Labour Research April 2018

Features

Preparing for the new data law


Wide-ranging changes to data protection legislation take effect on 25 May — with major implications for many organisations, including trade unions, as Simon Parry reports.


Much tougher standards around data protection are due to come into force next month — and the new regulatory regime ensures that the repercussions for unions caught engaging in bad practice could be severe.


Currently, the UK relies on the 1998 Data Protection Act (DPA) which was based on the 1995 EU Data Protection Directive. However, against a background of major changes in technology over the last 20 years, the EU’s General Data Protection Regulation (GDPR) will supersede the current legislation.


There are two key drivers behind the GDPR. The first is to do with providing greater control for people over their personal data. Given the massive increase in the collection and use of personal data, the GDPR is trying to give more power to individuals over their own data.


The rise of social media services such as Facebook and Twitter, who provide their platform for free in exchange for use of individuals’ personal data, has created business models based on exploiting this information through such things as targeted advertising.


Other technologies, such as the Google search engine and music streaming services, also collect data from users to be able to target specific audiences or to identify trends. The GDPR introduces tougher regulation for companies collecting personal data and gives more rights to individuals.


The other reason driving the GDPR is the need to create a more transparent and uniform legal framework for firms and organisations working within the EU. The annual savings to business are estimated by the EU to be worth €2.3 billion.


With the outcome of Brexit and the UK’s future relationship with the EU still uncertain, the government has confirmed that UK organisations will still need to comply with the GDPR. This position has also been reinforced by the Information Commissioner’s Office (ICO), the regulatory body that will enforce the legislation.


It is thought that the UK will continue to keep the GDPR standard as any cross-border data flows will need to meet adequate safeguards. US companies must already meet the US/EU-agreed Privacy Shield standard, a framework protecting the rights of anyone in the EU whose personal data is transferred to the US for commercial purposes.


‘Right to be forgotten’


Among the major implications of the GDPR are the “right to be forgotten”, issues around consent, data breach notifications and potentially heavy fines for breaches.


The “right to be forgotten” achieved prominence in recent years thanks to a 2014 ruling by the Court of Justice of the European Union (Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González).


This applied specifically to internet search engines and held that an internet search engine operator must consider requests from individuals to remove links to web pages resulting from a search on their name.


The GDPR refers to a “right to erasure”, under which “the data subject shall have the right to obtain from the controller the erasure of personal data” concerning them; in other words, individuals can ask an organisation to delete the personal data it holds on them.


With people increasingly embarrassed by old pictures on the internet or social media comments they regret, this new right will help give individuals more power. However, ensuring all personal data can be identified, organised and deleted will be a difficult task for many organisations.


Consent

The GDPR also states that organisations, including unions, “shall be able to demonstrate that the data subject has consented to processing of his or her personal data”.


Many people have become used to clicking “I agree” on things like online sign-up forms and website cookie notifications without ever reading a word of the legal text. Under the new regulations, organisations that want your personal data need to try harder and make clearer what it is they will use your data for.


This also has implications for data collected before the new rules come in. For example, how did someone end up on a union email list? 


If the person is a member who signed a membership form, this should be less of an issue. But what if it’s a list containing non-members? How were their details collected and is there a record of their consent?


One minefield is the use of photographs. If someone can easily be identified in a photo used in a newsletter or poster, for example, the new rules suggest that consent will be needed. This could involve retrospectively collecting consent forms from individuals who appear in publications and websites.


Data breaches

With hacks and data breaches becoming increasingly commonplace, the GDPR also shakes up the rules about notifying when such breaches happen. Organisations “shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority” and “shall communicate the personal data breach to the data subject [the user or customer] without undue delay”.


With some high-profile hacks only coming to light a long time after they took place, organisations now have to act more quickly and ensure the people affected get told. This has implications for unions, including union reps, working with membership data.


Penalties for non-compliance

Under the DPA, the repercussions of falling foul of the regulations were fairly limited. The fallout from bad publicity was often the biggest risk for organisations. 


The GDPR addresses this by giving much sharper teeth to the regulators. Now, fines of up to €20 million, or up to 4% “of the total worldwide annual turnover of the preceding financial year, whichever is higher” can be levied against offenders. 


In severe cases, the GDPR could in theory also lead to prison sentences for senior managers such as company directors, or even, in the case of unions, general secretaries. 


However, Information Commissioner Elizabeth Denham has emphasised that the ICO has always “preferred the carrot to the stick” in its approach to regulation and has dismissed predictions of huge fines as “nonsense”. 


