Latest News

CWU TV

CWU News

Postal

Telecoms and Financial Services


CWU Data Protection Policy and Procedures

The Communication Workers Union (CWU) is committed to meeting its obligations under the Data Protection Act of 1998. The CWU will strive to observe the law in all collection and processing of subject data and will meet any subject access request in compliance with the law. The CWU will only use data in ways relevant to carrying out its legitimate purposes and functions as a Trade Union in a way that is not prejudicial to the interests of individuals. The CWU will take due care in the collection and storage of any sensitive data. CWU employees and, where appropriate, representatives, will do their utmost to keep all data accurate, timely and secure.

  • All CWU employees and representatives, whether permanent or temporary, must be aware of the requirements of the Data Protection Act when they collect or handle data about an individual.
  • CWU employees and representatives must not disclose data except where there is subject consent, or legal requirement. Data sent to outside agencies must always be protected by a written contract. All collection and processing must be done in good faith.
  • The Data protection manager will keep records of all complaints by data subjects and the follow up. He/she will also keep a record of all data access requests. There will be a repository of all CWU statements of Data Protection Law compliance and information about any contacts made with the Data Protection Registrar. This information will be available to relevant employees and data subjects on request.
  • The CWU will inform subjects of any processing, or disclosure that does not fall within the CWU's purpose in a way that any individual supplying could be expected to understand.
  • The CWU will keep registration (now called notification) up to date.
  • Principles of data protection outlined in the Data Protection Act:
  • Anyone processing personal data must comply with the eight enforceable principles of good practice.

They say that data must be:

  • Fairly and lawfully processed;
  • Processed for limited purposes;
  • Adequate, relevant and not excessive;
  • Accurate;
  • Not kept longer than necessary;
  • Processed in accordance with the data subjects rights;
  • Secure;
  • Not transferred to countries without adequate protection;

Collecting Subject Data
Policy on collecting subject data
The CWU will only collect data that is relevant to the carrying out of the legitimate purposes and functions of the Union in a way that is not prejudicial to the interests of individuals. All data on individual subjects will be treated in a consistent way. Subjects will be informed about how the CWU will store and use the data at the time of collection. This will require a standard statement to be sent in all written requests for data and a similar verbal script to be used for phone data collection. Where the CWU intends to use data for its main purposes, subjects will be deemed to have given their data for this purpose. If other use is to be made of the data, they will be offered an opt-out for any mailings beyond this core purpose. The CWU will honour this opt-out to the best of its ability.

The CWU will strive to ensure that data collection is as accurate as is possible, given the methods used in collection. Voice mail data may be less reliable than written documents. Data may be stored in many ways such as databases, ordered manual files or Word or Excel files. The data will be collected consistently no matter where the data is to be stored.

Sensitive Data
The CWU will strive to ensure that sensitive data is accurately identified on collection so that the proper safeguards can be put in place. Sensitive data means data consisting of information relating to the individuals:- (a) racial or ethnic origin (b) political opinions (c) religious beliefs (d) Trade Union membership (e) Physical or mental health (f) Sexual life (g) Civil or Criminal offences.

Procedures for collecting subject data

  • A Data Record will be kept showing all data collection points.
  • Employees must inform the Data Protection Desk if they plan to access any new data from individuals.
  • Employees are responsible for ensuring that data is collected accurately and fully.
  • Employees are responsible for ensuring that sensitive data is identified when collected and will inform the subject that this data will be stored at the time of collection.
  • All personal information should be dated at the time of collection so that records can be archived at an appropriate time.

Statement for written forms and web/email communications
When data is collected the following statement must be included in all written forms and also web/email communications:

"If you complete this form the CWU will store and process your data in accordance with the requirements of its Data Protection Policy and in keeping with the Data Protection Act 1998. The CWU occasionally supplies information to other reputable organisations and may keep you informed about products and services that may be of interest to you. Please tick the box if you do not want your data to be used in this way. "

Storage and Processing
Policy for Data Storage and Processing
The CWU will only hold data that is relevant to the carrying out of the legitimate purposes and functions of the Union in a way not prejudicial to the interests of individuals. Information will be accurate and timely and will be held in an environment as secure as possible. CWU employees and, where appropriate, representatives, will be responsible for ensuring that all regular data care procedures are fully and conscientiously followed. All ordered manual files and databases will be kept up to date and will have an agreed archiving policy. Data no longer required for the legitimate purposes of the CWU will be regularly purged.

  • All individual data will be kept secure, by regular office security procedures or through the controls over the computer network. Sensitive data will be treated with appropriate security. Employees and representatives will also take care to meet high standards of security by disposing appropriately any written reports, which are generated from individual records.
  • Any data processing will only be allowed where there is a clear rationale for the activity, which meets the Data Protection Act criteria. Data records will be maintained and employees will be responsible for keeping this up to date.
  • Where data is passed to a third party for processing, The CWU will ensure that a written contract is put in place that states that the agent will work within the CWU's data protection policy. Control of the data will not be allowed to move to the third party.

Procedure for Data Storage and Processing

  1. All data processing should be included in the appropriate data record. Any changes to data storage or processing to be logged with the Data Protection Desk.
  2. All employees must take responsibility for following through any data care work required of them to maintain accurate corporate data systems. They are also responsible for any records they keep in any ordered filing systems.
  3. Archiving policies for data no longer needed in our storage systems will be set up for all data stores. A clear rationale must be supplied for personal data to be kept beyond six years.
  4. All data will be stored in a secure location and precautions will be taken to avoid letting data become accidentally disclosed.
  5. Any agent employed to process data on the CWU's behalf will be bound to comply with the CWU's data protection policy by a written contract.
  6. Any mailings generated from stored data will observe opt out choices in good faith.
  7. Sensitive data should not be kept unless agreed by the Data Protection Desk at the CWU.
  8. Information that is stored on a laptop should be password protected. Particular care should be taken when using a laptop in remote countries without comparable data protection laws.

