Identifying and handling subject access requests (SARs) – including requests from employers
We have found that on occasion, an employer will contact a branch or individual reps to request data about a person, because the employer has received a SAR. An individual cannot access UNISON data by submitting a SAR to an employer, even if the branch uses the employer email system to conduct trade union duties. It is important in these cases to understand what can and cannot be disclosed. Data relating to a rep’s substantive post is employer data; however, anything sent or received in their capacity as a UNISON rep belongs to UNISON. If you are asked by an employer to provide data for a SAR, please contact UNISON’s data protection team immediately.
An individual can submit a SAR to anyone in UNISON, and they do not have to call it a SAR when they do so. A SAR could come in the form of a request for copies of emails about the individual, or a copy of the individual’s case file, without ever using the words “Subject Access Request”.
It is therefore imperative that the SAR be recognised for what it is and escalated to UNISON’s data protection team immediately. The branch must not handle a SAR on its own or attempt to respond to it. Improperly handled SARs can open the union to serious risk which may result in regulatory action from the Information Commissioner’s Office (ICO).
Retaining and storing data
UNISON has recently had several data breaches where data has been lost due to deletion or poor storage security.
What the branch retains is just as important as what is securely destroyed. Even when a member leaves UNISON, data must be retained for a specified period which can even include data the member asks us to delete. For guidance on how long to retain data, please check the branch retention schedule which can be accessed via the UNISON website or Organising Space:
https://www.unison.org.uk/content/uploads/2019/03/UNISON-Records-Retention-Schedule-Branches.pdf
Where there is a risk that data may be lost through a lack of proper handover, the branch must take necessary steps to ensure that there is a full handover of data – including of closed cases still within their retention period – when anyone in the branch leaves their post. It is essential that member data is not lost when a rep retires or if an employer withdraws access to their systems.
For as long as the branch must retain data, the data must be stored securely and safely. It is highly recommended that a case management system, such as CaseWeb, be used to ensure that correspondence and supporting documents relating to member cases are all kept in one, suitably secure, place.
Bulk emails
Merlin has now been rolled out to all branches. This replaces WARMS and contains similar tools for sending out emails to large groups of members. Rather than downloading lists or extracts which can rapidly become out of date, always use Merlin for sending bulk emails.
As per the bulletin to branch secretaries dated 12 August 2025, all bulk email must go via Merlin to ensure it is sent securely and our members are protected.
Training
UNISON’s data protection training is mandatory for all branch officers and stewards. It must be completed within three months of being elected and annually thereafter. Our records show that only 47.8% of those required to complete the training have done so. Please encourage those in your branch to complete the training as soon as possible. The training is accessed via the UNISON e-learning platform.
CaseWeb
Over 50% of UNISON branches are now signed up to the CaseWeb system. CaseWeb is now the means of processing case work for most branches and handles case work for 67% of the UNISON membership.
Three quarters of branches that expressed interest have already taken up using CaseWeb and we are following up interest from a further 7% of branches.
We will be seeking to contact branches that have not already expressed interest to offer them the chance to consider signing up to the system.
CaseWeb training for branches
Branches that sign up to CaseWeb are provided initial training online, using Microsoft Teams. Once training has occurred, the branch is made live on the system. New users in branches can attend our regular new user training sessions. Training for new branch users is held on the first Tuesday, second Thursday and third Tuesday of every month from 2-3:30pm.
We do run refresher training sessions; however, we also have a series of training videos in the help and support pages of the system. These can be used by any system user to refresh part or all of the training.
CaseWeb training videos for existing users can be found online: https://live.caseweb.co.uk/support
If you would like to book training for new users, please contact caseweb@unison.co.uk with the following information –
Name / email / Branch role / Membership number
Confirm ERA Accredited – within the last 5 years/ on membership record
Confirm GDPR completed – within the last 12 months
Is your branch interested in using CaseWeb?
If your branch is looking for a more secure and organised way of handling members’ cases, you may wish to explore how CaseWeb can help you.
If you wish to know more about CaseWeb or attend an online demonstration, please email us on caseweb@unison.co.uk or register your interest at https://caseweb.co.uk/register-your-interest/