This guidance is for UNISON branch secretaries with branch employed staff.
Processing Subject Access Requests (SARs) for Branch Employed Staff
Your branch may employ staff to help with the workload. Where this is the case, you must understand that as the branch secretary, you have additional responsibilities when it comes to complying with data protection legislation.
Where a branch employs staff directly, it is the branch who is the data controller for the employee’s personal data, not UNISON. The branch is the data controller because it determines the purposes and means of processing the employee’s personal data. A data controller has responsibilities which are set out by the UK GDPR and include:
- Ensuring sufficient technical and organisational measures are put in place, and
- Implementing internal data protection policies such as responding to data subject right requests.
Right of Access/SARs
Under the UK GDPR, there is the ‘Right of Access’, more commonly known as a subject access request (SAR). A SAR is where an individual requests a copy of their personal data that an organisation is processing. Requests can be made verbally or in writing. The scope of a SAR can vary significantly from just one document to all data. There is a statutory one-month deadline in which to respond to these types of requests.
Responding to a SAR from a member of branch employed staff may involve a degree of crossover between the branch and UNISON. The request may be made to just the branch (scenario 1 below), just UNISON (scenario 2 below), or both. The purpose of this guidance is to help you understand when the branch is responsible for responding to a SAR, and under what circumstances the branch must liaise with UNISON’s Data Protection Team (dataprotection@unison.co.uk).
Scenario 1
If a member of branch employed staff submits a SAR to the branch, only information held at the branch should be considered for disclosure. This includes the individual’s personnel file and any information held on the email system used by the branch. Remember, this is for personal data only, i.e. information that relates to them as an individual; anything considered ‘business as usual’ would not need to be included. For example:
- Your staff member may be a caseworker whose role includes liaising with members about their cases. Whilst emails will include the staff member’s name and email address, the contents of the emails do not relate to the staff member and so are considered ‘business as usual’.
- However, if the emails include anything about the staff member’s sickness absence or food allergies for the Christmas lunch for example, this counts as personal data and would need to be included.
Whilst employment matters such as grievances and employment tribunals should remain a matter for the branch to deal with independently, we understand that this is not always the case and advice is often sought from region. Therefore, where the scope of the request means UNISON’s advice on the matter will be disclosed, the branch must inform UNISON’s Data Protection Team immediately. Furthermore, a copy of the emails must be provided to UNISON’s Data Protection Team in a redacted form for review before they are released to the data subject. This will give UNISON a chance to consider if further redactions or exemptions are required. It will also mean UNISON has a copy of the emails should it be subject to a SAR from the same individual, and will ensure consistency in that exact copies will be given to the individual.
Scenario 2
If a member of branch employed staff submits a SAR to UNISON, only information held at the regional and national levels of the union should be considered for disclosure. This means any emails held on UNISON email accounts.
Where the scope of the request means branch emails will be disclosed, UNISON will inform the branch immediately. Furthermore, a copy of the emails must be provided to the branch in a redacted form for review before they are released to the data subject. This will give the branch a chance to consider if further redactions or exemptions are required. It will also mean the branch has a copy of the emails should it be subject to a SAR from the same individual, and will ensure consistency in that exact copies will be given to the individual.
Recommendations
Some additional recommendations for you to consider as a data controller are:
- Registering with the Information Commissioner’s Office. The link to the registration self-assessment can be found here: https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/
- Reading the ICO’s guidance for small organisations on responding to SARs from employed staff: https://ico.org.uk/for-organisations/advice-for-small-organisations/how-to-deal-with-a-request-for-information-a-step-by-step-guide/
- Contracting an external data protection service provider to help with monitoring compliance and responding to data subject right requests from members of branch employed staff.