Free Word download β’ Edit online β’ Save & share with Drive β’ Export to PDF
A Privacy Policy and Code of Conduct is a combined organizational policy document that establishes two complementary governance frameworks in a single reference: how the business collects, uses, stores, and protects personal data, and what behavioral and ethical standards apply to every employee, contractor, and representative acting on behalf of the organization. Rather than maintaining two separate policy documents that employees track inconsistently, combining them creates a unified source of truth that is easier to distribute, acknowledge, and enforce. The document typically covers data collection disclosures, retention schedules, workplace conduct standards, anti-harassment provisions, conflict-of-interest rules, confidentiality obligations, and a disciplinary process β all grounded in a statement of the company's core values.
Operating without a documented privacy policy and code of conduct exposes a business on multiple fronts simultaneously. Regulators in the EU, California, Canada, and dozens of other jurisdictions require organizations that handle personal data to publish clear disclosure of their data practices β and the absence of a policy is itself a compliance violation, independent of any actual data misuse. On the conduct side, without written standards and a documented disciplinary process, enforcing behavioral expectations becomes a credibility contest that courts and employment tribunals consistently resolve in the employee's favor. Enterprise clients, government contracts, and many grant programs require a documented policy as a condition of engagement, making the absence of one a direct revenue barrier. This template gives you the complete structural framework β from data inventory disclosures to disciplinary procedures β so you can deploy a compliant, enforceable policy in hours rather than weeks.
| If your situation is⦠| Use this template |
|---|---|
| Publishing a standalone data privacy notice on a consumer-facing website | Website Privacy Policy |
| Setting behavioral expectations solely for employees and contractors | Employee Code of Conduct |
| Defining ethical standards for board members and executives | Code of Ethics |
| Governing third-party vendor access to company data | Data Processing Agreement |
| Outlining remote work behavior and data security expectations | Remote Work Policy |
| Documenting acceptable use of company IT systems and devices | Acceptable Use Policy |
| Establishing a full internal policy manual for a growing company | Employee Handbook |
Why it matters: Another company's policy reflects their data practices, jurisdiction, and legal counsel β not yours. Using it exposes you to misrepresentation claims if the stated practices don't match your actual operations.
Fix: Use a template as a structural starting point, then customize every data category, retention period, and conduct standard to reflect what your organization actually does.
Why it matters: A policy employees never formally acknowledged is nearly impossible to enforce. In disputes, employees routinely claim they were never informed of a rule.
Fix: Require a signed or electronic acknowledgment at hire and after every material policy update, and retain those records in the employee's file for the duration of employment plus the applicable records-retention period.
Why it matters: Payroll records, health data, tax filings, and customer purchase history each have different statutory minimums in most jurisdictions β a single blanket period will violate at least one of them.
Fix: Create a retention schedule organized by data category, with the applicable law or regulation cited for each period.
Why it matters: Without explicit protection for reporters, employees stay silent about misconduct β and the company faces far larger legal exposure when problems escalate.
Fix: Add a clear, standalone non-retaliation statement in both the anti-harassment and disciplinary sections, and include it in the acknowledgment employees sign.
Why it matters: Privacy laws, employment regulations, and business practices change. A policy that was accurate in 2021 may misrepresent current practices or fail to meet current legal requirements.
Fix: Schedule an annual policy review β calendar it as a recurring task β and trigger an immediate review whenever you adopt new data-collection technology, expand to a new jurisdiction, or experience a data incident.
Why it matters: Phrases like 'appropriate action will be taken' give managers no guidance and expose the company to inconsistent enforcement claims and wrongful-termination challenges.
Fix: Spell out each stage of the disciplinary process with enough specificity that any manager could apply it consistently β including the circumstances that justify skipping steps and going straight to termination.
List every group covered by the policy β full-time employees, part-time employees, contractors, consultants, board members, and any vendors with access to company data or premises. Insert this list into the scope section.
π‘ If a class of worker is not explicitly named in the scope, a court or regulator may find the policy does not apply to them β name everyone.
Map every data category you hold: employee records, customer contact data, payment information, website analytics, and any health or biometric data. Enter each category with its source and stated purpose into the data collection section.
π‘ A simple spreadsheet with columns for data type, source, purpose, and retention period makes this step much faster and doubles as a data inventory for future audits.
Research the statutory minimums for each data type in your jurisdiction β payroll records, tax records, and employment files each carry different requirements. Enter the specific period and deletion method for each category.
π‘ When in doubt, match your retention period to the applicable statute of limitations for employment or contract claims in your jurisdiction β this protects you from both over-retention and premature deletion.
Adapt the default conduct language to reflect your actual work environment β remote-first, in-office, or hybrid. Add any industry-specific rules (e.g., client interaction protocols, social media restrictions for regulated industries).
π‘ If your team works across time zones, add a specific clause about communication response-time expectations β this prevents a common source of conduct disputes in distributed teams.
Include every characteristic protected under the employment laws of your jurisdiction β race, gender, age, religion, disability, sexual orientation, national origin, and any others required locally. Insert the specific reporting contact or channel.
π‘ Name a backup reporting contact in case the primary contact is the subject of the complaint β this is required in several jurisdictions and is simply good practice everywhere.
Specify the form or written method for disclosing conflicts, the role who receives disclosures, and the timeframe for review and response. Insert these details into the conflict-of-interest section.
π‘ Require annual re-disclosure β not just disclosure at hire β because conflicts develop over time as employees take on outside work or personal relationships change.
Insert your specific security requirements: password standards, multi-factor authentication requirements, encryption standards for devices and file sharing, and the breach-reporting timeline.
π‘ Reference your IT acceptable-use policy or security handbook by name rather than duplicating all technical requirements here β it keeps the conduct policy readable and avoids conflicts when technical standards change.
