Branch Secretary News February 2025 – Data Protection & GDPR

Branch email systems

All branches were contacted on 11 February 2025 about the use of employer email systems for trade union activities and the need to have a Data Processing Agreement (DPA) in place. This is because of an identified risk, and in line with guidance from the Information Commissioner’s Office (ICO). Here is what you need to do:

• If your branch does not use an employer email system, you do not need to do anything other than email dataprotectionprojects@unison.co.uk by 11 March 2025 to inform us it is not applicable to your branch and read the document ‘Branch Minimum Security Standards’ that was included with the email you were sent on 11 February.
• If your branch does use an employer email system, and already has a data processor agreement in place, please contact dataprotectionprojects@unison.co.uk to confirm and provide a copy by 11 March 2025 and read the ‘Branch Minimum Security Standards’ included in the email you were sent on 11 February. The Data Protection Team will review the agreement to ensure it is compliant.
• If your branch uses an employer email system, and has no data processor agreement in place, it is important that action be taken immediately. Please refer to the email you were sent on 11 February and contact dataprotectionprojects@unison.co.uk if you have any questions.

Using the email your employer provides to conduct trade union activities may be in line with your facilities agreement under the Trade Union and Labour Relations (Consolidation) Act 1992, but putting a data processing agreement (DPA) in place sets a clear boundary for employers. It ensures the employer understands that their only role is to host trade union data, and that they do not get to determine what they do with it; it keeps our members safe by ensuring the employer understands they cannot use UNISON data just because it’s on the employer’s email system.

It is essential that you contact the UNISON’s Data Protection Team as soon as possible to confirm your branch’s status and start getting a data processing agreement in place if necessary.

Updated data protection training

UNISON’s data protection training has been updated, meaning there is a new module for 2025-26. If you have completed the training within the last 12 months you do not need to worry yet. The updated training module is for those who are yet to complete it for the first time and those who have met the anniversary for their annual refresher. Accessing it is still as simple as ever; activists need to log in with their MyUNISON account at UNISON’s e-learning site (https://e-learning.unison.org.uk/)  and select the Data Protection module. It only takes around 20 minutes and includes new elements to help activists understand how to keep our members’ data safe.

UNISON’s Data Protection Team are aware that on occasion with the previous training module, training dates were not always accurately recorded. The updated training has fixed this issue and upon completion you will be awarded a digital badge that shows an expiry date. Per the UNISON Rulebook, Rules G4.1.7 and G5.3(6), training must be completed annually.

If you are having difficulty with accessing the training, please contact the Data Protection Team on dataprotection@unison.co.uk for help and advice.

Last year’s statistics, improvements and warning signs

The Data Protection Team have had year-on-year workload increases every year since UNISON first started tracking data protection statistics, and 2024 was no different. Below are the figures for data breaches across the union: