Data Protection: Guidelines for Branches
Important changes have been made to data protection law. The Data Protection Act 2018 incorporates the EU General Data Protection Regulation (GDPR) which is certain to remain a part of UK law. Roles and responsibilities within and between organisations are more clearly defined so that compliance is embedded in the way organisations work.
PCS holds data about its members in order to carry out its functions, provide information and services, and comply with statutory obligations. PCS is a Data Controller, registered with the Information Commissioner's Office (ICO), and PCS remains the Data Controller for its data wherever it may be stored, including within employer systems.
Data Protection Law and the rights of data subjects
The core principles of data protection must be understood by all those processing personal data, which is defined as any information relating to a living individual who can be identified from that data. The principles stipulate that data will be:
- Processed lawfully and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate, relevant and, where necessary, kept up to date
- Retained only for as long as necessary
- Processed in an appropriate manner to maintain security.
Basis of lawful processing
PCS processes personal information as required to undertake the legitimate activities of a trade union and to provide the benefits of membership. This will include information falling within the specified special categories of data and therefore requiring a high standard of security and governance.
Roles and responsibilities
PCS is responsible for the actions of its employees and for representatives, who act as agents for the union, so it is important that everyone understands their responsibilities in relation to the processing of PCS data. Everyone processing PCS data does so under the direction of PCS as the Data Controller. Queries about roles and responsibilities should be addressed to the PCS Data Protection Officer (DPO).
PCS data stored in employer systems
We need to ensure that where PCS data is stored in the employer’s systems it is only available to those who have a legitimate reason to access it. Groups and branches must make sure that:
- access controls are agreed with the system administrator
- data is not stored where it may be subject to unauthorised access
- files are password protected
- encryption is used where available.
Handling PCS data at branch and local level
Where we hold data locally it must be proportionate to our needs and stored securely. Please see the Data Protection section of the Personal Case guidance available on the PCS website for guidance on handling personal case files. Always take particular care when dealing with membership reports and other lists. Only print these if absolutely necessary, store them securely in a locked drawer, and dispose of them properly, e.g. using the employer’s secure destruction facility. This requirement also applies to workplace maps and branch contact cards which should be destroyed after use (i.e. after second contact has been made) and cannot be retained.
Please take particular care with the use of e-mail. If e-mails are sent to groups of recipients, every recipient's address will be visible to all the others unless the blind copy (Bcc) option is used. This may not be an issue for communication between representatives, e.g. within a Branch Executive Committee, but the visibility of a list of members is likely to be a personal data breach. Note that trade union membership is a special category of data in data protection law. Distribution lists must always be stored securely and cannot be made available or visible to anyone except PCS staff and the appropriate lay representatives. PCS representatives are not permitted to transfer PCS data to another data controller under any circumstances. For this reason, software tools such as Survey Monkey or Mail Chimp may not be used unless specifically authorised by the PCS Data Protection Officer (DPO).
Use of e-mail
Data breaches can arise from the careless use of e-mail. Remember these two important tips:
- make sure the address autofill function is switched off
- always use the blind copy address box when sending to multiple recipients.
Personal Data Breaches
A personal data breach is defined as a security incident which has affected the confidentiality, integrity or availability of personal data. This includes all instances where personal data is lost, destroyed, corrupted or disclosed to anyone not entitled to it. If you become aware of a personal data breach you must contact the DPO immediately.
PCS is investing in better organising capability and this will also improve our information security, an example being the use of the new branch App. Whilst we are running new and legacy processes in parallel it is important to think ahead and review where membership data is currently held, so that it can be securely deleted at the proper time.
Data Subject Access Requests (SARs)
You may be asked by individuals (as data subjects) about their rights under Data Protection law. In many cases the required response will simply be to refer to the Privacy Notice on the PCS website or to explain how their individual membership record can be viewed, but where an individual asserts the right of access to data which is not available in this way, they may be making a Data Subject Access Request (commonly abbreviated SAR or DSAR). If in doubt, check with the DPO.
There is a specific process to be followed when PCS receives such a request so that:
- the request is acknowledged;
- the request is validated;
- all requested data can be identified;
- data exempt from disclosure is removed;
- data is provided in an appropriate and secure format;
- an auditable record is kept.
This means that all Data Subject Access Requests must be made directly to the PCS DPO. The contact details are given below.
Retention of data
In order to process data lawfully, it is important that all personally identifiable data, including papers and printed reports, is kept securely and only disposed of in line with our data retention policy. This aspect of PCS policy is under review, but until notified otherwise the policy is that PCS retains records in the membership database for seven years to enable:
- access to post-membership benefits (e.g. associate membership)
- exercise of legal claims.
For advice about retention or destruction of documents contact Membership Services or the Personal Case Handling Unit as appropriate.
Further Information and Advice