Disclosures
Policy on Disclosures
The CWU will not allow data collected from subjects to be disclosed to third parties except in circumstances, which meet the requirements of the Data Protection Act. This will be either:

  1. The subject has consented to the disclosure.
  2. The CWU is legally obliged to disclose the data.
  3. There is a business requirement to disclose data that is within the remit of the Data Protection Act and is not prejudicial to the interests of the individual.

The sale or swapping of any data collected by the CWU will only take place where the subject has been informed about this use of their data and offered the chance to opt out.

Procedure on Disclosures

  1. All employees must ensure any general disclosure is recorded on the `Table of Data' and each class of disclosure includes a clear rationale as to why this is taking place.
  2. Any new disclosure to be made must be checked for suitability with the Data protection manager. This may be referred to the Data Protection Registrar for advice.
  3. Any request for data based on a legal requirement, e.g. from Police or other body, must be put in writing and be checked against the advice of the Data Protection Registrar before data is disclosed.
  4. All employees and representatives have a duty to protect individual's data from accidental disclosure:
    * Do not give out passwords to other people, who will then have access to the data you are entitled to view.
    * Do not recycle reports that contain personal data.
    * In particular, take due care to ensure that data is not left about on laptops or in files out of the office where they can be accessed by other people who are not CWU employees or representatives.
  5. In cases where sets of data are disclosed to non-CWU employees, for example external consultants carrying out specific reviews, employees must ensure that subjects have been informed of this use of their data, and why this is done. They must have had an opportunity to opt-out.

Where sensitive data is involved, employees or representatives should not disclose data to outside agents except in cases agreed by the Data protection manager

Subject Access
Subject Access Policy
The CWU will provide information in response to any reasonable subject access request. The CWU will ensure data is kept in an accessible form to facilitate subject access.

Procedure on Subject Access Policy

  1. Employees and representatives will make every effort to ensure that immediate action is taken when a data access is requested. They will contact the Data Protection Desk immediately.
  2. A standard letter (amended as appropriate) will be sent to the subject stating the CWU policy on subject access. This will promise to provide the required data to the best of the CWU's ability within 40 days. The CWU reserves the right to ask for a maximum payment of up to £10.
  3. A search will be set up by the Data Protection Desk to ensure that all relevant data will be collected and collated ready to present to the subject. The search will include all electronic data and ordered manual files if required. Information on data collection, storage, processing and transfer may be required.
  4. The data will be offered to the subject at the CWU's premises with an employee on hand to help with any queries or interpretations. If the subject is unable to visit the CWU's premises, alternative arrangements can be negotiated.

Additional Subject Rights The Consumer Credit Act 1974 and Data Protection Act 1998 provide certain specific rights to individuals. The CWU Data Protection Policy recognises these rights as follows:
i) The right of individuals to have incorrect entries in their files removed or corrected and will confirm such deletions or corrections have taken place.
It is recognised that processing is necessary for the performance of a contract with a data subject or the data subject's prior consent has been obtained.

The CWU will cease, within a reasonable time, or not to begin processing, or processing for a specific purpose in a specified manner, any personal data in respect of which the individual is a data subject on the grounds that:
a) the processing of this data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and
b) damage or distress is or would be unwarranted

A request to cease such processing must be made, in writing, to the CWU Data Protection Manager. The CWU will respond within 21 days of receiving such a request, confirming compliance with the request or disputing why the processing is warranted.
ii) the right for an individual at any time by written notice to ask a data controller to cease (within a reasonable time) or not to begin processing, for the purposes of direct marketing of personal data in respect of which he is the data subject.
The CWU will cease, or not begin processing personal data on receipt of a request, by the Data Protection Manager, from the individual in writing.
iii) rights of rectification blocking, erasure and destruction in relation to personal data held about a data subject.
The CWU endeavours to ensure that all individual data is accurate. In the event of any inaccuracies being identified then steps will be taken to make appropriate corrections within a reasonable period. Additionally, if information provided to a third party is found to be inaccurate, then the third party will be contacted without delay to ensure that the inaccuracy is corrected.

Complaints and Queries
Policy on Complaints and Queries.

  • The CWU will respond to any complaints as quickly and responsively as possible. Any letter we receive in relation to the Data Protection Act, that questions our policy and/or procedure will be dealt with immediately.
  • Records will be kept of all correspondence for 6 years.

Procedure on Complaints and Queries

  1. Notify the Data Protection Desk.
  2. Continue to inform the Data Protection Desk of any correspondence and developments as they occur.

Glossary of Terms

  • Data Protection Manager Person responsible for ensuring the maintenance and delivery of the CWU Data Protection Policy and procedures.
  • Data Subject Any person who has their personal data recorded and stored by the CWU
  • Data Protection Desk The central point for managing the CWU Data Protection Policy and procedures. Reporting to the Data Protection Manager
  • Data Record Record of all Data Collection points and enquiries regarding the provision of data
  • Other terms to be added as necessary.

Contact: atrewartha@cwu.org

CWU, 150 The Broadway, Wimbledon, SW19 1RX Tel: 0208 9717 200  /  Fax: 020 8971 7300  /  Text Relay: 1800102089717200  /  Email: info@cwu.org