Ensuring the security of personal case information & files is not only a matter of good practice, it is a legal requirement in terms of data protection legislation. All of us involved in personal cases have a responsibility to maintain members’ confidentiality and privacy.
This short note is intended to assist branches and those who undertake personal casework to consider how data protection may impact on casework.
It’s important that you maintain proper and comprehensive records of cases.
There should only be one file location for each case. Where more than one officer is involved it’s preferable that there’s a single, central file which each rep has access to and which is the definitive file. If multiple reps maintain additional files for their own use these are still covered by data protection. At the very least at the end of a case all material should be brought together into a single file and duplicate information held by other officers should be destroyed.
What information are you gathering? Is it:
Don’t collect information for the sake of it. For example, we often have a checklist of ‘about you’ type queries be it equality information, addresses and other contact details. You should consider how much of this is really needed, how much is necessary to progress the case, how much is habit?
A word about note taking:
- keep it simple,
- keep it factual,
- keep it accurate,
- keep it professional.
Remember your notes, memoranda, correspondence and emails concerned with a case are more likely than not to be disclosable under data protection legislation.
Where do you keep your records & files?
Physical security is the first line of defence in protecting members’ data. Is there a union room? In it, is there a lockable storage container, which preferably should not be a cabinet that is in daily use? Without a union room, could management be prevailed upon to provide secure storage?
Files and records should not be left lying around; they should be locked away when not in use. If they are electronic then access should be password protected. If a PC is shared then individual officers should have separate log-in profiles and casework files should be in protected folders.
Where is the information stored? Is it:
- paper based or electronic,
- password protected,
- in a secure container,
- access controlled,
- access recorded.
The content of your files & records both paper-based and electronic is the union’s data. It is subject to our data protection registration and our data protection responsibilities. As a branch and as an individual union representative you are covered by our registration and so there is no need to seek any separate registration with the Information Commissioner.
As an agent of the union you are bound by our policies and procedures. You need to make yourself aware of your responsibilities in maintaining members’ privacy, confidentiality and the protection of their data. Under the General Data Protection Regulation (GDPR) individuals have potential liability as well as organisations, which is an important reason why you should adhere to the union’s guidance to help ensure you protect yourself.
Where management’s resources are used to store files & records, be these physical cabinets or IT networks, the files & records remain the data of the union and subject to our data protection schema and not that of the employer.
If management seek access to our data because they have received a subject access request or a Freedom of Information (FoI) request, inform them that our data is not covered by those requests regardless of the storage location of the data. Of course, whoever made such a request could make a subject access request to us if they believe we hold personal data about them.
If in doubt, or if management do not accept your argument on ownership of the data, then refer the matter to the union’s Data Protection Officer, Martin John.
- members place their trust in us when they give us their personal data and we need to ensure we do not break that trust.
Who can access files and records? Ideally it should only be the officer directly involved in a case but we recognise there may be instances when more than one officer by necessity is involved. How can access be organised to help ensure the data’s integrity? Can there be a sign-out procedure? If the files are kept in a shared container (e.g. a cabinet or PC) can those who have access rights to other material in the container be prevented from getting to the casework files? If not, can there be alternative locations for that material?
Who has access to the information? Ask yourself:
- who needs to know,
- what do they need to know.
Branch position or hierarchy should not entail routine access to members’ personal data. The Information Commissioner would not be impressed by any argument that a person could access others’ data because they held a certain post. Elected position cannot trump data protection.
Of course, members have access rights to their own personal data. They can submit a request to see their data; this is called a subject access request. If a member asks about a subject access request or submits one to you, refer them to the union’s website where there is information on how to submit a request (see links and further reading below).
Do not deal with or seek to respond to a subject access request. This includes not undertaking to pass on a request, as it is the responsibility of the member to get the request to the union’s data protection officer, Martin John (firstname.lastname@example.org): all requests must go through him.
Files and records of personal casework should be maintained for six/seven years; this is to cover the period during which a claim could be made against the union in relation to the case.
When are your files & records checked? They should be:
- regularly moved to secure archives,
- filleted for duplicates and non-essential material,
- routinely examined to see if they are safe & secure,
- securely destroyed when no longer required.
The personal information you receive, gather or record for any personal case, or, indeed, in the general course of union activity, is covered by data protection legislation. That means the subject of the information – the member – has rights to how it is processed, stored and used. It also means the union, including you as an agent of the union, has responsibilities to process, store and use the information within the terms of the GDPR.
There are six enforceable principles within GDPR. These state that data must be:
1. Processed lawfully, fairly and in a transparent manner;
2. Collected for specified, explicit and legitimate purposes;
3. Adequate, relevant and limited to what is necessary;
4. Accurate and, where necessary, kept up to date;
5. Retained only for as long as necessary;
6. Processed in a manner that ensures appropriate security.
The union is a registered data controller and our policies and procedures are designed to ensure we meet our legal responsibilities.
Links and further reading
Information Commissioner’s Office (ICO) website and helpline: 0303 123 1113 (9am to 5pm, Monday to Friday)