Protecting the personal information of our members is a legal requirement, and this part of the guide is essential for all representatives, whatever their role and level of experience. The information you process is the union’s data and PCS is the registered Data Controller. This means you are bound by PCS policies and procedures, so do use this guide and the links within it to ensure you understand your responsibilities. Whilst the overall responsibility for data protection lies with PCS under the General Data Protection Regulation (GDPR), individuals also have potential liability for data breaches.
GDPR, which was incorporated into UK law in the Data Protection Act 2018, is based on the following seven principles:
Lawfulness, fairness and transparency
The lawful basis for our processing is set out in the PCS Privacy Notice.
You must securely retain the information you need to progress the case. Don’t collect information for the sake of it. Tracking the processing of cases, e.g. for monitoring by the Branch Executive Committee, can be done without any issues as long as it is anonymised so it does not involve the sharing of personally identifiable information.
Our data processing should be proportionate to the needs of the case. Think about how you communicate so that you retain the information you need without setting off enormous email chains. When you take advice from a more experienced rep it may be better to call rather than email. Remain professional at all times and remember that emails concerned with personal cases are frequently legally disclosable. If you make rough notes during a meeting or a call these may be disclosable if you file them. If you decide not to retain your notes make sure you destroy them securely. If you file them they do fall within the PCS retention policy.
It is always best to check your understanding with the member or members concerned as the information is gathered and make any corrections supplied by the member.
PCS retention policy requires that personal case information is retained for seven years to enable the exercise of legal claims.
Integrity and confidentiality
Personal case files will include content falling within special categories of data under GDPR. To preserve the integrity and security of personal case information it is vitally important to ensure that access to it is limited to those who need the access. Ideally it should only be the representative directly involved in a case. Of course advice may need to be sought or cases re-assigned to other representatives but branch position or hierarchy should not automatically entail access to personal data.
PCS owes a legal duty to the individuals whose data is processed to protect the integrity of their data. This can only be fulfilled if those processing the data understand their own roles and responsibilities which are set out in the PCS Branch Guidelines.
A very large amount of PCS personal case information is within employer systems. This is partly because, in the civil service, members tend to use the employer’s email system when seeking representation. There are some advantages to this as long as only you have access rights to the email account. This condition is not satisfied if you share access to the email account with your line manager or other colleagues. If you are not able to satisfy this condition for any reason, you must seek advice before processing PCS data using an employer system. It may be that a lead representative can intervene to resolve the issue. If not, they will seek advice from the PCS Data Protection Officer (DPO) (email@example.com).
In employment areas without this facility you will need to consult your branch or a full-time officer to identify a secure alternative. This is because, except for use of PCS Digital and the Branch App, PCS cannot authorise the processing of its data on your personal device.
Subject Access Requests
Individuals have access rights to their own personal data. They can make a subject access request to the union via the PCS DPO. Always remember that the information you gather and store is PCS data and not employer data. This means that if you are asked to make a subject access return for an employer you must not give access to any PCS data and must exclude it from any return you make. Individuals who wish to make a subject access request to PCS must make it to the PCS DPO.
If a member asks about a subject access request or submits one to you, refer them to the Privacy Notice (https://www.pcs.org.uk/privacy-policy), where there is information on how to submit a request. Do not deal with or seek to respond to a subject access request yourself.
The detail of personal cases should not in any case be discussed at Branch Executive or other committee meetings. You also need to be aware when using video conferencing that, if meetings are recorded or if the chat is saved, a record is created which could be disclosable and is subject to the retention policy.
Sources of information
Contact the Data Protection Officer: firstname.lastname@example.org
Information from the Information Commissioner’s Office (ICO) website and helpline - 0303 123 1113 (9am to 5pm, Monday to Friday)