This briefing covers disclosure of TSSA membership details to third parties (including to employers), privacy and security of personal data on TSSA members and processing of personal data on non-TSSA members.
The General Data Protection Regulation (GDPR) came into force on 25 May 2018, updating and extending the scope of the Data Protection Act 1998 (DPA) which it replaced. The aim of the new regulation is to make it easier for individuals to manage and understand what data is held about them and to provide a higher level of protection for all data subjects.
The Regulation defines the rights of individuals in respect to the data processed about them and lays out principles that organisations should follow when processing that data. These principles are broadly the same as those defined under the DPA 1998.
- Used lawfully, fairly and in a transparent way (lawfulness, fairness and transparency)
- Adequate, relevant and limited to what is necessary (data minimisation)
- Accurate and kept up to date (accuracy)
- Kept only as long as necessary (storage limitation)
- Kept securely (security, integrity and confidentiality)
- Not transferred to another country without appropriate safeguards (transfer limitation)
- Made available to data subjects on request (data subjects rights and requests)
The GDPR applies to the processing of personal data, broadening the definition to include any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This would include name, membership number, location data or an online identifier. The GDPR applies to both automated personal data and to ‘organised’ manual filing systems.
Trade Union membership is one of several Special Categories of data under GDPR – previously classified as "sensitive personal data" under the DPA. In addition to trade union membership, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health, sex life or sexual orientation are included. Article 9 of the GDPR sets out the requirements that must be followed in order to process these special categories. The TSSA will rely on the fact that the processing is carried out within its legitimate activities as a Trade Union in so far as it relates to members and former members of the Association or those that have regular contact with it and on the proviso that the personal data is not disclosed outside the Association without the consent of the data subjects.
Disclosure of TU membership information to employers
It is implicit, when we represent members, that members consent to the disclosure of the fact of their membership to an employer or other third party.
In exceptional cases, if there are reasons to doubt that consent is implicit, then express consent should be obtained from the member.
Processing of information on non-TSSA members
You will, from time to time, need to process information on non-TSSA members, even if this is just for the purposes of declining requests for representation.
Similarly, you may contact new entrants or non-TSSA members with a view to recruiting them into membership.
In these circumstances, strict regard should be paid to the principle of data minimisation, only collect what is required and keep it for as long as necessary.
This means that whilst it would be permissible to process (i.e. to record and retain) personal data on non-TSSA members either in response to a specific enquiry when recruiting new entrants, or for a specific recruitment campaign, this does not entitle us to retain this information forever. Files and records should be regularly reviewed and weeded to ensure we are not retaining information that may be in breach of the Regulation.
It should also be noted that recording of information about TU membership would also cover both membership of another union and non-union members. This is one of the special categories of information and would in most cases require the express consent of the individual for us to be able to process it.
Security and Privacy of Personal Data
The Regulation requires that all personal data should be protected by an appropriate level of security.
You should continually review your arrangements for storage and retention of personal data, and in particular consider the following aspects:
- are files and papers kept in a secure location? Do you take steps to ensure personal papers are kept away from "casual" visitors to the workplace?
- who besides yourself could have access to personal files?
- is correspondence conducted securely, i.e. in sealed envelopes?
- if files are kept on computer, is access protected by a secure password at least eight characters long with a mix of upper and lower alpha, numeric and special characters?
- do other people have access to the computer, or to files stored on it?
- if files, membership lists or other personal data are being stored or processed in the workplace, do you have an agreement with your employer that allows you to do this and also ensures privacy and security of data?
- if workplace e-mail is used in the conduct of personal cases, is the content of e-mails secure under your employers’ policy?
You should also ensure you do not disclose details of personal cases to other members or to other reps.
Care should be taken in the conduct of Branch Meetings, so that any personal data that is disclosed is limited to that which is necessary and relevant.
For example, new membership applications are subject to approval at a branch meeting (Rule 3b); this does not however necessitate the entire contents of an application form being disclosed to those present.
Similarly, individual benefit claims and legal cases being referred to Head Office should only be discussed at Branch Meetings when it is necessary to do so (e.g. if the branch is being asked to make an appeal to the EC against the decision not to provide legal support).
Retention of Data
You should review archived files to ensure any personal data is stored securely, and also that it is only stored for as long as is necessary.
For financial records, we are required to retain these for six years by law; any retention of data by branch officers beyond this time that identifies an individual would need to be by exception (i.e. there would need to be a special reason).
Personal or individual files should be retained for the same length of time (six years from the conclusion of the case).
