The Data Protection Act 1998 is the law that protects personal privacy and upholds individuals' rights.
The act applies to anyone who handles, or has access to, information about individuals. It also gives rights to the people the information is about.
Data protection applies at all levels in PCS. Wherever data is held, whether it is branch records, e-mails or local membership records, the rights of the individual to privacy and access apply.
We are all individually responsible for complying with the data protection legislation when we are using personal data.
If we do not comply the information commissioner can take enforcement action against PCS and/or the individual.
It is important to recognise that the data protection principles apply at all levels within the union.
Wherever data is held, whether it is branch records, e-mails or local membership records, the rights of the individual are the same, and this includes access. So be aware of the possible pitfalls and consider in the first instance if there is a need to retain information.
We must all seek to raise the level of awareness across the whole union and you are encouraged to discuss and consider the act within your own group.
Special attention should be made to what you would do given that a member requests any information you hold on that member.
Pay particular attention to personal cases and records ensuring that any information held, in whatever medium, is secure and only available to authorised individuals.
Also that when they are no longer required they are disposed of in a secure manner.
In an election, information on members’ names and addresses, which are covered by the Data Protection Act, must not be used without the specific authority of the union and consent of the individual.
We are all individually responsible for complying with the data protection legislation when we are using personal data. If we do not comply the information commissioner can take enforcement action against PCS and/or the individual.
If you have any queries please contact the data protection officer - Martin John on 0113 200 5300 or email firstname.lastname@example.org
A guide to the Data Protection Act 1998
What is the Data Protection Act?
It is a law that protects personal privacy and upholds individuals' rights.
Does the act affect me?
Yes. The Data Protection Act 1998 applies to anyone who handles, or has access, to information about individuals.
The act also gives rights to the people the information is about. By law, everyone in the workplace must follow the rules set out in the act and help to protect individuals' rights.
What are your responsibilities?
The act helps to make sure that the information held on computers and in some paperbased systems is managed properly.
You must protect personal information by following the eight principles of good practice.
Why do you need to know about it?
Anyone who handles personal information as part of their job must follow the Act. The Act applies to employers and employees.
Data Protection Act - some definitions
To understand the principles of the act, you need to know what the main terms mean.
Here are some definitions:
- Data: is recorded information, whether stored electronically on computer or in paperbased filing systems.
- Personal: means that the information is about an identifiable living individual.
- Personal data can be factual, such as a name, address or date of birth, or it can be an opinion, such as how a manager thinks an employee has performed at an appraisal. It can even include a simple email address.
- Processing: is any activity that involves the data. This includes collecting, recording or retrieving the data, or doing work on the data such as organising, adapting, changing, erasing or destroying it.
- Sensitive personal data: includes information about someone's racial or ethnic origin, political opinions, and religious or other beliefs, trade-union membership, health, sexuality, or criminal proceedings or convictions. Sensitive personal data can only be processed under strict conditions. In most cases, this means getting permission from the person the information is about. They decide how and why the information is used. As data controllers, employers have a responsibility to establish workplace practices and policies that are in line with the act.
- Data users: include employees whose work involves processing personal information. As a data user, you have a legal duty to protect the information you handle. You must follow your employer’s data protection and security policies at all times.
- Data subjects: are the people the information is about. Within the workplace, they may be current employees, people applying for jobs or former employees. Data subjects might also be customers, suppliers, clients, patients or other people about whom information is held. All data subjects have certain legal rights in relation to their personal information.
- Data processors: may be separate organisations who process information on behalf of data controllers. They must also follow the act and make sure information is handled properly.
The eight principles
The act is based on eight data protection principles, or rules for 'good information handling'.
In summary the data must be:
- processed fairly and legally;
- processed for limited purposes and in an appropriate way;
- relevant and sufficient for the purpose;
- kept for as long as is necessary and no longer;
- processed in line with individuals' rights;
- secure, and
- only transferred to other countries that have suitable data protection controls
The following explains these principles in more detail:
Personal data must be processed fairly and legally.
'Processing' applies to all uses of data from collecting and storing data, to retrieving, organising and destroying it.
There are two main conditions of this first principle. Either the data subject must give their permission, or the processing is necessary for legal or contractual reasons.
For data to be processed 'fairly' the data subject should know who the data controller is, why the data is being processed and any other necessary information, such as the likely consequences of the processing. Individuals must not be deceived or misled as to why the information is needed.
For data to be processed 'legally' it must not lead to any kind of discrimination, and should not go against other laws such as the Human Rights Act 1998.
Personal data must only be obtained for specified and legal purposes, and must only be processed in a way that is consistent with the specified purpose.
Data controllers and data users must not collect and use data unless there is a specific and valid reason for doing so.
The data subject must be told what the information will be used for; personal data collected for one reason must not be used for any other, unrelated, purpose.
Personal data must be adequate, relevant and not excessive for the purpose for which it is processed.
Only data needed for the specific purpose should be asked for or recorded. Information that is not relevant for the purpose must not be collected simply because it might be useful in the future.
For example, job application forms should not require details that only successful applicants need to give, such as National Insurance numbers.
Likewise, when filling in forms about members, staff, customers, patients or other data subjects, you should only record relevant information, not personal remarks. These comments would have to be disclosed if somebody asks to see their personal information.
Personal data must be accurate and, where necessary, kept up to date.
Incorrect and misleading data is 'inaccurate'. Data users should record data accurately and take reasonable steps to check the accuracy of information they receive from data subjects or anybody else.
Data controllers should 'spring-clean' all storage systems to destroy inaccurate and out of-date information, and correct inaccurate records.
