Read our guidance for PCS branches as the General Data Protection Regulation (GDPR) replaced the Data Protection Act on 25 May 2018.
There are some important changes which include clearer rights for the citizen.
PCS strongly supports the GDPR and work has been taking place to ensure we are fully compliant when the new regulation comes into force. Some of our systems and processes are undergoing change which will improve our data security and extend the ability of members to check and amend their membership record. The changes will also build on our existing organising capability and make new facilities available to our representatives in the workplace.
While the main processing operations within PCS are undertaken by PCS staff, group, branch and local representatives, who represent our members and access and use information from our membership database, also process our data.
Our members have a right to expect that PCS at every level will process their personal information with the required level of security and that we will do so effectively to strengthen the union and to improve communications. These guidelines are intended to help branch and local representatives in doing this.
What you need to do now
Ensure that all reps are aware of our guidance, and make data protection an agenda item at your BEC to check compliance with the guidelines as soon as possible and not later than 25 May, paying particular attention to these questions:
- Are PCS files password protected?
- Do they need to be removed from shared drives?
- Are there agreed measures to ensure secure deletion/destruction?
- Is email used securely so that no lists are visible?
Handling PCS data at branch and local level
Where we hold data at branch or local level it must be proportionate to our needs and stored securely.
Always take particular care when dealing with membership reports and other lists. Only print these if absolutely necessary, store them securely in a locked drawer, and dispose of them properly, such as by using the employer's secure destruction facility. Always password protect your files and use encryption where available.
Take particular care with the use of email. If emails are sent to groups of recipients, they will be visible to all the recipients unless the blind copy option is used.
Distribution lists must always be stored securely and cannot be made available or visible to anyone except PCS staff and the appropriate branch and local representatives.
PCS representatives are not permitted to transfer PCS data to another data controller under any circumstances. For this reason software tools such as Survey Monkey or Mail Chimp may not be used unless specifically authorised by the PCS Data Protection Officer (DPO).
PCS remains the data controller for PCS data wherever it may be stored. Many of the employers we deal with provide our representatives with facilities at work. Where this includes use of the desktop computer or laptop, never file information on a drive that has shared access. Do not leave emails containing PCS data in your in-box if it has shared access rights.
Data subject access requests (SARs)
Reps may be asked by individuals (as data subjects) about their rights under data protection law.
There is a specific process to be followed when PCS receives such a request so that:
- the request is acknowledged;
- the request is validated;
- all requested data can be identified;
- data exempt from disclosure is removed;
- data is provided in an appropriate and secure format;
- an auditable record is kept.
All data subject access requests must be made directly to the PCS DPO. The contact details are given below.
Further information and advice
Specific questions should be directed to the union’s data protection officer, Martin John, at PCS, 3rd Floor, Towncentre House, Merrion Centre, Leeds, LS2 8LY or by email at email@example.com