Branch Secretary News – Data Protection/GDPR update May 2024

Who needs training?

While the UNISON rulebook (rule G 4.1.7) only states that Branch Officers must undertake UNISON’s mandatory data protection training, the Information Commissioner’s Office (ICO), which governs personal data use in the UK, has made it clear that anyone who handles personal data must complete the data protection training.

This means that stewards and branch employed staff are also required to complete the data protection training. This is not just a requirement by UNISON but by the ICO. Failure to follow recommendations by the ICO could result in regulatory action against UNISON.

UNISON’s data protection training can be accessed via the e-learning site: UNISON e-learning.

Branch employed staff will need to be set up as an RMS contact before they can get a MyUNISON login and access the training. Where needed, please consult your regional RMS team.

Breaches and legal deadlines

If anyone (branch officer, steward, or branch employed staff) discovers a data breach has occurred or is in any way concerned a data breach may have happened, they must contact UNISON’s data protection team directly for advice on what mitigation measures should be taken.

UNISON has only 72 hours to report certain data breaches to the ICO and it is for the data protection team to assess whether the incident meets the required threshold. Those 72 hours apply even on bank holidays and weekends – a breach at 8am on a Friday will have to be reported by 8am the following Monday. With such a tight legal deadline, it’s essential that any breaches discovered by anyone in the branch make it to the data protection team as soon as possible.

We are experiencing an increase in delays in receiving completed breach reports. We require the reports to be completed to enable us to fully assess what has happened, how the breach can be contained, and if the matter needs reporting to the ICO. A copy of UNISON’s breach report can be found on the Organising Space: UNISON – Organising Space – Resource – Data Protection at UNISON.

Subject Access Requests (SARs) and legal deadlines

On receipt of a subject access request – a request for a copy of personal data being processed – UNISON has one month in which to provide the information to the data subject. Remember that a SAR can come in any form and may not be labelled as such; any request for copies of personal data may be treated as a SAR.

We are experiencing an increase in delays in having such requests forwarded to UNISON’s data protection team, which can mean we have less time to process the request to ensure UNISON meets the statutory deadline.

Please ensure that any requests are forwarded to UNISON’s data protection team immediately. Further information about SARs can be found on the Organising Space: UNISON – Organising Space – Resource – Data Protection at UNISON.

Our resources for you

As part of making sure that all branches are empowered to handle their members’ data as safely and securely as possible, and to protect our members at every level, there is lots of information on the Organising Space: https://organisingspace.unison.org.uk/OS/#/category/5517/data-protection-at-unison

WhatsApp guidance has recently been added and sits alongside other useful guidance such as getting workplace lists from employers and how to make surveys compliant.

If you have any suggestions for guidance that might be helpful for branches, please let us know on dataprotection@unison.co.uk.

Risks and complaints

Part of the data protection team’s job is handling complaints relating to how UNISON has handled personal data. While some of these complaints may be on a small, personal scale, others can have a bigger impact and reflect on UNISON as a whole.

The most common complaints we get are:

  • Data missing from SARs: Where stewards use their employer’s email system to carry out trade union duties, it causes issues when they leave, and the branch can no longer access the data. We recommend that branches use a case management system to ensure member data is stored centrally to the branch and accessible when required.
  • Victim of a data breach: Over 40% of the data breaches reported are because an email has been sent to the wrong person. We recommend that people take time to double check that the recipient is indeed the correct person.