Personal data processed for any purpose must not be kept for longer than is necessary to fulfil that purpose.Organisations will need to keep some data on current and past employees in order to respond to enquiries from a new employer or from the Inland Revenue. Other types of personal data may not be relevant for future purposes and should not be kept for longer than is necessary.
An example of out-of-date personal data would be recruitment records of unsuccessful candidates that are kept for more than four months after a post has been filled.
Personal data must be processed in line with the data subject's rights.
The rights of individuals are central to this principle. These rights include the following:
- The right of subject access lets individuals find out what information is held about them.
- Data subjects have a right to prevent processing that is likely to cause damage or distress to themselves or anyone else. They also have the right to claim compensation for damage and distress caused by someone breaking the conditions of the Act.
- Rights in relation to automated decision-making means that significant decisions should not be made about individuals using automatic processing alone. Examples of automated decision-making would be job-selection procedures such as psychometric testing and CV scanning.
- Individuals have the right to prevent processing for direct marketing - data controllers must not use personal data for direct marketing purposes if the data subject asks them not to.
- Individuals have the right to take action to correct, block, erase or destroy data that is inaccurate or contains opinions that are based on inaccurate data
Exceptions: There may be situations in which these rights do not apply. For example, individuals do not have the right of subject access if it affects the way crimes are detected or taxes are assessed.
Appropriate security measures must be taken to protect against unauthorised or illegal data processing.
Data controllers must make sure that security controls are in place and are followed. These may be technical (for example, relating to computer systems), or organisational (for example, management structures and physical layout of workplaces). Only employees who need to use personal data to carry out their work should have access to that data.
Transferring personal data outside the European Economic Area (EEA) is restricted unless the rights and freedom of data subjects are protected. Some countries outside Europe do not have the same legal requirements to protect information.
The eighth principle means your employer or data controller must take steps to make sure personal data that is transferred outside the EEA is secure.
Data security procedures in PCS
Data security within PCS means guaranteeing the confidentiality, integrity and availability of data.
- Confidentiality: only people who are authorised to process data can access it.
- Integrity: personal data should be accurate and suitable for the processing purpose.
- Availability: authorised data users should be able to access the data if they need it for specific purposes.
- Entry controls: protect your building from unauthorized visitors. You should report any strangers or unauthorised personnel seen in secure areas.
- Secure lockable furniture: all paper-based records should be locked away in desks, filing cabinets or cupboards, when they are not in use. Keys should be kept in a safe place.
- Methods of disposal: safe methods for destroying papers include shredding, incineration and using confidential waste bins. Make sure you know the policy for each type of data. Portable electronic storage devices (such as floppy disks and CD-ROMs) containing sensitive data should be physically destroyed or overwritten.
- Secure equipment: special care should be taken with computer screens, fax machines and photocopiers: Place equipment appropriately within secure areas - make sure other people cannot see your monitor. When you are away from your desk, make sure computer screens are clear and lock away documents. Be aware of the security procedures for portable equipment such as laptops. Remove documents from photocopiers and fax machines after use. Make sure only authorised staff can collect incoming faxes.
Security requirements within PCS are being identified and we will establish procedures for good working practice. Measures which you can take now include:
- A risk assessment to identify weak areas and the likely result of security problems.
- Data classification to decide what data is required, or not, and the length of time it is needed.
- Physical security controls.
- Computer Security Access controls: access to software or computer files can be protected in various ways, including: log-on procedures; user identification, such as passwords; password-protected screen savers.
- User responsibilities: everyone in the workplace is responsible for protecting information. Make sure you know and follow any procedures put in place by PCS; you never give anyone your password or use another person's password.
- Handling enquiries
- Individuals may want to find out what personal data is kept about them. A formal request for information under the Data Protection Act 1998 must be made in writing. If you receive a written request, give it to the person within PCS who is authorised to deal with it.
- Keep in mind the following when dealing with data queries: Check the person's identity to make sure you only give information to the person who is entitled to it.
- If you are not sure about their identity, and cannot check it, suggest that the person writes in for the information.
- Never give out any information about another person. For example, you should not give friends and relatives of employees and members their address details. Do not be bullied into giving information. Ask your manager if you need help.
Some questions about data protection
Can I keep details of members?
Yes, provided they are relevant and obtained for specified and legal purposes. Branch records would come under this category.
What details can I keep?
Only data needed for the specific purpose should be collected and recorded. Data cannot be collected for a possible future use.
Do I have to keep membership data in a secure place?
It is essential that all information, including computer records, are only available to those who need access to carry out their work. Files should be locked away when not in use and computer records secured by means of a password-accessed screen saver.
Can I pass on the details of members to third parties?
Not unless the member has given permission to do so.
Can a member ask me for any details held on them?
Yes, a member is entitled to request to see any personal details held.
Can I withhold any details?
No, a member is entitled to see all records kept of their personal information, providing they are reasonably accessible and do not contain personal details of another individual. This can
include such things as personal details, employment details or even any emails held on the system.
Will I still be able to get lists of members from headquarters?
Yes, membership lists will still be available; however greater care must be taken to ensure that any use of the list complies with the Act.
Can my employer refuse to give me the names of new employees?
No, this information is not considered ‘sensitive personal data’ so should be available from employers.
What do I do about personal cases?
Personal cases are legitimate business of the union instigated by the member. However, where there is a necessity to disclose personal information to a third party as a result of the case, permission must be given by the member.
How long can I keep data?
Formal retention policies for the various types of data will be issued shortly. Once the retention period has expired it must be destroyed or depersonalised.
PCS is not responsible for the content of external websites