It’s not even halfway through 2023, but it’s shaping up to be a busy year for UNISON’s Data Protection Team – we’ve already had over 120 data breach reports compared to fewer than 80 this time last year, and a similar increase in Subject Access Requests (SARs). We’re working hard to protect our members’ personal data and ensure that even complex requests are handled within statutory deadlines. With that in mind, we’ve put together a few useful tips and resources for you:
- Merlin’s first rollout is coming soon, and access may be restricted based on whether branch WARMS users have completed UNISON’s mandatory data protection training (https://e-learning.unison.org.uk/), so don’t delay.
- If you need GDPR tips and suggestions, or guidance on best practice in UNISON in accordance with data protection law, we’re building a Data Protection Knowledge Base on the Organising Space. With guides on everything from day-to-day data handling through to Subject Access Requests (SARs) and data breaches, we’re sure you’ll find it useful.
- With email proving one of the biggest causes of data breaches, we’ve put together a few tips to help you keep our members safe:
  - Password-protect your spreadsheets. It’s as easy as File > Info > Protect Workbook!
  - Try encrypting your emails. We have an easy-to-follow guide to this up on the Organising Space under Processing Data in the Data Protection section.
  - Remember to follow retention schedules and securely destroy data that you no longer need! Holding onto data “just in case” can result in old spreadsheets with inaccurate information, or put sensitive data at risk.
- When a breach does happen, here are some ways you can help to mitigate it:
  - Recall that email! Recalling an errant email helps make sure the data doesn’t stay with the wrong recipient. If you can’t recall, you can always ask the recipient to delete it.
  - Amend the contact details: we get plenty of breaches where a simple spelling or transcription error results in the wrong email address on an RMS record.
  - Contact the Data Protection Team – we can provide advice in more difficult situations.
We’ve also put together a short guide to the Seven Principles of GDPR; these principles are at the heart of all data processing under GDPR, so data use that doesn’t comply with them is a data breach or infringement of GDPR. Every use of data needs to meet these principles, which we’ve included in the Organising Space.
UNISON’s templates for Data Processing and Data Sharing Agreements have been updated in accordance with changes to data protection law. These agreements are between UNISON and third parties who we might need to share data with for a legitimate reason i.e., a mailing house or employers. They lay out how the data should be handled and for what purposes, set standards, and help all parties involved in sharing to be clear about their roles and responsibilities. They’re a basic step toward GDPR compliance and good practice to demonstrate compliance and accountability. Get in touch if your branch shares data with anyone outside UNISON, and we can find the right agreement for you.
Following communications with a challenging employer in the Yorkshire & Humberside region, UNISON’s Head of Data Protection worked with the Information Commissioner’s Office (ICO) to determine ownership of the data contained within representatives’ emails sent using their work email address for trade union purposes. The ICO have agreed that UNISON is the data controller for such data and that in these circumstances, the employer is a data processor i.e., processing data on UNISON’s behalf. This conflict had arisen in other regions with other employers and has on a couple of occasions resulted in employers agreeing to review the facilities agreement in place.
If you have questions about anything above, want to report a GDPR breach, or just need to know a bit more about data protection principles, please get in touch on dataprotection@unison.co.uk – we’re here to help.