Rights of access, correction, erasure, and restriction
It is important that the personal information we hold about members is accurate and up to date. You should encourage members at every opportunity to check and update their record on MyTSSA or to email any changes to firstname.lastname@example.org
Under the GDPR members have several rights designed to give them more control over the data that we hold and process. Members have the right to:
- request access to their personal information – known as a "data subject access request". Enabling members to request a copy of the personal information we hold about them and to check that we are processing it lawfully. This could include information held by representatives in non-TSSA and non-employer media such as email, whatsApp, SMS or other digital media. When using such media be extremely careful not to identify members or non-members. Do not retain material any longer than is strictly necessary.
- request correction of the personal information that we hold
- request erasure of their personal information
- object to processing of their personal information – in most circumstances this will be treated as a withdrawal form membership
- request the transfer of their personal information in an electronically portable format
If a member wants to review, correct or request the erasure of their personal information or request that we transfer a copy of their personal information to another party then they should contact our Data Protection Officer Will Boisseau. No fee will usually be required for this. However, we may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Statutory Postal Ballots
Statutory Postal Ballots for industrial action and recognition
Ballots for industrial action or recognition will, as they are required or permitted by statute, allow us to disclose membership details to a third party.
Ballots for Executive Committee seats etc would also allow third-party disclosure for the purpose of conducting the postal ballot, as this is required by law.
Third Party and TSSA Mailings
We may, from time to time, provide additional member services via direct mail. These are classified as third-party mailings and would only be sent to members who have opted in to receive this type of mailing. Additionally, under GDPR members must actively opt in to receive such mailings. We don’t, as of June 2018, currently process or have any plans to market additional member services via direct mail.
We do plan to offer members more choice in the mailings they receive from us by categorising our TSSA mailings as either required or optional. Required mailings will be compulsory and will include correspondence on matters such as subscription collections or membership status. Optional mailings will be grouped by subject area and members will be able to choose which mailings they wish to receive through a mailing preferences area on MyTSSA. A further update will be sent to Reps, Officers and members direct when this is available.
Further advice on communicating with members is available here branches should pay special attention to the advice on contacting members through social media.
MyTSSA and GDPR
MyTSSA makes membership records available to members to check and update their information, and that information is available to Division Council and Branch Officers, Company Reps or Local Reps when they have been associated with a Reps' Constituency.
MyTSSA is a key resource for organising, recruiting and communicating with members but it must be used in line with the principles of GDPR that were listed at the top of this page.
Adequate, relevant and limited to what is necessary – the information that is made available to you through MyTSSA has been done so with this principle in mind – but do not keep records on members that are unnecessary or excessive.
Accurate and kept up to date – MyTSSA is our main tool for ensuring this. Encourage members to update their membership information and you update the membership information where you can (branch and local reps can update member workplace details, only members themselves can update their personal information).
Kept only as long as necessary – we make details of 'left' and 'withdrawn' members available to you through MyTSSA for 12 weeks, after that they are hidden. The most accurate membership information is available each day. Do not store lists.
Kept securely – never share your login and never share the membership information that is made available to your for the purpose of carrying out your role. Protect your MyTSSA account and the data trusted to you with a secure password and take steps to avoid the most common causes of data breaches.
- data posted or faxed to incorrect recipients
- loss or theft of paperwork
- data sent by email to the incorrect recipient
- failure to redact data
- failure to use bcc when sending email
Take steps to avoid these problems by always checking your recipient list when posting or emailing, keeping TSSA lists and paperwork securely locked away, redacting data when necessary and never sending emails to more than one member using the 'To:' button. To email your members, TSSA has previously recommended using Mailchimp. This advice will be updated on our site shortly and a link made available here.
Source: Information Commissioners Office website '2017-18 top five categories of reported breach'
Data Protection Officer
In line with the regulation TSSA has a designated DPO – Will Boisseau. If you are in any doubt about the actions to take or suspect you have inadvertently caused a breach you should consult him without delay by email at email@example.com. Will will get back to you with advice as soon as he is able to do so.
The GDPR requires us to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is known as ‘data protection by design and by default’. This means, in essence, that as an organisation the TSSA has to integrate or ‘bake in’ data protection to all our processing activities and business practices. In response to the GDPR we will continuously review all our Information Security processes and procedures. We have an on-going process of improvement including running staff training and representative awareness programmes. Our privacy notices have been updated and re-issued.
These policies, procedures and notices are designed to guide the actions we take as reps and officers in working to protect the privacy of the personal data that our members entrust us with.
This advice was last updated on 7 June 2021.