You are:

Data Protection Act

Briefing for TSSA reps and officers

This briefing covers disclosure of TSSA membership details to third parties (including to employers), privacy and security of personal data on TSSA members and processing of personal data on non-TSSA members.


The Data Protection Act 1998 came into force on 1 March 1998. There was, however, a transitional period covering data processed in existing files and systems; these were not covered by the new regulations until 24 October 2001.

The new Act replaces the 1984 Data Protection Act, and extends the scope of that Act to cover not just personal data held on computer or electronic systems, but also personal data held in manual (paper) filing systems.

The Act also changes the focus from registration to compliance with the eight Data Protection Principles, which in summary provide that data shall be:

  • fairly and lawfully processed
  • obtained for specified and lawful purposes and not further processed in a manner incompatible with that purpose.
  • adequate, relevant and not excessive
  • accurate and where necessary up to date
  • kept for no longer than necessary
  • processed in accordance with data subjects’ rights
  • protected by appropriate security
  • not transferred without adequate protection

In addition, individuals who are the subject of that data have, with some exceptions, the right of access to a copy of information comprising the personal data held on computer or in a relevant filing system and a right to have that data erased or corrected when inaccurate.

The Act applies to the "processing" of personal data, but processing is very widely defined, and covers: "retaining, recording or holding ... including organisation, adaptation or alteration, retrieval, consultation or use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, blocking, erasure or destruction of the data".

It should be assumed that any data held either on computer or on file that identifies an individual is subject to the provisions of the Act.

There are additional provisions relating to the processing of "sensitive personal data", i.e. data on any of the following:

  • Racial or Ethnic Origin
  • Political Opinions
  • Religious or other Beliefs
  • Trade Union Membership
  • Physical or Mental Health
  • Sex Life
  • Criminal convictions/processing

Sensitive personal data may only be disclosed to a third party in defined circumstances, including:

  • Where the data subject has given explicit consent to the processing of the data or
  • Where the processing is necessary for the purposes of exercising or performing any right or obligation conferred or imposed by law on the trade union or
  • Where the processing is carried out in the course of the trade union’s legitimate activities, carried out with appropriate safeguards for the rights and freedoms of the member and does not involve disclosure to a third party otherwise than with the consent of the member or
  • The member has already, deliberately, made the information public or
  • The processing is necessary for legal proceedings or otherwise necessary for the purposes of establishing, exercising or defending legal rights.

These additional requirements, whilst welcome from the point of view of personal privacy and fair employment (e.g. by rendering employers’ lists of trade union activists illegal), place some new constraints on our operation as a trade union.

Discussions have been taking place with our solicitors over a considerable period of time with a view to establishing what, precisely, we can and cannot do in future while still complying with the Act.

Disclosure of TU membership information to employers

1. Staff reps’ elections under "railway" bargaining procedures (i.e. elections where the employer conducts the election and any ballots, with information on TU membership supplied by the unions), are in breach of the Data Protection Act if they require the disclosure of information on individual TU membership to the employer without the express consent of every member involved.
2. Negotiation of pay and conditions on the basis of membership (or otherwise) of a trade union will, if this involves disclosure by the union to the employer of details of individual TU membership, be in breach of the DPA unless the express consent of each individual member has been obtained.

Our policy on reps’ elections is currently the subject of consideration by the Executive Committee in the light of existing TSSA policy, and further guidance will be issued in due course.

Pending confirmation of our final policy, information on individual TU membership must not be disclosed to an employer for the above purposes without the express consent of each individual member.

In pursuing individual cases with management, there can be an implication that the member is prepared for the fact of their TSSA membership to be made known to management.

If you are going to raise an individual’s case with management, you should ensure that you reach a clear agreement with the member that they are willing and prepared for you to do this, and that they understand and agree that this is what you intend to do.

Processing of information on non-TSSA members

You will, from time to time, need to process information on non-TSSA members, even if this is just for the purposes of declining requests for representation.

Similarly, you may contact new entrants or non-TSSA members with a view to recruiting them into membership.

In these circumstances, strict regard should be paid to the fifth Data Protection Principle (that data should be "kept for no longer than is necessary").

This, therefore, means that whilst it would be permissible to process (i.e. to record and retain) personal data on non-TSSA members either in response to a specific enquiry, when recruiting new entrants or for a specific recruitment campaign, this does not entitle us to retain this information forever. Files and records should be regularly reviewed and weeded to ensure that we are not retaining information that may be in breach of the Act.

It should also be noted that recording of information as to TU membership would also cover both membership of another union and non-union members. This is, under the Act, defined as sensitive personal data and would in most cases require the express consent of the individual for us to be able to process it in accordance with the Act.

Security and Privacy of Personal Data

The Act requires that all personal data should be "protected by appropriate security".

