Q&A: PCS reps and new data protection rules
New data protection regulations are coming into force on 25 May, with the introduction of the long-awaited General Data Protection Regulation (GDPR).
PCS Data Protection Officer Martin John goes through some of the questions reps might have about data they process as part of their union roles, and reiterates that the GDPR is not intended to prevent the legitimate activity of organisations:
Q: How has PCS been preparing for GDPR going live on 25 May?
Q: Are elected PCS representatives data controllers or data processors?
A: Reps are data processors. Under GDPR there are precisely defined roles and responsibilities for the processing of data. It is important to distinguish between data processors and data controllers. PCS as an organisation is a registered data controller. The relevant responsibilities for this fall to the senior management team, working with the Data Protection Officer.
For further clarification contact PCS Data Protection Officer, Martin John, at email@example.com
Q: Can we keep an email list of members locally?
A: PCS reps can legitimately process membership data if acting within the guidelines set by PCS, as the data controller, which require that the data relates to their elected role and that processing is in line with our data security standards. Where distribution lists are required they must only relate to branch distribution, be regularly updated, and not be stored anywhere that may be accessible to those not entitled to have access.
Transfer of our data is not allowed, which means that free software such as Mail Chimp cannot be used. If further information is required, contact the Data Protection Officer.
Q: Can we do any work at home (on our own computers) on membership data?
A: Access to membership data which is legitimately required is provided via Commix. The work done by reps, working with the PCS membership department, to correct and update PCS data is invaluable.
Data used for organising should be stored securely whilst in use and securely disposed of after use. Distribution lists are frequently held in employer systems but it may also be necessary for branch officers to store them using their own devices. In these cases PCS data security standards still apply.
If necessary, advice should be obtained from the Data Protection Officer. Separate guidance about personal representation records is available on the PCS website.
Q: Can we keep a staff list and mark up the members and non-members for mapping (and targeted recruitment) purposes?
A: PCS has no plans to record the data of potential members in our database, as this is not covered in our privacy notice, but obviously, when recruiting, our reps and organisers need to know who they want to talk to and will use a combination of local intelligence and lists.
When lists are used it is important that they are securely destroyed after use. Remember that the GDPR is not intended to prevent the legitimate activity of organisations but to ensure that their processing of data is lawful.
Q: Can I conduct a survey of PCS members?
A: As doing so involves the processing of our data, prior approval will be required.
The Organising Department is working on options to respond to genuine survey needs and should be contacted for advice. Privacy issues mean free survey software may not be used without the approval of the Data Protection Officer.
FIND OUT MORE:
- See BB/32/18
- GDPR in Activate: New data law no barrier to organising
- More guidance on secure handling of information: See the PCS data protection guide
- Need help? For more advice on data protection issues, contact Martin John – firstname.lastname@example.org
Updated 8 May 2018