Branch Secretary news: Data protection

UNISON’s mandatory data protection training update

Thank you to everyone who undertook UNISON’s mandatory data protection training in 2025. The training should be completed on an annual basis and so we have updated the training in line with changes to UNISON processes and data protection legislation. Upon completion you will be awarded a 2026/27 badge. If you took the training between 1 January and 10 February 2026 you don’t need to retake the training until next year; you will be awarded the new badge manually.

The requirement to undertake the annual data protection training, as per UNISON rulebook, is mandatory for branch officers and stewards, and strongly advised for anyone else at the branch who may handle members’ personal data.

You can use your regular MyUNISON login to access the training here

Training is crucial for legal compliance, preventing data breaches, building member trust, and protecting sensitive information. It teaches everyone how to handle data correctly, recognise threats and respond to incidents. Training is a legal requirement under UK data protection law.

Physical Record Risks

While the majority of branches are mostly paperless from day to day, sometimes paper cannot be avoided. However, physical documents pose additional security risks because they are easy to copy, easy to lose, and easy for other people to see without leaving any sort of trace. As such, UNISON’s Data Protection Team strongly advise that branches should only use paper records when there is no alternative, and avoid printing wherever possible.

If the branch must have paper copies for any reason, ensure they are kept securely, such as in a locked cabinet, and are not accessible to passers-by. Branches should also consult the Branch Retention Schedule (available on the Organising Space) to make sure that paper records aren’t being kept for longer than necessary and ensure that paper records are securely destroyed at the end of their lifecycle.

Secure destruction may be carried out by a third party contractor, by an employer with secure destruction bins available if you have a suitable facilities agreement in place, or by using a cross-cut shredder if the branch possesses one. Cross-cut shredders reduce a document to very small pieces rather than long, still-readable strips the way normal shredders do, and so are much safer for document disposal.

The Organising Space contains the Branch Retention Schedule and more information. You can use your MyUNISON login to access it here

DPA Project

In 2025 we launched the Data Processing Agreement (DPA) project, to help protect our branches and reps who use their employers’ email systems to conduct trade union duties. This project is ongoing, and if you have not already, you may soon hear from your Regional Organiser to determine whether your branch needs a DPA and, if so, to provide support with getting one in place.

A DPA is an agreement between the branch/UNISON and an employer, wherein the employer acknowledges that UNISON is the data controller for emails sent to/from UNISON activists and agrees that they will not access trade union emails or files without UNISON’s consent. It also includes some general security requirements and data protection standards. This is important, because without it the employer may behave as though they can do whatever they like with trade union data hosted on their systems, and this can put our members at risk, especially during disputes.

You need a DPA if:

  • Anyone at the branch uses the employer’s email systems for trade union purposes. This includes branch officers, elected reps, and branch employed staff. If trade union emails are sent using the employer’s email address, a DPA must be put in place.

You do not need a DPA if:

  •  The branch has its own email system and everyone at the branch uses that exclusively for branch related activities.
  •  Everyone at the branch uses their own personal email instead of the employer’s email for branch related activities.

If your employer refuses to sign a DPA, or insists they are a “data controller” for trade union data on their system:

  •  Contact UNISON’s Data Protection Team (dataprotection@unison.co.uk) to discuss.
  •  It would be safer to stop using the employer’s email for trade union purposes. An employer who refuses to sign a DPA may want to have access to trade union emails which they should not be accessing, and that may include using the contents of those emails against individual members or the branch as a whole.
  • UNISON recommends moving to a third party provider which meets the criteria in the , linked above), and keeping member data on Merlin and Caseweb as much as possible to minimise the risk of data sharing outside of secure systems.