Model documents and policies

Downloadable and customisable documents relating to data protection. For more information see the employment law pages on Data protection.


Note: The General Data Protection Regulation (GDPR), which applies to all EU member states, will come into force in the UK on 25 May 2018. A new Data Protection Bill to replace the existing Data Protection Act and enact the GDPR is still subject to parliamentary debate. The Information Commissioner's Office (ICO) is also still working on definitive guidance on how the regulation will apply in the UK. We have published model documents in line with current ICO guidance on the GDPR, and these may be reviewed in accordance with any ICO guidance changes. Please note that the finalised Data Protection Bill and a full set of ICO guidance have not yet been published, including guidance on how to properly obtain consent.

Form

Data Protection Act consent form

The Data Protection Act consent form aims to ensure that any personal or sensitive data that an organisation holds about an individual is used appropriately. It explains the context within which the data will be used to enable the employee to give informed consent. This form can continue to be used until the GDPR takes effect from 25 May 2018.
Medical report consent form

This model medical report consent form explains rights relating to a request for a medical report from the employee's GP, including the specifics of the request for information, the employee's rights under the Access to Medical Reports Act 1988, the employee's right to see the report, and implications in relation to the Data Protection Act 1998 and Code of Practice provisions.

Subject access request form (GDPR compliant)

This form can be used by an employee to make a subject access request under the GDPR.

This document may be subject to review when the Data Protection Bill 2017-19 is finalised.

Personal data subject access request form

Give this form to an employee who wishes to make a request under the Data Protection Act 1998 to receive a copy of the personal data held by their employer. The form allows the employee to state the particular documents or files they are requesting, as well as to identify those they believe hold the personal data requested. This form can continue to be used until the GDPR takes effect from 25 May 2018.

HR data audit form (GDPR compliant)

You can use this form to complete your HR data audit in preparation for GDPR. It enables you to review the life cycle of data that you process, including the types of data, the reason for the processing, and the security measures you take.

Confidentiality agreement (GDPR compliant)

This agreement outlines that an employee agrees to keep secret and not at any time, either during their employment or after its termination, use, communicate or reveal to any person, for the employee's or any other person's benefit, any trade secret or confidential information concerning the business, finances or organisation of the Company or any Associated Company, their systems, techniques or know-how, or those of their suppliers or customers. The agreement clarifies the type of information which is considered to be secret and confidential. It also requires the individual to familiarise themselves with the provisions of data protection rules under GDPR.

HR data record (GDPR compliant)

You should use this form to keep an ongoing record of the HR data you process and the lawful basis on which it is processed. You should regularly review the information on this record and ensure it is fully up to date.

Employee privacy notice (GDPR compliant)

A privacy notice can be used as part of a data protection compliance system and explains how you use data. This version is to be used for your employees; a separate version exists for job applicants.

Job applicant privacy notice (GDPR compliant)

A privacy notice can be used as part of a data protection compliance system and explains how you use data. This version is to be used for your job applicants; a separate version exists for employees.

Confidentiality agreement

This agreement outlines that an employee agrees to keep secret and not at any time, either during their employment or after its termination, use, communicate or reveal to any person, for the employee's or any other person's benefit, any trade secret or confidential information concerning the business, finances or organisation of the Company or any Associated Company, their systems, techniques or know-how, or those of their suppliers or customers. The agreement also clarifies the type of information which is considered to be secret and confidential.

Consent form for existing employees (GDPR compliant)

This form can be used when refreshing consent already obtained from employees before the implementation of GDPR, where no other lawful basis applies. You must include the specific reasons for different data processing activities. This form may be subject to review before GDPR implementation.

Consent form for new employees (GDPR compliant)

This form can be used to obtain consent for processing data from new employees, where no other lawful basis applies, once GDPR has been implemented. You must include the specific reasons for different data processing activities. This form may be subject to review before GDPR implementation.

Consent form for employees who leave (GDPR compliant)

This consent form can be used to obtain consent from employees who leave your organisation for any data you wish to continue to process which does not fall under a separate lawful basis. This form may be subject to review before GDPR implementation.

Consent form for unsuccessful job applicants (GDPR compliant)

This consent form can be used to obtain consent from unsuccessful job applicants whose data you may wish to keep on file in case other suitable job vacancies arise. This form may be subject to review before GDPR implementation.

Data deletion request form (GDPR compliant)

Data subjects have the right to have their data deleted in certain situations. This form can be used by a data subject to request deletion. It requires the data subject to include their reason for the request.

Data restriction request form (GDPR compliant)

Data subjects have the right to have the processing of their data restricted in certain situations. This form can be used by a data subject to request restriction. It requires the data subject to include their reason for the request.

