In a TUPE situation is the transferor required to obtain its employees' consent before passing on information about them to the transferee?

No, the transferor is not required to obtain its employees' consent to disclose information about them in the context of a TUPE transfer, although it must ensure that it has a legal basis for passing on the information under the UK General Data Protection Regulation (retained from EU Regulation 2016/679 EU) (UK GDPR).

Wherever practicable, the transferor should ensure that information about employees is anonymised before it is passed to the transferee. Provided that individual employees cannot be identified, the UK GDPR will not apply.

Under the Transfer of Undertakings (Protection of Employment) Regulations 2006 (SI 2006/246), the transferor has a legal obligation to disclose certain "employee liability information" to the transferee prior to completion of the transfer, including the identity of the transferring employees. As there is a legal obligation to provide this information, data protection rules will not prevent the employer passing it on without anonymisation.

To the extent that the transferor provides information over and above the employee liability information, that is not anonymised, it must ensure that it has an alternative legal basis under the UK GDPR to process the data. The most relevant basis in this context is likely to be that processing is necessary for the purposes of the legitimate interests pursued by the data controller (in this case the transferor) or by a third party (the transferee). The transferor should obtain formal assurances from the prospective transferee with regard to the use and safekeeping of the information and its return or destruction if the transfer does not proceed.

The employer should provide the employees with a privacy notice informing them that it is transferring their personal data to the transferee (unless the data is anonymised).