Data protection for workplace reps

Collecting, using and sharing members’ data

Do

• Encrypt or password-protect all members’ data files, especially if stored in cloud storage facilities.
• Make note of your responsibility as per the data protection statement.
• Keep and use accurate and up-to-date members’ data by regularly downloading and refreshing your core list of members from the national union; delete old lists including from the recycle bin.
• Regularly manage, by deleting or updating, members’ data you may have uploaded to an online site, e.g. online survey or bulk emailing applications.
• Record and send to the national union all ‘opt out’ messages received from members following any marketing campaign or other online activity, e.g. uploaded email addresses for surveys.
• Include the member’s membership number when advising the NEU membership department of updates/changes. This ensures the correct record can be identified.
• Casework – if carrying out casework, file any members’ casework data and correspondence in a separate folder from your other emails or folders for easy access and/or sharing with branch officers or regional/Wales colleagues.

Don’t

• Don’t keep data for longer than is necessary – delete, especially if out of date.
• It is unlikely that as a rep you will need to share data with any third parties. Any third party data sharing is likely to be done at district/branch level. You must inform the secretary if you are about to share data external to the union.
• Don’t do anything that enables one member to see another member’s data, e.g. when emailing a group of members use the BCC field so email addresses are hidden.
• Email members’ lists unless the attachment is password-protected.
• Upload members’ data to any online cloud storage unless it is encrypted or at least password-protected.

Devices: laptops, PCs, tablets, iPads, smart phones, USB sticks

Do

• Ensure all devices have password-protected access and practice using strong passwords.
• Use good password practices, e.g. never keep your ID and password details with your laptop.
• Ensure all devices are secure using their security and privacy settings.
• Shut down your laptop or workstation using the ‘shut down’ or ‘turn off’ option; never leave opened accessible devices unattended.
• Be aware of anyone viewing your screen as you enter passwords, view members’ data or any other sensitive information.

Reps and casework

• As part of your workplace rep role, you may deal with casework relating to a member. While we anticipate that a lot of this will be in conversations, you may still have written records, for example minutes of any meetings, emails to management etc. Follow the above guidance for keeping this information secure in line with General Data Protection Regulations (GDPR) guidelines.
• This may be rare, but if you start to do more complex casework, a member in your workplace may make a subject access request (SAR) to you for any information you or the NEU holds about them.
• If you receive such a request or any request for personal data from a member, forward it to your regional/Wales officer as soon as possible who will liaise with the NEU data protection officer to comply with the request.

It is a legal requirement to comply with SARs and the regional/Wales officer will liaise with you to obtain any recorded information you hold about the member related to their casework. Be prepared to provide any data to the region/Wales officer as soon as possible; the union has only 30 calendar days to respond to the SAR.

Online tools

It is your responsibility to use and share data responsibly. When working with online tools, such as SurveyMonkey or email marketing tools where you upload members’ data, use the minimum data necessary to achieve the objective.

You are responsible for knowing where your data is, the versions shared/uploaded and data currently in use.

Do

• Share the bare minimum data needed for your objective.
• Download a fresh set of members’ data before any communication with members.

Don’t

• Store members’ data in any cloud storage facilities, e.g. Dropbox, unless encrypted or password protected.
• Do not store members’ data on removable storage drives. If you have to store members’ data on removable media (ie USB memory drives, CDs, portable drives), encrypt the media or password protect the files in case of loss.
• Send sensitive information on removable media (ie USB memory drives, CDs, portable drives) without encrypting/password protecting the data.
• Send sensitive information by email unless you encrypt or password-protect the file.

Paper documents

Do

• Securely lock away paper documents containing personal or sensitive personal data when not in use.
• Secure any documents or notes containing personal information that would cause damage or distress if it were lost or stolen.
• Shred all end-of-life paper records that may contain personal information using a criss-cross shredder before disposing in commercial bins.
• Return any personal information collected from a member to that member, eg they may share a copy of a letter from the head or their appraisal form to ask for your advice.

Don’t

• Leave documents containing personal information unattended anywhere, such as classrooms or your home office.
• Disclose documents containing personal information to people who do not need to see them.
• Leave documents containing personal information on photocopiers, scanners or printers.
• Fax personal information unless you have agreed the recipient will be at the recipient fax machine to confirm receipt. Check the fax number is correct.

Leaving the role

At the end of your role as a rep there are good practices you need to adhere to ensure the union can continue to fulfil its data protection obligations.

• Inform the NEU district/branch secretary and region/Wales officer of your change of status.
• All access to union facilities will cease.
• All data you may have saved on any personal devices must be copied back to the district/branch or union and then deleted. This includes casework, relevant emails and paper files.
• Return all other members’ data or loaned resources to the district/branch secretary or the union and delete all copies in your possession.
• You are no longer authorised to have, process or use any members’ data.
• If you have outstanding casework and it is sensible for you to see these through to their conclusion, the steps above will apply at the end of each case. Casework data must be kept for six years following the end of a case so return these to the local district or the region/Wales office.

Data Protection statement

This data is supplied strictly in accordance with the union's data protection registration and the information is for the confidential use of current authorised officers of your association or division only. 

This data must not be copied or passed on to third parties. 

Please bear in mind that membership data is subject to constant change and should you intend to use the information for a mailing list to some or all of your members then only very recently supplied data should be used. 

Reporting opt-outs to the union

Report as regularly as possible any opt-outs from members received during online campaigns or bulk emailing. Opted out would be excluded from all other communication apart taking part in the democracy of the union or receiving operational communications from the union.

Members can elect to opt back in at any time. Email any member opt-outs to [email protected].