Introduction
On 25 May 2018, data protection laws in the UK will be strengthened by the implementation of the EU General Data Protection Regulation (No.2016/679) (GDPR). The GDPR automatically comes into force across all EU Member States from that date and has “direct effect”. This means that its rights apply to individuals and can be legally enforced through the courts.
Growth of the digital economy
Rapid advances in technology and the growth of the digital economy over the past decade have resulted in a huge increase in the volume of personal data being collected and exchanged. Data is being collected and used in different ways, too. Online services track our habits and preferences and data is now routinely collected and processed automatically. Decisions about credit applications are made without human intervention, for example. Increasingly, so are decisions relating to our work, such as whether our attendance has fallen below an acceptable level. One of the provisions of the new law is to ensure that we have a right to insist on human intervention in decisions such as those that significantly affect us.
As well as strengthening individuals’ rights in the protection of our data, the GDPR aims to contribute to the economic and social progress that the technological explosion has created. Its goal is to strike a balance between the rights of individuals and the commercial and public interests of those organisations exchanging the data. After four years of preparation and debate, it was approved by the EU Parliament on 14 April 2016.
The GDPR replaces the 1995 Data Protection Directive (95/46/EC), which established a framework for processing personal data and for free movement of data within the EU two decades ago and was implemented in the UK by the Data Protection Act 1998 (DPA).
The Data Protection Bill
The DPA remains the main legislation governing the protection of personal data in the UK today. It was used to expose blacklisting in the construction industry which had resulted in hundreds of workers losing their jobs and being unable to secure new ones. The workers were deemed troublemakers for raising legitimate workplace issues. The Unite and GMB general unions secured compensation on behalf of hundreds of workers after the Information Commissioner’s Office carried out an investigation and found the blacklist.
The DPA will continue to apply until it is replaced by the new Data Protection Bill (set to become the Data Protection Act 2017), which was introduced in the House of Lords on 13 September 2017. Since the provisions of the GDPR will be implemented domestically through the new Bill, they will remain a part of UK law after the UK leaves the European Union.
As well as giving effect to the GDPR, the Data Protection Bill is also designed to bring into domestic law the EU data processing Law Enforcement Directive (No.2016/680) – aimed at protecting the data rights of those involved in criminal investigations or proceedings – and to meet the UK’s obligations under the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
While most of the provisions of the GDPR will be adopted wholesale by the Bill, it does allow for some derogations – these are articles that allow Member States the freedom to expand or restrict their standard provisions.
Derogations
One of the derogations that the UK government is planning to take advantage of is to remove the rights of individuals who are subject to an immigration procedure to discover what personal data is held about them. Public sector union UNISON condemns this move as unnecessary, discriminatory and divisive and says it will increase the likelihood of errors and undermine trust in public services. Others agree, including the data rights organisation Open Rights Group (ORG) which argues that adding an exemption would deprive individuals of their fundamental rights to access their personal data and have it rectified or erased, which are vital particularly when mistakes in immigration procedures occur.
The exemption would not just apply to data held by the Home Office, but include any organisation that processes information used in relation to immigration controls, which currently includes schools, GPs, hospitals, landlords, employers and the DVLA.
Further derogations and special conditions are discussed in Chapter 1.
What’s new?
While much of the law remains the same and the principles will be familiar to those who already know the existing data protection laws, the GDPR will strengthen the law and add some new rights. For example, there are more stringent conditions for individuals to consent to their personal data being used; opt-outs will no longer be an option and organisations will need to gain consent through a positive opt-in instead.
It will be easier for individuals to withdraw their consent for their personal data to be used; and explicit consent will be required to process special categories of data (what is termed “sensitive personal data” under the DPA), which includes information about an individual’s trade union membership.
Individuals will have new rights including the right to be forgotten allowing them to have their personal data removed, particularly where they put it online as children. Trade unions will need to have processes in place to ensure that they can erase an individual’s personal data when requested to do so.
Organisations will have to provide more information to individuals and keep more records about their data processing decisions and procedures. It will be easier for individuals to know what information organisations hold about them and to access that data, which must now generally be provided free of charge. The maximum fine allowable against organisations committing serious data protection breaches will be vastly increased. It will become mandatory to inform the supervisory authority of a personal data breach.
Trade unions are “data controllers” and “data processors” in respect of their members’ and potential members’ personal information. As such, they must comply with the GDPR when carrying out all of their trade union duties and activities. Employers are also data controllers and processors. Trade union representatives therefore also need to be aware of how employers are processing data and recognise when their own or a member’s personal data has been misused and what they can do about it.
This booklet sets out the main provisions of the GDPR that are relevant to trade unions. It explains the data protection principles and provides guidance for trade union reps on how to comply with data protection laws when collecting and using information about members in the course of carrying out trade union duties and activities. It uses examples from the Information Commissioner’s Office that illustrate the operation of data protection principles in practice and explains the law in relation to breaches of the GDPR. There is a glossary of terms at the end of the booklet.