Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, it’s normal for workplace conversations to overlap with people management.
A team member asks why their colleague is off. Someone wants to know whether a new hire is “any good”. A supervisor vents (a little too loudly) about a performance issue. Before you know it, you’re dealing with gossip, resentment, and a potential data protection headache.
So, can managers discuss employees with other employees in the UK?
The short answer is: sometimes, but only when there’s a clear business reason and you handle information carefully. This is exactly where small businesses can get caught out - because the line between legitimate management communication and an inappropriate or unlawful disclosure isn’t always obvious in the moment.
Below, we’ll break down how to approach managers discussing employees with other employees in a practical, compliant way - with a focus on confidentiality, UK GDPR and keeping your workplace culture healthy.
When Is It OK For Managers To Discuss Employees With Other Employees?
As an employer, you can’t realistically run a business if managers never discuss employees with anyone else. People management often requires sharing some information:
- to allocate work and manage operational coverage
- to address team conflict and maintain standards
- to investigate misconduct or complaints
- to support training, supervision and performance management
The key is that any discussion should be:
- necessary for a legitimate business purpose
- limited to what the listener genuinely needs to know
- respectful, factual, and not speculative
- consistent with your internal policies and the expectations you set
Common Scenarios Where Limited Sharing May Be Justified
Here are some situations where managers discussing employees with other employees can be appropriate, provided you keep it tight and role-based:
- Shift planning / cover: “Sam is off today, please send customer queries to Alex.” (Avoid disclosing why.)
- Work allocation: “Jordan is leading this project now - route technical questions through them.”
- Supervision: A line manager briefing a team leader about what to monitor on a shift.
- Safety and risk: If someone is not authorised to do a task or must follow a specific process (say that, without sharing personal background).
- Investigation support: Asking witnesses what happened during a specific incident.
Scenarios That Are High-Risk (Or Usually Not OK)
These are the situations most likely to create legal risk and workplace fallout:
- Sharing health information (including mental health), even informally
- Explaining absence reasons beyond “they’re unavailable”
- Discussing disciplinary outcomes with people who aren’t involved
- Talking about performance issues as gossip or “warnings” to the team
- Sharing personal issues (family problems, financial problems, relationship issues)
- Speculating (“I think they’re faking it”, “they’re probably getting fired”)
A good rule of thumb: if the conversation would embarrass the employee if it got back to them, stop and rethink what you’re saying (and why you’re saying it).
What Are The GDPR And Data Protection Risks?
Even if your intention is “just keeping the team informed”, employee information is still personal data. That means the UK GDPR and the Data Protection Act 2018 can apply.
Personal data isn’t just names and addresses. In an employment context, it can include:
- performance notes
- disciplinary records
- attendance and lateness details
- complaints and grievances
- pay (and sometimes even pay ranges, depending on context)
- anything that identifies someone and says something about them
“Special Category Data” Needs Extra Care
Some information is especially sensitive under UK GDPR, including:
- health and medical information
- trade union membership
- racial or ethnic origin
- religion or beliefs
- sexual orientation
This sort of information should generally only be shared where there’s a clear need-to-know reason, it’s handled securely, and you’re confident you have an appropriate UK GDPR basis (and, where required, an additional condition) for processing and disclosure.
If you’re setting the foundations of your compliance, having a properly drafted Privacy Policy (and internal employee privacy information) is a sensible step so your team understands how personal data is handled in practice.
“Need To Know” Is The Operational Standard
When managers discuss employees with other employees, you should be able to justify:
- Why that employee’s information had to be shared
- What information was shared (and whether less would have done the job)
- Who it was shared with (and why they needed it)
- How it was shared (private chat vs open floor; email vs public channel)
It’s also worth remembering that “workplace gossip” isn’t only a culture issue - it can turn into a data breach issue if personal details are being circulated casually.
Monitoring And Evidence: Be Careful About The Tool, Too
Some businesses try to prevent gossip by monitoring internal communications or internet use. Monitoring can be lawful in the right circumstances, but in the UK it generally needs a clear purpose, to be necessary and proportionate, and to be done transparently (for example, through appropriate policies and privacy information).
For example, if you’re considering internet or device checks, your approach should align with your policies and data protection obligations - and you’ll want to understand the risks around internet monitoring before you roll anything out.
Similarly, if you use CCTV to manage security or behaviour issues, make sure you’ve thought through the compliance angles - especially around signage, access, retention, and proportionality - as CCTV at work raises its own workplace surveillance risks.
What Counts As Confidential Workplace Information?
Not all employee-related information is confidential in the strict legal sense, but in day-to-day HR management, it’s safest to treat most employee information as confidential unless there’s a clear reason not to.
In a small business, confidentiality typically comes from a few places:
- Employment contracts (express confidentiality clauses)
- Workplace policies (confidentiality, data protection, disciplinary rules)
- Implied duties (employees generally owe duties of trust and confidence)
- Data protection law (personal data must be processed lawfully and fairly)
If you haven’t already formalised it, having a clear Confidentiality policy is one of the most practical ways to reduce confusion - especially where junior managers or supervisors are involved.
