The 1998 Data Protection Act sets out the rules on the use of people’s personal information that UK unions and other businesses need to follow. It followed a 1995 Directive from the EU on the protection, processing and movement of data.
But the 1998 Act will soon be superseded by the new EU General Data Protection Regulation (GDPR), which requires organisations to take more stringent measures.
The GDPR also introduces tougher fines for non-compliance and breaches and gives individuals more control over what organisations, including unions, can do with their data. The regulation takes effect on 25 May 2018 and Prospect has been working hard to ensure it complies with the new rules.
Why the change?
The data world has changed significantly since the 1995 Directive was introduced. In order to keep pace with the advances of the digital age, a uniform regime was considered crucial – including an expansion of rights and a more “privacy-friendly” approach.
Are these completely new rules?
Yes and no. The 1995 rules are being replaced but the fundamental aspects of privacy will continue to be protected and extended. Organisations will be required not only to maintain more detailed documentation but to implement data protection “by design and default”, which means making sure that privacy is embedded into everything they do.
Who needs to comply?
The GDPR applies to any organisation touching and managing (that is collecting, storing, processing and/or sharing) individuals’ personal data. Personal data includes “any information relating to an identified or identifiable natural person” and is an extensive definition.
That means Prospect staff and reps must comply with the new regulation in everything they do.
What are the new rights?
Some of the more important new rights are:
- the Right to Portability – where an individual can ask for their personal data
- the Right to be Informed – where an individual has a right to receive concise, transparent and easily accessible information
- the Right to be Forgotten – where an individual has a right, under certain conditions, to have their personal data erased
- the Right to Data Rectification – where an individual can ask to have data changed if inaccurate.
There are also stronger rules for how individuals consent to how their personal information is used. This means we must always think about the individual before we use their information in any way.
Always ask yourself: has the individual consented to how I am about to use this information? For example, if an individual has not explicitly agreed to information being shared, or their contact details being used to communicate with them, we must not use this data in that way without asking them for permission.
Data breaches can have far-reaching effects and the financial consequences of failing to comply are steep – with fines of up to either €20m or 4% of global annual turnover, whichever is greater.
This means that data security must continue to be one of Prospect’s key objectives and staff and representatives will need to work together to make sure we deliver this.
How will changes affect reps undertaking Prospect business?
Reps are asked to continue to respect the data protection principles already in place under the 1998 Act, but to exercise caution when handling members’ data – this includes thinking about how, where and in what format records are stored, and ensuring that they are secure.
One of the key drivers of the GDPR is to improve individuals’ rights. It is therefore crucial that reps obtain explicit consent when transferring or sharing personal, sensitive and/or special category data.
Special category data is defined as relating to race, political opinion, religious or philosophical beliefs, sexual orientation, trade union membership, sex life, health or criminal (or alleged criminal) activities, proceedings or convictions.
Additional care is also required when using social media, text and email facilities.
What if I accidently breach the regulations?
If you think you might have breached GDPR, or if you see someone else commit a breach, please contact Prospect’s data compliance officer immediately at firstname.lastname@example.org.
We will be able to investigate and discover whether there has been a breach and identify the best way to remedy it.
The most important thing is that Prospect is open and transparent about any mistakes and works quickly to notify the affected individuals and rectify any issues. If you’re unsure, always err on the side of caution and check with us.
Next steps for reps
A few key dos and don’ts are listed below, but we are also recommending that all reps undertake a GDPR training session with our legal team.
To arrange a training session for your branch, please email me at email@example.com
- Ask for permission if you’re not sure if someone has consented to how you are about to use their information.
- Store all personal information securely. Information must not be saved, held or transmitted in a way that is not secure.
- Use password protection on documents that are private.
- Delete personal information when it’s no longer required. (Check with Prospect’s data compliance officer if you’re not sure what information should be deleted or how long personal case records should be kept.)
- Use the blind copy (BCC) function when sending emails to multiple members. Remember that members may not want their colleagues to know that they are a union member. Unless they’ve consented to you sharing this information, they are entitled to complete confidentiality.
- Contact our data compliance officer immediately if you think you may have breached Prospect’s data protection rules. The earlier we know about a breach, the easier it will be to remedy it.
- Sign up to one of our GDPR knowledge calls or request a GDPR training session for your branch.
- Contact Prospect’s data compliance officer if you’re unsure about how you’re using personal data.
- Use your own personal device to send or respond to SMS or instant messages (eg WhatsApp) with any information that includes a member’s identifiable data. Email should be your primary means of communication when representing Prospect members.
- Share any personal information about a member with any other person without obtaining the member’s explicit permission first.
- Leave members’ personal information on your desk or in an accessible drive on your computer. This includes member names or email addresses. Personal information should be locked away or held securely in private computer files.
- Publicly identify any individual as being a trade union member without their explicit permission.
- Ignore a potential breach of data protection regulations. If in doubt, contact Prospect for help or support.
You can find more information about the legislation on the Information Commissioner’s Office’s (ICO’s) website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
If you have any other questions about GDPR, please email Prospect’s data compliance officer at firstname.lastname@example.org