Employers in the UK can share an employee’s personal information with other employees, but only when there’s a lawful basis under UK data protection law. Every internal disclosure must be necessary, proportionate, and transparent to the affected individual.
This guide breaks down exactly when sharing is permitted, what protections employees have, and how UK businesses can stay compliant.
Whether sharing employee data is lawful comes down to three questions: Is there a legal basis? Is it necessary? Has the employee been informed?
Under the UK GDPR and the Data Protection Act 2018, employers as data controllers must have a lawful basis before sharing any personal data. This applies whether you’re forwarding an email to a colleague or giving a manager access to performance records.
Data is usually shared lawfully when:
• It’s needed to fulfil the employment contract, such as payroll data sent to finance
• A legal obligation requires it, like reporting to HMRC or pension providers
• The business has a legitimate interest that is not overridden by the employee’s own interests, rights, and freedoms
• Vital interests are at risk, such as in an emergency
Consent is rarely relied on, because the imbalance of power between employer and employee makes it hard to show that consent was freely given, and because an employee can withdraw it at any time. Most employers use legitimate interests or contractual necessity.
This section explains the key laws and regulations that govern how employers can share personal information with other employees in the UK.
When you collect employee data, you determine why and how that information is processed. This makes you a data controller with direct accountability to the Information Commissioner’s Office (ICO).
Your duties include:
• Processing data lawfully, fairly, and transparently
• Collecting only what’s adequate, relevant, and necessary
• Keeping records accurate and up to date
• Retaining data no longer than required
• Implementing security measures against data breaches
Health information, trade union membership, religious beliefs, and ethnic origin fall under special category data. Article 9 of the UK GDPR requires an additional condition before you can process or share this information internally. For employers that condition is typically the employment law condition, which under Schedule 1 of the Data Protection Act 2018 also requires you to have an appropriate policy document in place.
If an employee’s sickness absence relates to a medical condition, you cannot share the details in a team email. Access must be restricted to those with a genuine need to know, and colleagues covering the work need only know that the person is absent and for how long.
The ICO provides sector-specific guidance recognising that workplaces require data flows between HR departments, managers, and payroll providers. The expectation is that employers document their lawful basis and communicate sharing practices through clear data protection policy documents.
Most internal sharing falls into predictable patterns. Understanding these helps you assess whether your current practices meet legal requirements.
When an employee faces disciplinary action, HR may lawfully share relevant information with the employee’s line manager where this is necessary for management or employment law purposes. Any disclosure must be limited to what the manager needs to know to carry out their role. Circulating witness statements, medical details, or unproven allegations to uninvolved colleagues would normally breach the UK GDPR’s data minimisation and confidentiality requirements, particularly where special category data is involved.
Occupational health assessments may need to be shared with managers to implement workplace adjustments. Share the recommendations, not the underlying medical conditions, unless specific details are genuinely required for safety.
Emergency rotas often require sharing mobile numbers or personal email addresses. Limit this to staff who need operational contact and specify this use in your privacy notice.
Internal transfers and promotions require performance history. Panels should access standardised records, not informal gossip or speculation about an employee’s private life.
Some employee information flows relatively freely within organisations, provided transparency requirements are met.
Generally shareable:
• Work email addresses and office locations
• Job titles and reporting lines
• Work phone numbers and professional contact details
• Role-relevant qualifications and training certifications
• Attendance patterns for scheduling purposes
• Project involvement for collaboration needs
This sharing should still be documented in your processing activities and covered by your privacy notice. Employees must know that their basic details appear in staff directories or shared calendars.
Certain categories carry higher sensitivity. Sharing without proper justification is itself a personal data breach: an unauthorised disclosure must be recorded internally and, where it is likely to risk the affected employee’s rights and freedoms, reported to the ICO within 72 hours.
Typically restricted:
• Medical records and specific health conditions
• Salary, bonuses, and compensation packages
• Disciplinary actions, grievances, and HR file contents
• Personal mobile numbers and home addresses
• Trade union membership status
• Family circumstances, relationship details, or caring responsibilities
Even in HR, only share the data people need. A recruitment admin doesn’t need disciplinary records, and a receptionist shouldn’t see salary details.
If you think limited sharing is justified, do a documented check first: Can the goal be achieved without sharing? Would the employee expect this use?
Data protection laws give employees concrete rights regarding their personal data.
Your privacy notice must explain who within the organisation receives employee data and why. Vague statements like “relevant personnel” don’t satisfy transparency requirements.
Employees can submit subject access requests asking for copies of their personal data, including internal emails discussing them and logs showing who accessed their records. You have one month to respond, with an extension of up to two months for complex requests.
Where sharing relies on legitimate interests, employees can object. You’ll need to demonstrate compelling grounds to continue, particularly where processing affects the data subject’s wellbeing.
If employees believe their information was shared unlawfully, they can complain to the Information Commissioner’s Office. The ICO investigates, issues guidance, and can impose enforcement action.
Article 6 of the UK GDPR sets out six lawful bases. In the employment context, four typically apply:
Legitimate interests is the most flexible basis, but it requires a three-part test:
1. Identify a legitimate purpose (efficient team management, security)
2. Demonstrate that sharing is necessary to achieve it
3. Balance business needs against employee privacy rights
Document this assessment for each type of sharing.
Legal obligation applies where a statute requires the disclosure, so no balancing against privacy concerns is needed. Sharing data for HMRC compliance, health and safety reporting, or tribunal proceedings falls here.
Contractual necessity applies directly where sharing is needed to perform the employment contract, such as processing wages or arranging benefits.
Vital interests covers genuine emergencies threatening life. A colleague’s heart attack justifies informing emergency contacts. Curiosity about their medical conditions does not.
Compliance requires active management, not just good intentions.
Employee handbooks should detail what information managers can access and under what circumstances. Don’t leave interpretation to individual judgment.
Annual training for anyone with access to employee records reduces the risk of accidental breaches. Cover confidentiality obligations, secure communication methods, and how to handle requests for information.
Issue privacy notices at the start of employment and update them when practices change. Specify internal recipients, retention periods, and employee rights.
For each internal sharing category, record your legal basis and reasoning. This protects you during ICO investigations and subject access requests.
Role-based access means HR systems only show each user the fields their role needs, rather than granting whole-record access and trusting people not to look. Audit trails track who viewed which records and why, which also lets you answer a subject access request asking who has seen someone’s file. Encryption protects data in transit and at rest.
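The following is an added example, not code from the original article or from any HR product. It shows field-level need-to-know filtering of the kind described above and in the earlier point that a recruitment admin doesn’t need disciplinary records and a receptionist shouldn’t see salary details: each role sees only its permitted fields, every access must state a purpose and is written to an audit trail, and the trail can be queried per employee for a subject access response or to review who has viewed special category data. The employee record, the role names, and the field names are constructed assumptions for illustration.

```python
"""Added example (not from the original article): field-level need-to-know
filtering for an HR record store, with an audit trail that can be produced
in response to a subject access request. All names, roles and records are
constructed assumptions for illustration."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed employee record. Every field name here is an assumption.
EMPLOYEES = {
    "E1001": {
        "name": "A. Example",
        "job_title": "Analyst",
        "work_email": "a.example@corp.example",
        "office_location": "Leeds",
        "attendance": ["2024-03-04: absent", "2024-03-05: absent"],
        "salary": 41000,
        "disciplinary": "Verbal warning 2023-11 (timekeeping)",
        "oh_recommendations": "Phased return over two weeks; no lone working",
        "health_diagnosis": "Back injury",    # special category data
        "union_membership": "Member",         # special category data
    },
}

# Fields each role may see. Anything not listed is withheld: the recruitment
# admin never sees disciplinary records, the receptionist never sees salary,
# and the line manager sees OH recommendations but not the diagnosis.
ROLE_FIELDS = {
    "receptionist": {"name", "job_title", "work_email", "office_location"},
    "recruitment_admin": {"name", "job_title", "work_email"},
    "line_manager": {"name", "job_title", "attendance", "oh_recommendations"},
    "hr_caseworker": {"name", "job_title", "attendance", "disciplinary",
                      "oh_recommendations"},
    "payroll": {"name", "salary"},
    "occupational_health": {"name", "job_title", "oh_recommendations",
                            "health_diagnosis"},
}

SPECIAL_CATEGORY = {"health_diagnosis", "union_membership"}


@dataclass
class AuditEntry:
    when: str
    user: str
    role: str
    employee_id: str
    purpose: str
    fields: tuple


AUDIT_LOG: list[AuditEntry] = []


def view_record(user: str, role: str, employee_id: str, purpose: str) -> dict:
    """Return only the fields `role` is permitted to see and log the access.
    A blank purpose is refused: every disclosure must be traceable to a need."""
    if not purpose.strip():
        raise PermissionError("access must state a purpose")
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"unknown role {role!r}")
    record = EMPLOYEES[employee_id]
    visible = {k: v for k, v in record.items() if k in allowed}
    AUDIT_LOG.append(AuditEntry(
        when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        user=user, role=role, employee_id=employee_id, purpose=purpose,
        fields=tuple(sorted(visible)),
    ))
    return visible


def access_log_for(employee_id: str) -> list[dict]:
    """Entries to include in a subject access response: who saw what, and why."""
    return [asdict(e) for e in AUDIT_LOG if e.employee_id == employee_id]


def special_category_exposure(employee_id: str) -> list[tuple[str, str]]:
    """(user, field) pairs where special category data was viewed; handy for
    a periodic access review."""
    return [(e.user, f) for e in AUDIT_LOG if e.employee_id == employee_id
            for f in e.fields if f in SPECIAL_CATEGORY]


if __name__ == "__main__":
    print(view_record("rec01", "recruitment_admin", "E1001", "vacancy shortlisting"))
    print(view_record("mgr07", "line_manager", "E1001", "implement OH adjustments"))
    for entry in access_log_for("E1001"):
        print(entry)
```

The design point is that the allow-list lives in one place and defaults to deny, so adding a new role means deciding explicitly which fields it needs; the audit entry records the purpose given at the time, which is what you would need to show the ICO that a disclosure was necessary and not casual browsing.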
Annual audits identify drift between documented policies and actual practice. New systems or restructures require fresh assessment.
The risks of non-compliance are substantial.
Fines can reach £17.5 million or 4% of global annual turnover, whichever is higher. Even a small business faces proportionate penalties plus the cost of remediation.
Employees who improperly share colleagues’ data may face disciplinary procedures. This includes gossiping about salary details or forwarding sensitive information without authorisation.
Data breaches damage business reputation and workplace culture. Trust, once lost, is difficult to rebuild.
Beyond data protection, sharing confidential employee information may breach the implied duty of trust and confidence in employment contracts. This can support constructive dismissal claims.
Some situations require specialist input.
Where multiple departments or systems interact, or where sharing serves unusual purposes, seek legal advice before implementation.
Large employers or those processing sensitive data at scale should appoint a data protection officer. Even small employers benefit from designated responsibility for compliance.
Data protection impact assessments become mandatory for processing likely to result in high risk to individuals. Systematic monitoring or large-scale processing of special category data typically triggers this requirement.
Employers can share an employee’s personal information with other employees in the UK only if there’s a lawful basis, the sharing is necessary, and the employee has been informed. Follow the UK GDPR and the Data Protection Act 2018, limit access to those who need it, document your decisions, and maintain clear policies to protect employee rights, stay compliant, and avoid fines or legal claims.
Access to grievance information should be limited to those directly involved in the process or its supervision. A grievance against one manager shouldn’t be shared with their peers for casual discussion. Need-to-know applies strictly.
WhatsApp provides end-to-end encryption, which protects messages in transit from third parties, but it does nothing to control what group members do with the content. Personal data in group messages can be screenshot, forwarded, or retained on the devices of people who have left the team or the company, and the employer has no audit trail of who saw it. Use controlled internal systems for sensitive data.
If vital interests are engaged, that is, a genuine emergency threatening life, sharing contact details with emergency services or key personnel is permitted. Routine business continuity doesn’t qualify; use work contact information where possible.