Data rectification request form (GDPR compliant)

Data subjects have the right to have their data rectified if it is inaccurate or incomplete. This form can be used by a data subject to request that data be rectified.

Policy

Subject access request policy (GDPR compliant)

This policy gives details about how the organisation will handle a subject access request under the GDPR.

This document may be subject to review when the Data Protection Bill 2017-19 is finalised.

Data transfer security policy (GDPR compliant)

This policy, containing relevant references to GDPR, covers definitions, the law, transferring data, memory sticks, action to be taken if data goes missing, and negligent transfer of data.

Monitoring policy (GDPR compliant)

This policy, containing references to GDPR, outlines the Company's approach to monitoring in the workplace, including CCTV, email, internet, telephone and related data protection issues. The policy outlines the extent of monitoring in the workplace and states that the Company may use information gathered through employee monitoring as the basis for disciplinary action against employees. It also allows for identification of the Company's Data Protection Officer.

Data protection policy (GDPR compliant)

This policy outlines the Company's approach to protecting data in the workplace in accordance with GDPR, including data protection procedures, access to data, disclosures and security of data, how the Company will notify a breach, training, and the identification of officers responsible for data protection.

This document may be subject to review when the Data Protection Bill 2017-19 is finalised.

Data transfer security policy

This policy covers definitions, the law, transferring data, memory sticks, action to be taken if data goes missing, and negligent transfer of data.

Employee data policy

This policy gives details about the type of information that the organisation keeps about its employees and the purposes for which it keeps it. This policy can continue to be used until the GDPR takes effect from 25 May 2018.

Freedom of Information Act compliance policy

The Freedom of Information Act gives a legal right for any person to ask an organisation within the public sector for access to information that it holds. This policy outlines the procedure to be followed when someone asks for information under the Act.

Monitoring policy

This policy outlines the Company's approach to monitoring in the workplace, including CCTV, email, internet, telephone and related data protection issues. The policy outlines the extent of monitoring in the workplace and states that the Company may use information gathered through employee monitoring as the basis for disciplinary action against employees.

Data breach notification policy (GDPR compliant)

This policy includes the definition of a breach, allows for the inclusion of data breach detection methods, and sets out the circumstances where notification is needed, both to the supervisory authority and to the individuals whose data was subject to a breach.

Policy on data subject rights (GDPR compliant)

Under the GDPR, data subjects have many rights in relation to their data. This policy sets out those rights, and the criteria attached to exercising them.

Letter

Letter asking an employee to pay a fee relating to subject access

Use this letter to request the payment of an administrative fee before a request to access personal data will be carried out. Please note the maximum prescribed fee is £10.

This letter can continue to be used until the GDPR takes effect from 25 May 2018.

Letter asking an employee to provide proof of identity relating to subject access

Use this letter to ask an employee to provide proof of identity before access can be granted to personal data held by the company.

This letter can continue to be used until the GDPR takes effect from 25 May 2018.

Letter in response to a subject access request

Use this letter to acknowledge an employee's request to see a copy of the personal data held by their employer and enclose a copy and description of the data held, for what purposes it has been used, who has seen it, and how it was obtained. There are also options to explain why data has been retained.

This letter can continue to be used until the GDPR takes effect from 25 May 2018.

Letter to the doctor of an employee requesting medical report

This letter requests a medical report from an employee's doctor or consultant on the employee's current state of health and a prognosis of future health for a specified period. It must be accompanied by a signed medical consent form and by a copy of the employee's job description.

Letter asking an employee to pay a fee relating to subject access (GDPR compliant)

Use this letter to request the payment of a fee on receipt of a subject access request. Please note that under the GDPR a reasonable fee can only be requested where the request is manifestly unfounded, excessive or repetitive, or where further requests for the same information are made.

This document may be subject to review when the Data Protection Bill 2017-19 is finalised.

Letter asking an employee to provide proof of identity relating to subject access request (GDPR compliant)

Use this letter to ask an employee to provide proof of identity before access can be granted to personal data held by the company.

This document may be subject to review when the Data Protection Bill 2017-19 is finalised.

Letter in response to a subject access request (GDPR compliant)

Use this letter to acknowledge an employee's request to see a copy of the personal data held by their employer and enclose a copy and description of the data held, for what purposes it has been used, who has seen it, how it was obtained, how long it will be kept for, and the employee's rights in relation to the data. There are also options to explain why data has been withheld.

This document may be subject to review when the Data Protection Bill 2017-19 is finalised.

Letter informing of extension of time to comply with subject access request (GDPR compliant)

Use this letter to inform the employee of the reason why the time to comply with the subject access request has been extended. Please note that under the GDPR the time to comply can only be extended to three months from the date of receipt of the request.

This document may be subject to review when the Data Protection Bill 2017-19 is finalised.