Share the finalized document with all covered parties and collect a signed or electronic acknowledgment confirming they have read and understood it. Store acknowledgments in each employee's file.
π‘ Re-distribute and collect fresh acknowledgments every time you make a substantive policy change β an outdated acknowledgment on file provides no protection if the employee claims they were unaware of the current version.
A privacy policy and code of conduct is a combined operational policy document that addresses two related governance needs: how the organization collects, uses, and protects personal data, and what behavioral and ethical standards apply to everyone who works for or with the organization. Combining them in one document is common for small and mid-sized businesses that want a single reference point for employees and a single disclosure for regulators or clients.
In many jurisdictions, yes. Businesses that collect personal data from consumers or employees are typically required to publish a privacy policy under laws such as GDPR (EU), CCPA (California), PIPEDA (Canada), and sector-specific rules in healthcare and financial services. The specific requirements β what must be disclosed, how prominently, and in what language β vary by jurisdiction and the volume and type of data collected. Even where not strictly required, a documented privacy policy is considered baseline practice for any organization handling third-party data.
Signing is not universally required by law, but obtaining a written or electronic acknowledgment is strongly recommended. A signed acknowledgment creates evidence that the employee received and understood the policy, which is critical when enforcing disciplinary action or defending an employment claim. Most employment lawyers advise collecting acknowledgments at hire and after every material update to the document.
A code of conduct sets specific, operational rules for behavior β what employees may and may not do in defined situations. A code of ethics states the broader values and principles that guide decision-making when no specific rule applies. In practice, many organizations use the terms interchangeably or combine both into a single document. When they are separate, the code of ethics typically applies to all stakeholders while the code of conduct is addressed specifically to employees and contractors.
At minimum, review the document annually and update it whenever you adopt new data-collection technology, expand operations to a new jurisdiction, experience a data breach, or change your business model in ways that affect how you handle personal data. Privacy laws in particular change rapidly β a policy that was compliant in 2022 may be materially deficient today. Each update should be communicated to all covered parties with a fresh acknowledgment collected.
Yes, and it is a practical approach for most small and mid-sized organizations. Combining both in one document reduces the number of policies employees must track, ensures consistency between data-handling obligations and conduct expectations, and simplifies distribution and acknowledgment collection. Larger organizations with complex regulatory environments may prefer to maintain separate documents so each can be updated independently without triggering a full re-acknowledgment of the other.
At minimum: a statement of company values, workplace conduct standards, anti-harassment and non-discrimination provisions with a reporting mechanism, conflict-of-interest disclosure requirements, confidentiality obligations, acceptable-use rules for company systems, and a disciplinary procedure with a non-retaliation clause. Industry-specific rules β financial trading restrictions, patient confidentiality, export controls β should be added as applicable.
The disciplinary section of the policy governs the response. A well-drafted policy uses a progressive discipline model β verbal warning, written warning, suspension, termination β with provisions for skipping steps in cases of serious misconduct such as fraud, harassment, or data theft. Consistent enforcement is essential: applying the policy differently to different employees for similar violations creates wrongful-termination and discrimination exposure.
Yes, if the policy's scope section names them β and it should. Contractors and freelancers who access company data, interact with clients, or represent the brand create the same compliance, reputational, and data-security risks as employees. Include them explicitly in the scope, require them to acknowledge the policy at the start of each engagement, and incorporate the obligation by reference in their service agreements.
An employee handbook is a comprehensive reference document covering all HR policies β onboarding, benefits, leave, performance management, and more. A privacy policy and code of conduct is a focused subset covering data practices and behavioral standards. Most organizations embed the code of conduct within the handbook but maintain the privacy policy as a standalone document for regulatory disclosure purposes.
An NDA is a bilateral legal contract creating enforceable confidentiality obligations between specific named parties. A code of conduct's confidentiality section sets a general internal policy standard but is not a substitute for a signed NDA when protecting specific sensitive information shared with a contractor, partner, or potential investor.
An employment contract establishes the binding legal terms of the individual employment relationship β compensation, IP assignment, termination, and non-compete. A code of conduct sets organization-wide behavioral standards that apply to all staff. Both are needed: the contract governs the individual relationship; the code governs collective conduct. They should reference each other but not duplicate provisions.
An acceptable use policy focuses specifically on how employees may use company-owned technology systems, devices, and networks. A privacy policy and code of conduct is broader β it covers data practices, workplace behavior, harassment, conflicts of interest, and ethics. The acceptable use policy is typically incorporated by reference into the code of conduct rather than maintained as a completely separate standalone document.
Data handling disclosures must cover product telemetry, user analytics, and third-party API integrations in addition to standard HR data; acceptable-use provisions frequently address AI-tool usage and source-code confidentiality.
HIPAA-aligned data handling obligations, patient data access restrictions, and mandatory breach-notification timelines must be explicitly incorporated alongside standard conduct provisions.
Conflict-of-interest and personal trading restrictions are heavily regulated; the policy must address insider information handling, client data confidentiality, and anti-bribery obligations under applicable financial regulations.
Client confidentiality provisions are central; conflict-of-interest rules must address simultaneous client engagements, and acceptable-use policies should cover client-facing communication and document-handling standards.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Small businesses, startups, and teams under 50 people that collect standard business and HR data in a single jurisdiction | Free | 2β4 hours |
| Template + professional review | Companies operating in multiple jurisdictions, handling sensitive data categories, or subject to industry-specific regulations such as HIPAA or FINRA | $300β$800 for a compliance consultant or employment lawyer review | 3β5 business days |
| Custom drafted | Enterprises with complex data flows, regulated industries, or international operations requiring jurisdiction-specific policy variants | $1,500β$5,000+ | 2β4 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Start freeΒ Β·Β No credit card required
