Erasures
UNISON is currently receiving a high volume of erasure requests. These are requests that any person can make under UK GDPR for their personal data to be deleted by the organisation that holds it – non-members and former members are most likely to make this request.
If your branch receives a request to delete personal data, don’t delete anything yet. You should instead alert the Data Protection Team immediately and await further instruction. The Data Protection Team may need to carry out additional identity checks to ensure that someone’s data isn’t incorrectly deleted. They will also have guidance on what sort of data may be deleted – as well as what sort of data to keep. Some types of personal data are exempt from erasure under data protection legislation, and deleting the wrong thing may cause a data breach.
Sometimes individuals may make their erasure requests to the region or directly to the Data Protection Team. When this happens, the first thing your branch hears may be a request to find out what data is held about that person. It’s essential to answer in a timely manner, as erasure requests have strict legal deadlines. Any delay can put UNISON at risk of breaching our legal obligations.
If you have any questions about erasures, please contact dataprotection@unison.co.uk
Retention and destruction
Every part of UNISON has a retention schedule – the regions, UNISON centre, and all branches. These schedules outline how long various kinds of data should be held for, and when they should be securely destroyed.
You can find the branch retention schedule here:
UNISON-Records-Retention-Schedule-Branches.pdf
It’s important not to delete anything before the end of its retention period! As the retention schedule shows, some things may be destroyed once they’re finished with (such as working notes and memory aids, which aren’t needed once they’ve been typed up or otherwise served their purpose). Many things, however, must be kept for their full document lifespan: case files, in particular, should be kept for the entire seven years from the date when the case is closed.
UNISON recommends using a case management system, such as CaseWeb, for all branch case work. A case management system will ensure that all the important information on the case stays together, and prevents it being accidentally lost or deleted before the end of its retention period. These can be essential tools in maintaining our members’ data integrity, and can also be very helpful if a member’s case has to be re-opened later or if a representative leaves during a case and needs to hand over the details.
When a document reaches the end of its retention period, however, it should always be deleted or securely destroyed. This saves the branch’s storage space and reduces the risk of data breaches by not having old paperwork around that could be inappropriately accessed. In the case of paper documents, this means options like secure shredding, rather than just disposing of intact papers in a paper recycling bin. In the case of digital files, this means that the items should be deleted, and then the digital recycling bin should also be emptied to make sure the file can’t easily be restored.
The Information Commissioner’s Office (ICO) has a guide for securely destroying old paperwork and deleting old digital files here:
Practical methods for destroying documents that are no longer needed | ICO
If your branch would like to conduct a spring clean and you need additional support on which documents the branch can keep and which should be safely disposed of, please contact the Data Protection Team for advice.
Phishing attacks
A UNISON branch has again been the target of a phishing attack. These are emails or texts which attempt to trick you into clicking a link or entering your credentials, allowing the attackers to infect your computer and access data like your address book. These can pose a serious risk to the union and our members, so please take some time to familiarise yourself with these safety tips:
- Were you expecting this email? If you don’t know why this person would be emailing you, don’t click on any links in it.
- If they might have sent you something but you weren’t expecting it, contact them separately to check if they really did send you the link, file, etc. before you try to access it.
- Look for strange grammar, odd phrasing, changes in font, changes in colour – they’re getting more convincing, but unusual formatting can still be a tell.
- Hover over any links rather than clicking them. Does the link appear to go where you expect? If it’s a strange address, do not click on it.
- Change your passwords if you or someone you know may have been phished. It’s better to be safe than sorry.
Phishing attacks use a variety of different tricks, with no two exactly alike. Common attacks include sending a link to “encrypted documents” which will ask for your credentials to log in, sending a QR code that will take you to a misleading site, or otherwise sending emails that require you to follow a link to access some kind of attachment.
If you have been the target of a phishing attack, you should immediately alert both your IT provider and UNISON’s Data Protection Team. Your IT provider will help to quarantine the attack and prevent it spreading any further, and can also let you know if your account has been compromised and sent any infected messages. You should tell Data Protection if your account was compromised. It is also useful for Data Protection to know how many messages were sent, and if any other UNISON branches may have been attacked as a result.
Phishing attacks can spread very quickly, so it’s essential to act immediately.
Scams and email security
Gmail has been the target of a new security scam: scammers call up a phone number and say they’re from Google, then claim they need to verify a recovery account or details change for that person’s account.
This is an attempt to get the two-factor authentication code and other credentials that may allow the scammers to take control of the account and lock its owner out.
The scammers can “spoof” their number so that it will appear to come from a real Google number, and can provide an official-looking email address, but this is all fake. They also use tactics of fear and intimidation, trying to put time-pressure on the person they’re calling or claiming the person will be locked out if they don’t share their credentials or security code.
Google will NEVER call you to reset your password or otherwise call without warning. If you receive a call like this, hang up immediately and do not provide any information. If you believe you have fallen for a scam like this, change all your passwords immediately and let the Data Protection Team know.
Keep safe:
- Don’t send personal or financial information on the spot. Never let yourself be bullied into payment or sharing sensitive information on a single call.
- Don’t let potential scammers try to pressure you with urgency. They do this to fluster their targets into making mistakes. Other scams may involve claiming to be the police or HMRC and will use similar pressure tactics.
- Take your time to research. If the call is really coming from your bank, the police, etc., then you will be able to call them back on a number you can look up independently. Don’t just redial the number in your phone’s history; get it fresh from a proper source.
Keeping up with training
The UNISON rulebook under Rule G requires all stewards and branch officers to complete UNISON’s mandatory data protection training within three months of election and as a refresher on an annual basis. An updated version of the training module was rolled out at the start of this year which includes a new recording system to make sure your most recent score is properly recorded.
How to complete the training:
- Go to the UNISON e-learning home page and log in using your MyUNISON details
- Click “Data Protection and the GDPR”
- Scroll down to “Data Protection e-learning module” and choose either of the links below – the “text only” one reduces the number of images and animations for those with visual impairments or a poor internet connection.
- Click the “start” button, or click “start new attempt” if you want to override your old score with a new attempt.
- Follow the course to the end.
If you have trouble accessing the training:
- Check the connection you are using. Some employer firewalls limit our training site, so try again using a different internet connection or a different device.
- If you have forgotten your password, contact UNISON Direct on 0800 0 857 857 and they can reset that for you. They can also update your details if your email address or other information has changed.
- You may have received an error message. Take a screenshot of the error and send it to dataprotection@unison.co.uk so that we can look into it.
- We may have to ask follow up questions to fix your access, including checking whether your MyUNISON profile matches your RMS profile.
- If we cannot fix it, we will escalate your problem to the Learning And Organising Services (LAOS) team for further help.