BECTU NEC Report to 2003 Conference appendix D: Data protection: a guide for BECTU Branches

Definitions

The Data Protection Act 1998 came into force on 1 March 2000.[1] It repealed the previous 1984 Act, and introduced new rules for processing personal information. It also extended the law to cover paper records as well as those held on computers.[2] The word "data" is actually a plural, but this guidance note sometimes uses it as a singular where this helps the meaning.

"Processing" data means not only collecting it, recording it, referring to it and using it, but also storing it, transferring it, modifying it, or destroying it. And data includes not only information held on computer, but also on e-mails, a card index, or any "structured" paper filing system.

The Act applies to "personal data". The word "data" just means information, but the Act is concerned only with data about identifiable living individuals. Personal data includes both facts and opinions about the individual, and stated intentions towards the individual on the part of the person or body processing the data.

There are five key definitions under the Act which need to be understood:

  • "data subjects" are the people about whom information is processed;
  • "data controllers" are the people or bodies who decide the purpose for which the data is processed and how it is processed;
  • "data processors" are people or bodies unconnected with the data controller who may process data on behalf of the data controller;
  • "recipients" are people, who may or may not be connected with the data controller or data processor, to whom data is disclosed;
  • "third parties" are people other than the data subject, the data controller, the data processor, or anyone else authorised to process the data.

BECTU as a data processor

BECTU is notified to the Information Commissioner (formerly the Data Protection Commissioner) as a data controller. Our notification entry can be viewed online at the website of the Data Protection Register, www.dpr.gov.uk/ by typing our registration number Z5584596 in the search box. We have made statements to members in Stage Screen & Radio (September 2001, October 2002) identifying BECTU as a data controller and describing what data we process and for what purposes. Membership application forms should contain a similar notice to prospective members. Data about members cannot lawfully be processed outside the terms of BECTU's data protection notification and the statements made to members.

For data protection purposes, "BECTU" as a data processor means the union as a body, its employees, and its agents. "Its agents" includes branches and branch officers of the union. In other words, branch officers are required to comply with the statutory rules on data protection (the Data Protection Principles) as much as the General Secretary or the head office membership staff.

The Data Protection Principles

The eight Data Protection Principles say that personal data must be:

  1. fairly and lawfully processed;
  2. processed for limited purposes and not in any manner incompatible with those purposes;
  3. adequate, relevant and not excessive;
  4. accurate;
  5. not kept for longer than is necessary;
  6. processed in line with the data subject's rights;
  7. secure;
  8. not transferred to countries without adequate data protection provisions.

Processing can only be carried out where at least one of the following conditions is met:

  • The individual data subject has given consent
  • The processing is necessary for the performance of a contract with the individual
  • Processing is required by a legal obligation
  • Processing is necessary to protect the vital interests of the individual
  • Processing is necessary to carry out public functions
  • Processing is necessary in order to pursue the legitimate interests of the data controller (unless it could prejudice the rights of the data subject).

The relationship between BECTU and a member is a contractual one (based on the application form and the rule book), and the union is permitted to process members' personal data for this reason. The union seeks to obtain members' consent to processing through regular notices in its journal, on its website and on its membership application forms, though this assumes "opting-out" where a member refuses consent. The union also considers that processing members' data is necessary to protect their vital interests (their rights at work and as union members), to carry out a public function (trade union representation), and to pursue the union's legitimate interests (its functions as a trade union).

Sensitive personal data

There is a further definition to be grasped: that of "sensitive personal data". This includes information on an individual's

  • racial or ethnic origin
  • political opinions
  • religious or other belief
  • health
  • sex life
  • criminal proceedings or convictions.

Crucially from our point of view, it also includes information on an individual's

  • trade union membership.

Trade union membership

The fact of whether an individual is, or is not, a member of a trade union is regarded as sensitive personal information. As such that fact should be treated with the same care as the other, more obvious, sensitive personal information. It must not be communicated to a third party unless at least one of the following conditions has been met:

  • The individual has given explicit consent
  • The processing is required by law for employment purposes
  • The information needs to be processed to protect the individual's vital interests
  • The information needs to be processed to protect someone else's vital interests
  • The administration of justice or legal proceedings require the processing.

Data protection at head office level

Branch officers are of course asked to update and correct lists from the union's central database of members. There is a legal contradiction involved here. The union is legally required to keep its register of members accurate and up-to-date,[3] but it may legally accept a mailing address other than a home address for a member only if the member him- or herself has notified it in writing.[4] The Certification Officer has stated that where a union does not have a member's home address, it must not use a "c/o Employer Ltd" address - by the same token it should not use an address supplied by someone other than the member. It is preferable, according to the Certification Officer, to disenfranchise the member.[5] This ruling remains to be challenged, but BECTU will follow what it deems to be the higher priority - a database that is as complete and accurate as possible - so as to enfranchise the maximum number of members in ballots and activities.

Data protection at branch level

The key requirement for branch officers, however, is to ensure that the transmission of the data remains securely within the union. For instance: they must not leave membership lists lying about in the workplace; they must not send or e-mail data about members to addresses they cannot be sure are inaccessible to a third party; they must not use an employer's internal mail system for items that are clearly being sent to union members only.

That being said, the ordinary everyday activities of trade union organisation cannot be conducted clandestinely. Nor should the union feel inhibited by data protection procedures from functioning normally and reasonably. Data protection becomes critical when the union is doing something that is not clearly anticipated, either explicitly in its rules or as an obvious thing for it to do. An example of this is marketing a credit card. BECTU's objects include the promotion of members' interests "commercially or otherwise by any method deemed appropriate by conference or the National Executive Committee".[6] But members' interests include the right to opt out of direct mailing, and hence the union is required to issue data processing notices as well.

As a data subject, any member has the legal right (subject to certain procedures) to see the data the union holds on him or her. This will include any data held at branch level. When data is being processed, the person processing it should always be aware that one day the member concerned might see it. Check that all the Data Protection Principles are being upheld.

Branches must not, for this reason, use the data supplied by head office for purposes not covered by BECTU's data protection registry entry. Data held at branch level is included in the union's entry. Branches must not routinely collect additional data that the union does not collect centrally - for example, sensitive personal information on health, even if connected with benevolent or social purposes, or on political opinions, even if connected with anti-fascist vigilance. If a branch has a legitimate purpose for which it would like to collect and process data, and that purpose is not covered by the union's registry entry, it must consult head office first. If appropriate, the registry entry can be altered or extended, if the National Executive Committee approve.

In fact, whenever a branch is in doubt about what data it is processing, or how it is processing it (and remember, this could include paper files), it should contact head office.

Notes

  1. Thompsons Solicitors have prepared a booklet Data Protection - an Introduction to the Act, available free through BECTU's head office on request
  2. For a transitional period (until 24 October 2007) paper files are included in the data that must be disclosed in a "subject access request". After 2007 paper files will be treated like electronic files for all other purposes. Data Protection Act 1998, Schedule 8.
  3. Trade Union and Labour Relations (Consolidation) Act 1992, s.24(1)
  4. Trade Union and Labour Relations (Consolidation) Act 1992, s.24(5)
  5. Certification Officer, Decisions D/10-13/96 (4 September 1996)
  6. BECTU rule book, rule 5(c)

Last updated 18 April 2003