As a union representative (Rep) you are implicitly agreeing to abide by the Union’s responsibilities to data protection. You will have access to or will receive lists of members in your workplace and handle some casework so it is important you use reasonable security measures to safeguard members’ data at every stage until deletion or return to the Union, whichever is most appropriate.
This guide will highlight the core of your responsibilities. It is not an exhaustive list and will be updated as appropriate.
Start of role – Workplace Rep
At the start of your role as a Rep, carrying out the following should ensure a responsible approach to data protection.
- Read, understand and keep to hand this document on data protection, making a note of where other supporting information can be found, e.g. reps training course materials.
- Read and understand the ‘data protection statement’ in Appendix A; as a Rep you have implicitly signed up to these
- Register and receive your official union access to download members’ lists (when available)
- All devices where you may use or store lists of members or hold member information must be password protected; if the device is a shared resource, ensure you have your own secure login.
- On receiving a list of members in your school you are not obligated to share this with your Head/Principal or anyone else, under any circumstances.
While an ‘authorised’ rep - collecting, using and sharing members’ data
- Encrypt or password protect all members’ data files especially if stored in cloud storage facilities.
- Make note of your responsibility as per the data protection statement, Appendix A.
- Keep and use accurate and up-to-date members’ data by regularly downloading and refreshing your core list of members from the national union; delete old lists including from the recycle bin.
- Regularly manage, by deleting or updating, members’ data you may have uploaded to an on-line site, e.g. on-line survey or bulk e-mailing applications.
- Record and send to the national union all ‘opt out’ messages received from members following any marketing campaign or other on-line activity, e.g. where you uploaded e-mail addresses for surveys. See Appendix B.
- Include the member’s Membership Number when advising the NEU membership department of updates/changes. This ensures the correct record can be identified.
- Casework – if carrying out casework, file any members’ casework data and correspondence in a separate folder from your other e-mails or folders for easy access and/or sharing with branch officers or regional/Wales colleagues.
- Do not keep data for longer than is necessary – delete it, especially if out of date.
- It is unlikely that as a rep you will need to share data with any third parties. Any 3rd party data sharing is likely done at the District/Branch level. You must inform the secretary if you are about to share data external to the Union.
- Don’t do anything that enables one member to see another member’s data e.g. when e-mailing a group of members use the BCC field so e-mail addresses are hidden
- Do not e-mail members’ lists unless the attachment is password protected.
- Do not upload members’ data to any on-line cloud storage unless it is encrypted or at least password protected.
Devices: Laptops, PCs, tablets, iPads, smart phones, USB sticks
- Ensure all devices have password-protected access and practise using strong passwords.
- Use good password practices e.g. never keep your ID and password details with your laptop
- Ensure all devices (mobile, tablets etc.) are secure using the security and privacy settings provided with the device.
- Shut down your laptop or workstation using the ‘Shut Down’ or ‘Turn Off’ option; never leave open, accessible devices unattended.
- Be aware of anyone viewing your screen as you enter passwords, view members’ data or any other sensitive information.
Reps and casework
- As part of your workplace rep role, you may deal with casework relating to a member. While we anticipate that a lot of this will be conversations you have, you may still have written records, for example, minutes of any meetings, e-mails to management etc. Please follow the above guidance for keeping this information secure in line with GDPR guidelines.
- This may be rare, but if you start to do more complex casework, a member in your workplace may make a subject access request (SAR) to you for any information you/the NEU holds about them.
- If you receive such a request or any request for personal data from a member, please forward it to your regional/Wales officer as soon as possible who will liaise with the NEU Data Protection Officer to comply with the request.
It is a legal requirement to comply with SARs and the Regional/Wales officer will liaise with you to obtain any recorded information you hold about the member related to their casework. Please be prepared to provide any data to the Region/Wales officer as soon as possible; the Union has only 30 calendar days to respond to the SAR.
It is your responsibility to use and share data responsibly. When working with online tools where you upload members’ data, e.g. SurveyMonkey or e-mail marketing tools, use the minimum data necessary to achieve the objective.
You are responsible for knowing where your data is, the versions shared/uploaded and data currently in use.
- Share the bare minimum data needed for your objective.
- Download a fresh set of members’ data before any communication with members.
- Do not store members’ data in any cloud storage facilities, e.g. Dropbox, unless encrypted or password protected.
- Do NOT store members’ data on removable storage drives. If you absolutely have to store members’ data on removable media (i.e. USB memory drives, CDs, portable drives), encrypt the media or password protect the files in case of loss.
- Do not send sensitive information on removable media (i.e. USB memory drives, CDs, portable drives) without encrypting/password protecting the data.
- Do not send sensitive information by email unless you encrypt or password protect the file.
- Securely lock away paper documents containing personal or sensitive personal data when not in use.
- Secure any documents or notes containing personal information that would cause damage or distress if it were lost or stolen.
- Shred all end of life paper records that may contain personal information using a criss-cross shredder before disposing in commercial bins.
- Return any personal information collected from a member back to that member, e.g. a copy of a letter from the head or their appraisal form that they shared when asking for your advice.
- Do not leave documents containing personal information unattended anywhere, e.g. classrooms/home office.
- Do not disclose documents containing personal information to people who do not need to see them.
- Do not leave documents containing personal information on photocopiers, scanners, or printers.
- Do not fax personal information unless you’ve pre-agreed the recipient will be at the recipient fax machine to confirm receipt. Check the fax number is correct.
Leaving the role
At the end of your role as a Rep there are some good practices you need to adhere to, ensuring the Union can continue to fulfil its data protection obligations.
- Inform the District/Branch secretary and Region/Wales officer of the Union of your change of status
- All access to union facilities will cease
- All data you may have saved on any personal devices must be copied back to the district/branch or Union and then deleted. This includes casework, relevant e-mails and paper files.
- Return all other members’ data or loaned resources to the District/Branch secretary or the Union and delete all copies in your possession.
- You are no longer authorised to have, process or use any members’ data.
- If you’ve outstanding casework and it is sensible for you to see it through to its conclusion, the steps above will apply at the end of each case. Casework data must be kept for 6 years following the end of a case, so return it to the local district or the region/Wales office.
Data Protection statement
THIS DATA IS SUPPLIED STRICTLY IN ACCORDANCE WITH THE UNION'S DATA PROTECTION REGISTRATION AND THE INFORMATION IS FOR THE CONFIDENTIAL USE OF CURRENT AUTHORISED OFFICERS OF YOUR ASSOCIATION OR DIVISION ONLY.
THE DATA MUST NOT BE COPIED OR PASSED TO THIRD PARTIES. PLEASE ALSO BEAR IN MIND THAT MEMBERSHIP DATA IS SUBJECT TO CONSTANT CHANGE AND SHOULD YOU INTEND TO USE THE INFORMATION FOR A MAILING TO SOME OR ALL OF YOUR MEMBERS THEN ONLY VERY RECENTLY SUPPLIED DATA SHOULD BE USED.
Reporting Opt-outs to the Union
Please report, as regularly as possible, any opt-outs from members received during on-line campaigns or bulk e-mailing.
Please note that opt-out is global: the member would be excluded from all other communication, except for taking part in the democracy of the Union or operational communications from the Union.
Members can elect to opt back in at any time. E-mail any member ‘opt-outs’ to firstname.lastname@example.org