Mandatory: Data protection training
Rules G 4.1.7 and G 5.3.6 of the UNISON Rulebook make it mandatory for all branch officers and stewards to complete data protection training. This is not just a matter of UNISON rules; the UK’s independent regulator for data protection and information rights law, the Information Commissioner’s Office (ICO), requires it.
To ensure it’s quick and easy to complete the training, a new version of the free e-learning module was launched in December 2024, which eliminates some of the bugs that previous versions had. Unfortunately, fewer than 20% of UNISON activists have completed the new training module since then, despite it being a mandatory requirement.
Low compliance doesn’t just put individual members’ data or individual branches at risk – it puts the entire trade union at risk of regulatory action from the ICO. For example, the training covers identifying and responding to Subject Access Requests (SARs) – these aren’t always labelled as a ‘SAR’, and can come in any form, so completing the training will help the branch to identify them and know when to escalate a request to the data protection team at national office rather than handling it directly. The data protection team have extensive training on how to handle personal data requests in compliance with UK regulations.
You can access the training here using your MyUNISON login details:
https://e-learning.unison.org.uk/
If you have any problems accessing the training, or receive an error message, contact dataprotection@unison.co.uk who will help resolve it.
Breach reporting
UNISON’s reported personal data breaches this year appear to be at an all-time low. While this may be a matter of higher training levels and previous experience leading branches and staff alike to be more cautious in how personal data is processed, there is a risk this may be down to personal data breaches not being reported. To date, 2025 has had only 65% as many reported breaches as last year, while all other areas have sharply increased, such as SARs at 125% of last year’s volume.
Data breaches aren’t just major events like phishing scams or hacking and data theft. As a reminder, any of the following may constitute a personal data breach:
- Sending an email that uses “To” or “CC” instead of “BCC” for a large group of people, thereby exposing their contact details and trade union membership to each other.
- Sending the wrong attachment, such as a partially completed form instead of a blank template, and thereby sharing that person’s data with the recipient by accident.
- Picking the wrong recipient from autofill, e.g. due to similar names, and sending the wrong person another person’s information (e.g. copying the wrong person into a discussion of member cases).
- Loss of data due to a phone or laptop which had UNISON data on it being lost or stolen.
- Loss of data because someone left a branch without a proper handover, resulting in current or old case data being lost or destroyed.
There are many other ways that personal data can be breached, but those are some of the most common types of breaches across UNISON. Anything that exposes a person’s identifiable data to someone else unexpectedly or accidentally, or without their consent, can be a data breach – and likewise, any loss of personal data outside the also counts as a breach.
If any sort of data breach is discovered or even suspected, it must be reported to dataprotection@unison.co.uk as quickly as possible – the team are here to help remediate it.