The act applies to anyone who handles, or has access to, information about individuals. It also gives rights to the people the information is about.
Data protection applies at all levels in PCS. Wherever data is held, whether it is branch records, e-mails or local membership records, the rights of the individual to privacy and access apply.
We are all individually responsible for complying with the data protection legislation when we are using personal data.
If we do not comply, the information commissioner can take enforcement action against PCS and/or the individual.
It is important to recognise that the data protection principles apply at all levels within the union.
Wherever data is held, whether it is branch records, e-mails or local membership records, the rights of the individual are the same, and this includes access. So be aware of the possible pitfalls and consider in the first instance if there is a need to retain information.
We must all seek to raise the level of awareness across the whole union and you are encouraged to discuss and consider the act within your own group.
Special attention should be paid to what you would do if a member requests any information you hold on that member.
Pay particular attention to personal cases and records, ensuring that any information held, in whatever medium, is secure and only available to authorised individuals, and that when records are no longer required they are disposed of in a secure manner.
In an election, information on members’ names and addresses, which are covered by the Data Protection Act, must not be used without the specific authority of the union and consent of the individual.
If you have any queries please contact the data protection officer - Jim Doran on 0141 548 5083 or email Jimdoran@pcs.org.uk
It is a law that protects personal privacy and upholds individuals' rights.
Yes. The Data Protection Act 1998 applies to anyone who handles, or has access to, information about individuals.
The act also gives rights to the people the information is about. By law, everyone in the workplace must follow the rules set out in the act and help to protect individuals' rights.
The act helps to make sure that the information held on computers and in some paper-based systems is managed properly.
You must protect personal information by following the eight principles of good practice.
Anyone who handles personal information as part of their job must follow the Act. The Act applies to employers and employees.
To understand the principles of the act, you need to know what the main terms mean.
The act is based on eight data protection principles, or rules for 'good information handling'.
In summary the data must be:
The following explains these principles in more detail:
Personal data must be processed fairly and legally.
'Processing' applies to all uses of data from collecting and storing data, to retrieving, organising and destroying it.
There are two main conditions of this first principle. Either the data subject must give their permission, or the processing is necessary for legal or contractual reasons.
For data to be processed 'fairly' the data subject should know who the data controller is, why the data is being processed and any other necessary information, such as the likely consequences of the processing. Individuals must not be deceived or misled as to why the information is needed.
For data to be processed 'legally' it must not lead to any kind of discrimination, and should not go against other laws such as the Human Rights Act 1998.
Personal data must only be obtained for specified and legal purposes, and must only be processed in a way that is consistent with the specified purpose.
Data controllers and data users must not collect and use data unless there is a specific and valid reason for doing so.
The data subject must be told what the information will be used for; personal data collected for one reason must not be used for any other, unrelated, purpose.
Personal data must be adequate, relevant and not excessive for the purpose for which it is processed.
Only data needed for the specific purpose should be asked for or recorded. Information that is not relevant for the purpose must not be collected simply because it might be useful in the future.
For example, job application forms should not require details that only successful applicants need to give, such as National Insurance numbers.
Likewise, when filling in forms about members, staff, customers, patients or other data subjects, you should only record relevant information, not personal remarks. These comments would have to be disclosed if somebody asks to see their personal information.
Personal data must be accurate and, where necessary, kept up to date.
Incorrect and misleading data is 'inaccurate'. Data users should record data accurately and take reasonable steps to check the accuracy of information they receive from data subjects or anybody else.
Data controllers should 'spring-clean' all storage systems to destroy inaccurate and out-of-date information, and correct inaccurate records.
Personal data processed for any purpose must not be kept for longer than is necessary to fulfil that purpose.
Organisations will need to keep some data on current and past employees in order to respond to enquiries from a new employer or from the Inland Revenue. Other types of personal data may not be relevant for future purposes and should not be kept for longer than is necessary.
An example of out-of-date personal data would be recruitment records of unsuccessful candidates that are kept for more than four months after a post has been filled.
Personal data must be processed in line with the data subject's rights.
The rights of individuals are central to this principle. These rights include the following:
Exceptions: There may be situations in which these rights do not apply. For example, individuals do not have the right of subject access if it affects the way crimes are detected or taxes are assessed.
Appropriate security measures must be taken to protect against unauthorised or illegal data processing.
Data controllers must make sure that security controls are in place and are followed. These may be technical (for example, relating to computer systems), or organisational (for example, management structures and physical layout of workplaces). Only employees who need to use personal data to carry out their work should have access to that data.
Transferring personal data outside the European Economic Area (EEA) is restricted unless the rights and freedom of data subjects are protected. Some countries outside Europe do not have the same legal requirements to protect information.
The eighth principle means your employer or data controller must take steps to make sure personal data that is transferred outside the EEA is secure.
Data security within PCS means guaranteeing the confidentiality, integrity and availability of data.
Security requirements within PCS are being identified and we will establish procedures for good working practice. Measures which you can take now include:
Yes, provided they are relevant and obtained for specified and legal purposes. Branch records would come under this category.
Only data needed for the specific purpose should be collected and recorded. Data cannot be collected for a possible future use.
It is essential that all information, including computer records, is only available to those who need access to carry out their work. Files should be locked away when not in use and computer records secured by means of a password-accessed screen saver.
Not unless the member has given permission to do so.
Yes, a member is entitled to request to see any personal details held.
No, a member is entitled to see all records kept of their personal information, providing they are reasonably accessible and do not contain personal details of another individual. This can include such things as personal details, employment details or even any emails held on the system.
Yes, membership lists will still be available; however greater care must be taken to ensure that any use of the list complies with the Act.
No, this information is not considered ‘sensitive personal data’ so should be available from employers.
Personal cases are legitimate business of the union instigated by the member. However, where there is a necessity to disclose personal information to a third party as a result of the case, permission must be given by the member.
Formal retention policies for the various types of data will be issued shortly. Once the retention period has expired, the data must be destroyed or depersonalised.