Rulebook update:
The rulebook now requires both Branch Officers (Rule G4.1.7) and all stewards (Rule G5.3(6)) to complete UNISON’s mandatory data protection training. However, in accordance with the ICO’s instruction, anyone who handles personal data is required to complete the training. This includes branch employed staff. The training can be accessed via your MyUNISON login here: https://e-learning.unison.org.uk/ . If anyone experiences issues accessing or completing the training, please contact UNISON’s Data Protection Team on dataprotection@unison.co.uk.
Phishing emails/Organising Space resources:
Guidance on phishing emails and what to do if you are a victim of a phishing attack is now available on the Organising Space, accessible via your MyUNISON login, along with other useful guidance on topics from WhatsApp use to training access. The Organising Space is available here: https://organisingspace.unison.org.uk/OS/login/
Branch Data Protection Handbook/ guidance updates:
The Branch Data Protection Handbook is under review to ensure it is relevant to UNISON’s processing activities and as helpful as possible for branches, including day-to-day guidance and explanations of their responsibilities in helping UNISON comply with data protection legislation. Please look at the existing handbook, available on the Organising Space, and contact UNISON’s Data Protection Team on dataprotection@unison.co.uk if you have any suggestions for what you would like to see in the next edition.
Email security tips:
Email is often a thorny issue, especially for branches which may use their employers’ email under a facilities agreement. To help keep your branch emails safe, we advise the following:
- Use a case management system, such as CaseWeb, rather than storing all case data in emails, because it means the employer cannot see what’s in there.
- Use WARMS to send bulk emails, as this avoids the risk of accidentally exposing members’ personal email addresses to one another and gives you a second chance to check that your attachments are all correct.
- Ensure all emails sent on branch business have a clear UNISON email signature and include ‘UNISON’ in the subject field, to help differentiate between employer and UNISON data.
- Double check that you’re not sending things to shared mailboxes if you can avoid it. It is not always possible to tell who has access to a shared mailbox, and this can expose member data to unwanted parties.
- Double-check attachments before sending. A common data breach involves sending ‘blank’ templates, such as case forms, which turn out to have been partially filled in with someone else’s data.
Subject Access Request advice:
We are finding that subject access requests (SARs) are being missed, which puts UNISON at risk of regulatory action because statutory deadlines are not being met. Any time you receive a request for personal data – whether someone is asking for a copy of their file, making a Freedom of Information request that involves personal information, or asking for notes from a case meeting – send it to UNISON’s Data Protection Team on dataprotection@unison.co.uk immediately.
75% of the follow-up complaints we receive about subject access requests relate to data the data subject believes to be missing from the SAR response, and over one third of these are substantiated. When gathering data for the Data Protection Team’s SAR process, please include anything at all that may be relevant – even if it may be unflattering to the representatives who supported the member. If you have concerns about disclosing the data, please speak to UNISON’s Data Protection Team.
Third party security:
The Information Commissioner’s Office (ICO), the UK’s regulatory body for data protection, has fined British Airways £20M for a breach committed by one of the data processors the company uses to handle data on its behalf. To mitigate risks like this, we advise making sure that you have a data processing agreement in place with any third party that handles your branch’s data – this can include mailing houses, archival or storage companies, third-party IT suppliers, and so on. Major email suppliers like Microsoft and Google will have a processing agreement built into their default terms of use, but any smaller or independent contractors are likely to need one. If you have any questions, please contact UNISON’s Data Protection Team on dataprotection@unison.co.uk.