Unnecessary data


Another aspect of the regulations means that organisations need to avoid collecting and keeping more personal data than needed — “by default, only personal data which are necessary for each specific purpose of the processing are processed”. This may seem like commonsense good practice. Nevertheless, a lot of organisations try to collect and store as much information as possible, but then only end up using a fraction of it.


Profiling

The new rules also have implications for profiling. The use of algorithms and profiling is thought to be on the increase as it can be much cheaper to automate decision making. 


With profiling an increasingly common practice, the GDPR states that people “shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects”. This means that companies using algorithms to make important decisions, such as granting insurance cover or monitoring sickness absence, will need to get the consent of users or manually check any decisions at the request of a user. 


Handling union membership information

The DPA, and now the GDPR, makes a distinction between normal personal data and more sensitive data. Now called “special category” data, this category has been expanded to include genetic and biometric data as well as information on, for example, ethnicity, sexual orientation and religion. For those in the union movement, the vital thing to understand is that trade union membership comes under this special category.


This is very important, as it means that even greater care is needed to ensure that the details of members are managed and used in the correct way, and that people are not exposed as being members of a union without their prior consent.


More stringent regulation coupled with the larger fines and union membership’s special category status poses a big challenge to unions.


Personal data on members could be stored in a number of different places, from the union’s main membership database to paper files and ad hoc devices used at a local branch level. All of this data is covered by the GDPR, and so reps and other union officials need to pay serious attention to these changes.


The practical implications of the GDPR are still unclear and, in reality, a number of legal cases will be needed to gain greater clarity. However, poor practice around membership data poses risks to unions and could, in theory, result in significant fines.


A big challenge is around where it is that union reps and branches should be storing personal data. Not only should this data be kept securely, but it should also be accessible to the union’s data protection team in the case of a data access or a “right to be forgotten” request. And, as union officials change over time, the information should be stored in a way that allows personal data to be passed on to the new officials safely.


Many unions may need to drastically improve the digital services they provide to reps and officials. Andrea Peace, the TUC’s information manager, states that “the gold standard for unions would be to provide a secure, private and easily-accessible space for every rep who handles personal information to keep and work with all personal data”.


In reality, this could mean a secure area within the union’s website or online union branch system, or providing a GDPR-compliant cloud storage service, licensed to, paid for and administered by the union centrally.


One area unions need to be aware of is the tougher rules around data breaches. Any loss or theft of data needs to be reported within 72 hours to the ICO. Depending on the risk of the breach, each individual affected could need to be contacted directly. There is some basic guidance from the ICO on what constitutes a breach, but to avoid confusion, unions should be issuing their own guidance on this to reps and other officials.


The expectation is that legal precedents, set by case law, will be required before the GDPR’s full implications are known. However, the much tougher standards are spelt out clearly, and the new regulatory regime ensures that the consequences for unions engaging in poor practice could be harsh.


Unions have been working hard to prepare for the new rules. With union membership classified as special category data, and the backbone of unions being made up of the reps and officials who volunteer their time, the challenge to ensure compliance with the GDPR cannot be underestimated.


If you work with the personal data of members, be sure to read all the guidance provided by your union and, if in any doubt, contact your union’s data protection team.


Advice for union reps and officials 


The following checklist can assist reps and officials in complying with the General Data Protection Regulation (GDPR):


• avoid using storage facilities provided by your employer for personal data. Instead, try and use facilities provided by your union;


• try to avoid using home computers for storing personal data — family members should not have access to this data. If personal equipment has to be used, encrypt or anonymise the data;


• never email or post membership data that isn’t properly encrypted;


• hardcopy personal data is included as well — ensure paper records containing sensitive information are kept locked up;


• if a union receives an access request from an individual, be aware that any data being used by reps and officials is subject to this access request and should therefore be passed on to the people handling the request, usually a union’s data protection team;


• personal data should not be stored indefinitely. If in doubt, check with your union how long you should be keeping things like personal case records;


• when taking personal data from members, a privacy statement should be provided. Check with your union for updated guidance;


• don’t keep more personal data than you need. Only store the minimum required;


• getting membership data from employers could become more problematic. Prepare for greater difficulty in getting information such as membership lists if you rely on the employer rather than the union membership system;


• if you are aware of any personal data being lost or stolen, contact your union’s data protection team immediately. A union has 72 hours to report any breaches under the GDPR;


• never ignore any loss or theft of personal data;


• unions will be updating their training courses to include GDPR training. Check with your union if you need to go on a refresher course; and


• your union will be developing its own policies and should be updating reps with guidance on the GDPR and its implications. If in doubt, contact your union’s data protection team.

This article is provided as a resource, but does not constitute legal advice.

Simon Parry is a freelance website consultant with a special interest in unions. He also contributes the regular e-views column to Labour Research.