.

This type of monitoring is covered by The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.

Searches
You should ensure that searches are respectful of employees’ privacy. Searches should also be conducted by someone of the same sex, and take place with a witness present.

HR confidentiality UK explained

HR is required to maintain certain levels of confidentiality. For example, the keeping and storing of employees’ personal data and commercial information should comply with GDPR.

Sensitive personal data (such as that outlined in the data protection law section above) must be kept confidential – that is, on secure computers that can only be accessed by team members who require use of this data to carry out their jobs.

Other employee data, like that relating to bank accounts, home addresses, medical records, and payroll, is also shared with HR confidentially.

In addition, employee confidentiality rights also include ensuring that information which belongs to them (e.g. a presentation or a document) won’t be shared with or used by others, unless they give their permission.

HR confidentiality is also beneficial for you as an employer. For example, if your business is making redundancies, going through a merger, or launching a new product, then HR is expected to keep this information confidential.

Overall, HR confidentiality is important for running your business ethically, as well as upholding your company’s reputation, and avoiding any possible legal consequences.

While we’ve focused on HR confidentiality in this section specifically, see our page on ‘what is HR?’ for a broader overview of the different HR functions.

When is HR allowed to break confidentiality?

HR could break confidentiality if:

  • There’s a high risk of someone hurting themselves or another person
  • They need to in order to comply with the law, and to avoid being complicit through association
  • In certain whistleblowing scenarios, depending on the severity of the issue, and if it’s in the public interest to know about it

It’s useful for HR to outline in writing which circumstances could require such breaches of confidentiality, or for data to be shared. Some examples include sexual harassment cases and possible criminal investigations.

Sharron Bhandal, senior associate in the employment team at Blaser Mills Law, adds: “As HR representatives are not legally bound by a duty of confidentiality with regard to privileged communication in the way that those within the legal and medical professions are, an HR professional must weigh up their responsibilities to employees, management, and the law to judge whether to disclose information.

“Employees’ personal data must generally remain confidential. However, HR’s primary role is to protect the interests of the organisation, meaning HR representatives must sometimes disclose information that employees would prefer to remain confidential.”

It can be difficult to know which information can and can’t be disclosed, and when. This is where HR support can step in, providing you with the necessary expertise so that you know your business is compliant. It only takes a minute to complete the form at the top of the page to compare quotes for HR support. Then, we can match you with the HR support that’s best suited to your business needs.

How can HR services or software support me with employee privacy law as an employer?

HR services and software could help your business in a number of ways. These include:

  • Having the appropriate software/systems to securely store employees’ personal data
  • Advising on best practice for staff monitoring procedures
  • Preparing staff handbooks and employment contracts
  • Ensuring compliance with employment laws


If you employ staff, or intend to, then it’s essential to comply with employment law, including that for employee privacy and confidentiality. This covers everything from meeting GDPR requirements for storing personal data to protecting employees’ human rights, and ensuring that confidentiality is maintained when necessary.

Monitoring employees’ phone and internet usage, as well as operating CCTV and conducting bag checks, drug testing, and searches, are all possible as long as they’re done in accordance with the relevant laws, including respecting employees’ rights to privacy.

An HR department is able to implement and uphold these policies, as well as employer/employee confidentiality. However, it’s important to be aware that there are circumstances in which HR might have to breach confidentiality, such as if criminal behaviour is suspected.

Don’t forget that HR support is available to help you navigate the complexities of complying with employment law, and HR consultants can offer you one-off or ongoing advice based on your business needs.

Simply provide a few details about your company to compare quotes for HR support providers and software. Not only could this help you to save time and money, but it could also take away the stress of managing this area of your business, and avoid the possibility of not complying with the relevant guidance, laws, and regulations.

Or, for more detailed information on outsourcing HR, visit our pages on:


Written by:
Scarlett writes for the energy and HR sections of the site, as well as managing the Just Started profiles. Scarlett is passionate about championing equality and sustainability in business.