The General Data Protection Regulation (GDPR) which was published last year comes into effect on 25 May. There are some important changes which include clearer rights for the citizen. It is the biggest change in data law for twenty years and its aims are to cope with the huge changes in technology that are taking place and to make it easier for individuals to understand and control what data is held about them.
Under the GDPR, organisations face much larger penalties for data breaches, with fines of up to 4% of turnover for the most serious breaches.
PCS strongly supports the GDPR and work has been taking place to ensure we are fully compliant when the new regulation comes into force. Some of our systems and processes are undergoing change which will improve our data security and extend the ability of members to check and amend their membership record. The changes will also build on our existing organising capability and make new facilities available to our representatives in the workplace.
Whilst the main processing operations within PCS are undertaken by PCS staff, all group, branch and local representatives who represent our members and access and use information from our membership database are also processors.
Our members have a right to expect that PCS at every level will process their personal information with the required level of security and that we will do so effectively to strengthen the union and to improve communications at a time when we are focusing on getting ballot ready to mount our pay campaign. These guidelines are intended to assist branch and local representatives in doing this.
I hope you will find these guidelines of use in making sure we work on behalf of members in ways that meet the legal requirement to safeguard their personal information. They will be updated as our processes change to reflect improved digital capability. Applying the guidelines consistently will help ensure that we maintain compliance whilst actively recruiting new members and building our organisation.
Action by branches
Please ensure that all reps are aware of this branch briefing and make data protection an agenda item at your BEC to check compliance with the guidelines as soon as possible, and not later than 25 May, paying particular attention to these questions:
- Are PCS files password protected?
- Do they need to be removed from shared drives?
- Are there agreed measures to ensure secure deletion/destruction?
- Is e-mail used securely so that no lists are visible?
GDPR Guidelines for Branches
The principles of existing data protection law continue under GDPR. The most important changes relate to clearer roles and responsibilities within and between organisations, so that compliance is embedded in the way organisations work. PCS is a Data Controller, registered with the Information Commissioner's Office (ICO), holding data about its members in order to carry out its functions, provide information and services, and comply with statutory obligations.
Data Protection Law and the rights of data subjects
The core principles of GDPR must be understood by all those processing personal data, which is defined as any information relating to a living individual who can be identified from that data. The principles stipulate that data will be:
- Processed lawfully and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate, relevant and, where necessary, kept up to date
- Retained only for as long as necessary
- Processed in an appropriate manner to maintain security.
Basis of lawful processing
PCS processes personal information as required to undertake the legitimate activities of a trade union and to provide the benefits of membership. This will include information falling within the specified special categories of data under GDPR and therefore requiring a high standard of security and governance.
Roles and responsibilities
PCS is responsible for the actions of its employees and for representatives, who act as agents for the union, so it is important that everyone understands their responsibilities in relation to the processing of PCS data.
Handling PCS data at branch and local level
Where we hold data at branch or local level it must be proportionate to our needs and stored securely. Please see the Data Protection section of the Personal Case guidance available on the PCS website for guidance on handling personal case files.
Always take particular care when dealing with membership reports and other lists. Only print these if absolutely necessary, store them securely in a locked drawer, and dispose of them properly, e.g. using the employer's secure destruction facility. Always password-protect your files and use encryption where available.
Please take particular care with the use of e-mail. If e-mails are sent to groups of recipients, the recipients will be visible to one another unless the blind copy (Bcc) option is used. This may not be an issue for communication between representatives, e.g. within a Branch Executive Committee, but the visibility of a list of members is likely to be a data protection breach. This is because trade union membership is a special category of data in data protection law.
For this reason, distribution lists must always be stored securely and must not be made available or visible to anyone except PCS staff and the appropriate branch and local representatives.
PCS representatives are not permitted to transfer PCS data to another data controller under any circumstances. For this reason software tools such as Survey Monkey or Mail Chimp may not be used unless specifically authorised by the PCS Data Protection Officer (DPO).
PCS remains the Data Controller for PCS data wherever it may be stored. Many of the employers we deal with provide our representatives with facilities at work. Where this includes use of a desktop computer or laptop, always file information which may include PCS data on the H drive. Do not leave e-mails containing PCS data in your inbox if it has shared access rights.
Data Subject Access Requests (SARs)
You may be asked by individuals (as data subjects) about their rights under Data Protection law. In many cases the required response will simply be to refer them to the Privacy Notice on the PCS website, or to explain how their individual membership record can be viewed. Where an individual asserts the right of access to data which is not available in this way, however, they may be making a Data Subject Access Request (commonly abbreviated SAR or DSAR). If in doubt, check with the DPO.
There is a specific process to be followed when PCS receives such a request so that:
- the request is acknowledged;
- the request is validated;
- all requested data can be identified;
- data exempt from disclosure is removed;
- data is provided in an appropriate and secure format;
- an auditable record is kept.
This means that all Data Subject Access Requests must be made directly to the PCS DPO. The contact details are given below.
Retention of data
In order to process data lawfully, it is important that all personally identifiable data, including papers and printed reports, is kept securely and disposed of in line with our data retention policy. This aspect of PCS policy is under review but, until notified otherwise, PCS retains records in the membership database for seven years to enable:
- access to post-membership benefits (e.g. associate membership)
- exercise of legal claims.
For advice about retention or destruction of documents contact Membership Services or the Personal Case Handling Unit as appropriate.
Further Information and Advice