You should review your arrangements for storage and retention of personal data, and in particular consider the following aspects:-

  • Are files and papers kept in a secure location? Do you take steps to ensure that personal papers are kept away from "casual" visitors to the workplace?
  • Who beside yourself could have access to personal files?
  • Is correspondence conducted securely, i.e. in sealed envelopes?
  • If files are kept on computer, is access password-protected? Do other people have access to the computer, or to files stored on it?
  • If files, membership lists or other personal data are being stored or processed in the workplace, do you have an agreement with your employer that allows you to do this and also ensures privacy and security of data?
  • If workplace e-mail is used in the conduct of personal cases, is the content of e-mails secure under your employers’ policy?

You should also ensure that you do not disclose details of personal cases to other members or to other reps.

Branch meetings

Care should be taken in the conduct of Branch Meetings, so that any personal data that is disclosed is limited to that which is necessary and relevant.

For example, new membership applications are subject to approval at a branch meeting (Rule 3b); this does not however necessitate the entire contents of an application form being disclosed to those present.

Similarly, individual benefit claims and legal cases being referred to Head Office should only be discussed at Branch Meetings when it is necessary to do so (e.g. if the branch is being asked to support a review of the claim).

Retention of Data

You should review archived files to ensure that any personal data is stored securely, and also that it is only stored for as long as is necessary.

For financial records, we are required to retain these for six years by law; any retention of data by branch officers beyond this time that identifies an individual would need to be by exception (i.e. there would need to be a special reason).

Personal or individual files should be retained for the same length of time (six years from the conclusion of the case).

Notification under the Act

TSSA has provided notification under the 1998 Data Protection Act on the types of personal data that we process and in what circumstances, and this notification also covers our staff reps and branch officers.

This does not, however, remove any responsibilities from lay officers of TSSA for ensuring that personal data is processed in accordance with the Act and the eight Data Principles.

Subject Access Requests

Individuals are entitled, with some exceptions, to ask for information as to what data is held on them, have the right of access to a copy of this information and also the right to have that data erased or corrected when inaccurate.

If you receive a formal request under the Data Protection Act for a copy of personal information held, you must refer this request immediately to John Smith, TSSA Data Protection Contact, Walkden House, London NW1 2EJ.

Please forward copies of any relevant papers along with the original request, and give any relevant background.

You should do this even if you believe that all the data requested could be made available by you locally; we will be able to provide advice and guidance on what is required to be disclosed and also ensure that we are meeting the full terms of the request (we may hold some relevant information centrally that would also need to be disclosed).

In the event of a Subject Access Request, we have 40 days in which to respond. We need to respond even if we do not hold any information; if we do not respond we could face a formal assessment by the Information Commissioner, followed by an order to disclose data.

The first part of this briefing has concentrated on the aspects of the 1998 Data Protection Act most pertinent to lay staff reps and branch officers.

It is not a full guide to the Act, or to its implications across the whole range of TSSA’s activities.

We have, however, also included below some information on other areas where the Act impinges on the way we work at present, as you may be asked about these by members.

Statutory Postal Ballots for industrial action and recognition

Ballots for industrial action or recognition will, as they are required or permitted by statute, allow us to disclose membership details to a third party.

Ballots for Executive Committee seats etc would also allow third-party disclosure for the purpose of conducting the postal ballot, as this is required by law.

Distribution of TSSA publications

For the purposes of distributing the Journal, Diary and other TSSA publications, we are engaging our distributors as "data processors" under the Act, acting solely on our behalf and with specific written contractual provisions in force on the use and non-transfer of the personal membership data supplied by us.

These contractual provisions will also be applied in cases where there is a statutory requirement to disclose personal data to a third party, for example for postal ballots.

Additional Member Services

We may, from time to time, also provide additional member services via direct mail (for example the TUC credit card).

We will apply the same contractual provisions as above; in addition, members will have the right to opt out of any such additional direct mailings by giving notice to Head Office.
A "Data Protection Notice" (sometimes known as a "Fair Collection Notice") has been drawn up and will be published in the TSSA Journal and on the TSSA website, and amended as necessary.

In the event of any member enquiries, it should be stressed, however, that providing and drawing attention to the entitlement to "opt-out" of direct mailings does not mean that we intend to make dramatically increased use of direct marketing of member services, but rather that we are regularising the position for the limited occasions where we do this.


It is necessary to recognise the dilemma that exists through, on the one hand, potential use of the Act on behalf of our members in the workplace (e.g. for obtaining disclosure of personnel records) and on the other hand the fact that the Act places responsibilities on us as a Data Controller.

At the same time, we should recognise that the Act provides us with an opportunity to regularise and update our own policies and procedures, while setting an example of best practice.

Many of the above points may be regarded as "common sense" and reflect the way in which we would want our own personal data to be handled.

However, we need to ensure that we have examined our own practices and procedures, so that we can seek to work within both the spirit and the letter of the Act.

If you have any further questions on any aspect of this briefing, or on any other point arising from the Data Protection Act, you should contact: John Smith, TSSA, Walkden House, 10 Melton Street, London NW1 2EJ.

The briefs in this section provide guidance and some basic details of employment rights. They do not attempt to be comprehensive, and should not be taken as an authoritative statement of the law.