Examples Of “Confidential” Employee Information
In practice, these are common categories you should treat as confidential and only share on a strict need-to-know basis:
- Disciplinary issues: warnings, investigations, allegations, outcomes
- Performance concerns: capability issues, errors, supervision notes
- Grievances and complaints: who complained, what was said, witness statements
- Pay and benefits: individual salary, bonus decisions, deductions
- Medical and wellbeing information: fit notes, diagnoses, adjustments
- Family and personal circumstances: childcare emergencies, relationship breakdowns
“But The Team Wants To Know” Isn’t A Legal Basis
This is where many employers get stuck. Your team might feel it’s “only fair” to know why a colleague is off sick, why someone’s suddenly on different duties, or whether someone is being disciplined.
Even if the curiosity is understandable, it rarely creates a lawful or appropriate reason to disclose the details.
Instead, aim for simple, consistent messaging like:
- “They’re away from work at the moment. We’ll let you know if there are any operational changes.”
- “We can’t comment on personal matters, but we’ve made a plan for coverage.”
- “That’s being handled through the appropriate process.”
How Can You Reduce Gossip And Stay Legally Compliant?
The goal isn’t to make your workplace silent or robotic. It’s to stop casual information-sharing from turning into a legal risk and a culture problem.
Here are practical steps you can put in place from day one (or as soon as you can).
1) Set Clear “Manager Communication” Rules
Most confidentiality breaches happen because managers aren’t sure what they can say - so they say too much, too quickly.
Consider training managers on:
- what counts as personal data
- how to handle questions about sickness absence
- how to speak about performance issues professionally
- how to avoid “off the record” chats that aren’t actually off the record
2) Use A Proper Process For Performance And Capability Issues
When performance is slipping, a manager might feel pressure to “warn the team” or justify decisions by sharing private details.
This is where a structured process protects you. If you need a formal plan, a Performance Improvement Plan can help keep conversations contained, consistent, and fair - rather than turning into corridor commentary.
3) Tighten Up Access To HR Information
In small businesses, HR records can be scattered: shared inboxes, spreadsheets, open folders, WhatsApp messages, and personal phones.
To reduce risk:
- limit HR record access to specific roles (not “everyone who’s a supervisor”)
- use separate folders with permissions for disciplinary/grievance material
- avoid sending sensitive details in group chats
- keep meeting notes factual and professional
4) Be Consistent With Workplace Surveillance And Monitoring
If you investigate gossip or leaks, you might be tempted to check messages, emails, browsing history, or CCTV.
You can’t do this safely without clear rules and transparency. In many businesses, this sits within an acceptable use policy and privacy information, so your team understands what is (and isn’t) monitored.
It can feel awkward to implement, but it’s much easier than trying to justify ad hoc monitoring after a complaint has already landed on your desk.
What Should You Do If A Confidentiality Breach Or Gossip Complaint Happens?
Even with strong policies, issues still happen - especially during stressful periods like restructures, long-term sickness, or performance management.
If you think a manager has shared too much, or an employee complains about being discussed, you’ll usually want to act quickly but calmly.
Step-By-Step: A Practical Response Plan
- Contain the issue: ask the manager to stop discussing the matter and avoid further messages or emails about it.
- Record what you know: who said what, to whom, where, and when. Stick to facts.
- Assess whether it’s a data breach: was personal data disclosed unnecessarily? Was special category data involved?
- Speak to relevant witnesses: keep questions neutral, avoid leading questions, and don’t spread the information further.
- Consider employee impact: reputational harm, distress, team relationships, and any knock-on wellbeing concerns.
- Take proportionate action: training, management instruction, policy refresh, or (where serious) formal disciplinary steps.
Don’t Forget Subject Access Request (SAR) Risk
When workplace gossip involves written messages (email, Slack/Teams, texts), employees sometimes respond by making a Subject Access Request to see what’s been said about them.
This can be time-consuming if your data is messy - and it can expose informal comments that you wouldn’t want a tribunal (or your whole team) reading later.
It’s worth ensuring you know your obligations around a Subject Access Request and have a workable process in place before you need it in a hurry.
Be Alive To Wider Employment Law Risks
Workplace gossip and oversharing aren’t just a GDPR issue. They can spill into:
- grievances (bullying, harassment, unfair treatment)
- discrimination claims (particularly if health, pregnancy, religion, disability or other protected characteristics are discussed)
- constructive dismissal risk (if an employee feels trust and confidence has broken down)
- unfair dismissal risk (if you act inconsistently or without a fair process)
Also, if someone accidentally shares confidential information (for example, forwarding an email chain or copying in the wrong person), treat it seriously and respond consistently - these incidents can escalate quickly if not managed well. A useful reality check is how outcomes can play out when someone shares confidential material at work, including in cases such as sending confidential information.
Key Takeaways
- In the UK, managers can discuss employees with other employees when there is a clear operational reason and the disclosure is limited to what’s necessary.
- Employee information is often personal data, and sharing it casually can trigger UK GDPR and Data Protection Act 2018 risks - especially for health information and other special category data.
- A “need-to-know” approach is usually the safest standard: share the minimum required, with the fewest people required, for the shortest time required.
- Confidentiality should be reinforced through clear policies and training, particularly for supervisors and first-time managers.
- Using structured HR processes (like a Performance Improvement Plan) helps prevent private matters becoming public conversations.
- If gossip or oversharing happens, move quickly to contain it, document facts, assess data protection impact, and handle it through a fair and consistent process.