Updated: June 2026
Employers in the UK can share an employee’s personal information with other employees, but only when there is a lawful basis under UK data protection law. Every internal disclosure must be necessary, proportionate, and transparent to the affected individual. This guide covers when sharing is permitted, what protections employees have, and how UK businesses stay compliant.
Sharing employee personal data is lawful when three conditions are met: there is a valid legal basis under the UK GDPR, the disclosure is necessary for that purpose, and the employee has been informed through a privacy notice. The same test applies whether you’re forwarding an email to a colleague or giving a manager access to performance records.
Under the UK GDPR and the Data Protection Act 2018, employers as data controllers must have a lawful basis before sharing any personal data. Four bases cover most employment situations:
• It’s needed to fulfil the employment contract, such as payroll data sent to finance
• A legal obligation requires it, such as reporting to HMRC or pension providers
• The business’s legitimate interests outweigh the employee’s privacy rights
• Vital interests are at risk, such as in a genuine life-threatening emergency
Consent is rarely the right basis in employment. The power imbalance between employer and employee means consent given in a workplace context is unlikely to be freely given. Most employers rely on legitimate interests or contractual necessity instead.
The UK GDPR and the Data Protection Act 2018 set the legal framework for all employee data processing, including internal sharing. As a data controller, an employer is directly accountable to the Information Commissioner’s Office for every sharing decision made about employee personal data.
When you collect employee data, you determine why and how it is processed, which makes you a data controller with direct ICO accountability. Core obligations include:
• Processing data lawfully, fairly, and transparently
• Collecting only what’s adequate, relevant, and necessary
• Keeping records accurate and up to date
• Retaining data no longer than required
• Implementing appropriate security measures against data breaches
Health information, trade union membership, religious beliefs, and ethnic origin are special category data under Article 9 of the UK GDPR. Sharing this type of information internally requires an additional Article 9 condition – typically the employment law condition in Article 9(2)(b), which in the UK also requires an appropriate policy document under Schedule 1 of the Data Protection Act 2018 – on top of a standard Article 6 lawful basis. If an employee’s sickness absence relates to a medical condition, you cannot share the condition or its details in a team email: colleagues may need to know that the person is absent, not why. Access must be restricted to those with a genuine need to know.
The ICO recognises that workplaces need data flows between HR departments, managers, and payroll providers. Employers are expected to document their lawful basis and communicate sharing practices through clear data protection policies and privacy notices.
Most internal sharing follows predictable patterns: disciplinary matters are passed to line managers, medical information is used for health and safety adjustments, contact details are used for business continuity, and performance records are used for promotion decisions. Each scenario has its own rules about what can be disclosed and to whom.
HR sharing disciplinary information with line managers
Where an employee faces disciplinary action, HR may lawfully share relevant information with the line manager when necessary for management or employment law purposes. Disclosure must be limited to what the manager needs to carry out their role. Circulating witness statements, medical details, or unproven allegations to uninvolved colleagues would breach the UK GDPR’s data minimisation and confidentiality requirements, particularly where special category data is involved.
Medical information for health and safety purposes
Occupational health assessments may need to reach managers to enable workplace adjustments. Share the recommendations, not the underlying medical conditions, unless specific details are genuinely required for safety.
Contact details for business continuity
Emergency rotas often require sharing mobile numbers or personal email addresses. Limit this to staff with an operational need and specify this use in your privacy notice.
Performance data for promotion committees
Internal transfers and promotions require access to performance history. Panels should work from standardised records, not informal observations or speculation about an employee’s personal life.
Basic professional information (work email addresses, job titles, reporting lines, work phone numbers, professional qualifications, and project involvement) can generally be shared internally, provided transparency requirements are met and the sharing is covered in your privacy notice.
Sharing in this category should still be documented in your records of processing activities. Employees must know their details appear in staff directories or shared calendars. Attendance patterns for scheduling and role-relevant training certifications fall into the same category: shareable for operational purposes, but documented and disclosed in advance.
Higher-sensitivity information requires a documented lawful basis, demonstrated necessity, and, in most cases, restriction to named recipients. Sharing without proper justification creates liability for a personal data breach.
Categories that require careful handling:
• Medical records and specific health conditions
• Salary, bonuses, and compensation packages
• Disciplinary actions, grievances, and HR file contents
• Personal mobile numbers and home addresses
• Trade union membership status
• Family circumstances, relationship details, or caring responsibilities
Even within HR, only share what the recipient needs. A recruitment administrator does not need disciplinary records. A receptionist should not see salary details. Before sharing anything in this category, document two answers: can the goal be achieved without sharing? Would the employee reasonably expect this use?
Four rights under UK data protection law matter most for internal sharing: the right to be informed about who receives their data, the right to access copies of it, the right to object to sharing carried out on legitimate-interest grounds, and the right to complain to the ICO if they believe sharing was unlawful.
Right to be informed
Your privacy notice must explain which roles or departments within the organisation receive employee data and why. Vague statements such as “relevant personnel” do not satisfy the UK GDPR’s transparency requirements.
Right of access
Employees can request copies of their personal data, including internal emails discussing them and, where you keep them, access logs showing who viewed their records. Employers have one calendar month to respond, which can be extended by a further two months for complex or numerous requests, provided the employee is told within the first month.
Right to object
Where sharing relies on legitimate interests, an employee can object. To continue processing, you must demonstrate compelling grounds that override the employee’s interests, particularly where the processing affects their wellbeing.
Right to complain to the ICO
Employees who believe their information was shared unlawfully can complain to the Information Commissioner’s Office. The ICO investigates, issues enforcement notices, and can impose financial penalties.
Article 6 of the UK GDPR sets six lawful bases. Four apply in most employment situations: legitimate interests, legal obligation, performance of the employment contract, and vital interests. The correct basis depends on the purpose of the sharing and the nature of the information involved.
Legitimate interests
The most flexible basis, but it requires a three-part test:
1. Identify a legitimate purpose (efficient team management, security)
2. Demonstrate that sharing is necessary to achieve it
3. Balance the business need against the employee’s privacy rights
Document this assessment for each category of sharing.
Legal obligation
Statutory requirements take precedence. Sharing data for HMRC compliance, health and safety reporting, or employment tribunal proceedings falls under this basis.
Performance of the employment contract
Where sharing is necessary to fulfil contractual duties (processing wages, arranging benefits), this basis applies directly.
Vital interests
In genuine life-threatening emergencies, sharing personal information is permitted. A colleague’s heart attack justifies informing emergency contacts. Routine business continuity planning does not meet this threshold. Use work contact details where possible.
Written policies, staff training, comprehensive privacy notices, documented lawful bases, technical access controls, and regular audits – these are the practical requirements of a compliant employee data sharing programme. Each element addresses a different failure mode.
Written policies
Employee handbooks should detail what information managers can access and under what circumstances. Left to individual judgment, sharing practices become inconsistent and legally exposed.
Staff training
Annual training for anyone with access to employee records reduces the risk of accidental breaches. Cover confidentiality obligations, secure communication methods, and how to handle requests for information.
Privacy notices
Issue these at the start of employment and update them when practices change. Specify internal recipients, retention periods, and employee rights.
Documented lawful bases
For each internal sharing category, record the legal basis and reasoning. This documentation protects you during ICO investigations and subject access requests.
Technical access controls
Role-based access means HR systems show each user only the fields their role needs, with access reviewed whenever someone changes role or leaves. Audit trails record who viewed which records and when, and should be kept long enough to answer a subject access request. Encryption protects data in transit and at rest.
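The need-to-know rule described earlier (a recruitment administrator does not need disciplinary records, a receptionist should not see salary details) and the access log that a subject access request may draw on can be enforced in the HR system itself rather than left to individual judgement. The following Python is an added example written for this article, not code from GDPRLocal or from any HR product. It uses a deny-by-default mapping from roles to readable fields, gates the Article 9 fields behind an explicitly cited Article 9 condition, and writes every decision, including refusals, to an audit trail that can be filtered per employee. The role names, field names, condition labels and the sample employee record are assumptions for illustration.

```python
"""Field-level need-to-know access for HR records (added example, not the
article's or any vendor's code). Role, field and condition names are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Role -> fields that role may read. Deny by default: a role that is not listed,
# or a field not listed under a role, is refused. (Assumed role and field names.)
ROLE_PERMISSIONS: Dict[str, frozenset] = {
    "receptionist":      frozenset({"name", "job_title", "work_email", "work_phone"}),
    "recruitment_admin": frozenset({"name", "job_title", "work_email", "qualifications"}),
    "line_manager":      frozenset({"name", "job_title", "work_email", "work_phone",
                                    "performance", "oh_recommendations"}),
    "hr_casework":       frozenset({"name", "job_title", "work_email", "work_phone",
                                    "performance", "disciplinary", "oh_recommendations",
                                    "health_condition", "union_membership"}),
    "payroll":           frozenset({"name", "work_email", "salary", "bank_details"}),
}

# Article 9 special category fields need an Article 9 condition on top of the
# role permission. The condition labels are assumed identifiers for this example.
SPECIAL_CATEGORY = frozenset({"health_condition", "union_membership"})
ALLOWED_ART9_CONDITIONS = frozenset({"art9_2_b_employment_law", "art9_2_c_vital_interests"})


@dataclass
class AuditEntry:
    when: str
    actor: str
    role: str
    subject_id: str
    fields_requested: List[str]
    fields_released: List[str]
    outcome: str      # "allowed", "partial" or "refused"
    purpose: str      # free-text purpose the caller asserted


@dataclass
class HRStore:
    records: Dict[str, Dict[str, str]]
    audit: List[AuditEntry] = field(default_factory=list)

    def read(self, actor: str, role: str, subject_id: str, fields: List[str],
             purpose: str, art9_condition: Optional[str] = None) -> Dict[str, str]:
        """Return only the fields `role` may see; log the decision either way."""
        permitted = ROLE_PERMISSIONS.get(role, frozenset())  # unknown role -> nothing
        record = self.records.get(subject_id, {})
        refused: List[str] = []
        released: Dict[str, str] = {}
        for f in fields:
            if f not in permitted:
                refused.append(f)                       # role may never see this field
            elif f in SPECIAL_CATEGORY and art9_condition not in ALLOWED_ART9_CONDITIONS:
                refused.append(f)                       # Article 9 field without a condition
            elif f in record:
                released[f] = record[f]
        outcome = "allowed" if not refused else ("partial" if released else "refused")
        self.audit.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(), actor=actor, role=role,
            subject_id=subject_id, fields_requested=list(fields),
            fields_released=list(released), outcome=outcome, purpose=purpose))
        return released

    def access_log_for(self, subject_id: str) -> List[AuditEntry]:
        """Every attempt, successful or not, to read this employee's record."""
        return [e for e in self.audit if e.subject_id == subject_id]


# Constructed sample record for one fictional employee (not real data).
SAMPLE_RECORDS = {
    "E1001": {
        "name": "A. Example", "job_title": "Analyst",
        "work_email": "a.example@corp.example", "work_phone": "+44 20 7946 0000",
        "salary": "41000", "performance": "Meets expectations",
        "disciplinary": "Written warning 2025-03",
        "oh_recommendations": "Adjustable desk; no night shifts",
        "health_condition": "Chronic back condition", "union_membership": "Member",
    }
}


def demo():
    """Run the four scenarios from the text and return results plus the subject's log."""
    store = HRStore(records=SAMPLE_RECORDS)
    front_desk = store.read("r.smith", "receptionist", "E1001",
                            ["name", "work_phone", "salary"], "front desk lookup")
    recruiter = store.read("k.jones", "recruitment_admin", "E1001",
                           ["disciplinary"], "internal vacancy shortlisting")
    hr_no_cond = store.read("m.patel", "hr_casework", "E1001",
                            ["health_condition"], "workplace adjustments")
    hr_with_cond = store.read("m.patel", "hr_casework", "E1001",
                              ["health_condition"], "workplace adjustments",
                              art9_condition="art9_2_b_employment_law")
    return front_desk, recruiter, hr_no_cond, hr_with_cond, store.access_log_for("E1001")


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Two design points matter in practice. Refusals are logged as well as successes, because a pattern of refused lookups is itself evidence of someone probing records they have no business in. And the per-employee log returned by access_log_for names the staff who accessed the record, which is their personal data too, so it needs a third-party review before it is released in response to a subject access request rather than being handed over wholesale.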
Regular audits
Annual audits identify gaps between documented policies and actual practice. New systems or restructures require a fresh assessment.
Unlawful sharing exposes employers to ICO fines of up to £17.5 million or 4% of global annual turnover, internal disciplinary proceedings against the individuals responsible, reputational damage, and potential employment tribunal claims for breach of the implied duty of trust and confidence.
ICO fines
The ICO’s maximum fine is £17.5 million or 4% of global annual turnover, whichever is higher. Smaller organisations face proportionate penalties plus the cost of investigation and remediation.
Internal disciplinary action
Employees who improperly share colleagues’ data may face internal disciplinary procedures. This includes sharing salary details or forwarding sensitive information without authorisation.
Reputational damage
Data breaches damage business reputation and workplace culture. Employees who know their personal information is not handled carefully are less likely to trust their employer.
Employment tribunal claims
Sharing confidential employee information may breach the implied contractual duty of trust and confidence. This can support a constructive dismissal claim in employment tribunal proceedings.
Get specialist input when multiple departments or systems are involved, when sharing serves legally sensitive purposes, or when processing is likely to result in high risk to individuals. Internal policies and general guidance are not enough for complex or high-stakes arrangements.
Complex sharing arrangements
Where multiple departments interact, or where sharing serves purposes outside standard HR operations, take legal advice before implementation.
Data protection officers
Appointing a data protection officer is mandatory under Article 37 of the UK GDPR where core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data; large employers in that position must appoint one. Smaller employers still benefit from designated compliance responsibility, whether in-house or outsourced.
Data protection impact assessments
Data protection impact assessments are mandatory for processing that is likely to result in a high risk to individuals. Systematic employee monitoring or large-scale processing of special category data typically triggers this requirement.
Can HR discuss disciplinary matters with other managers?
Only those directly involved in managing the process or the individual. A grievance against one manager should not be shared with peers for general discussion. The need-to-know principle applies strictly.
Are WhatsApp groups considered secure for employee information?
WhatsApp uses end-to-end encryption, which protects messages in transit but not on the devices at either end, and group chats create uncontrolled distribution. Personal data shared in group messages can be screenshot, forwarded, or remain on devices belonging to people who have left the group or the organisation, and it is still personal data you are accountable for. Use controlled internal systems for sensitive data.
Can employers share personal phone numbers in emergencies?
If vital interests are engaged (a genuine emergency threatening someone’s life), sharing contact details with emergency services or key personnel is permitted. Routine business continuity planning does not meet this threshold. Use work contact information where possible.
About the Author
Ana Mishova
Sales and Business Development Consultant — GDPRLocal
Ana focuses on helping organisations understand their compliance obligations and find the right data protection solutions. At GDPRLocal she works closely with businesses of all sizes, making GDPR and privacy compliance clear, practical, and accessible.