Data Protection Concerns for Unions

18 Oct 2017

Data Protection General Protection Data Regulations (GPDR)

Trade unions are among the organisations that must put in place proper data protection policies ahead of the General Protection of Data Regulations (GPDR), which come into effect across the EU on May 25, 2018. 

Organisations that fail to comply after that point could face fines of up to €20m. 

Acording to Laura Flannery from the Office of the Data Protection Commissioner, who delivered a recent Friday Briefing in Congress on this issue, the data protection policies must ensure that all information is provided in a manner that is user-friendly and in easily accessible language, particularly when children are involved.

Ms Flannery said pointed out that trade union membership falls under the category of ‘sensitive data’ for the purposes of the Act. Under the provisions of the GDPR, fines of up to €20 million or 4% of group worldwide turnover (whichever is greater) can be imopsed on a company for failure to comply with legislation.

There are eight key principles that govern the holding of information on subjects:

  • Obtain and process information fairly;
  • Keep it only for one or more specified, explicit and lawful purposes;
  • Use and disclose it only in ways compatible with these purposes;
  • Keep it safe and secure;
  • Keep it accurate, complete and up-to-date;
  • Ensure that it is adequate, relevant and not excessive;
  • Retain it for no longer than is necessary for the purpose or purposes;
  • Give a copy of his/her personal data to that individual on request.

 In addition, the protection of data integrity is essential and there are three methods to ensure this:

  1. Pseudonymisation replacing any identifying characteristics of data with a pseudonym, or, in other words, a value which does not allow the data subject to be directly identified);
  2. Anonymisation processing data with the aim of irreversibly preventing the identification of the individual to whom it relates;
  3. Cryptography a method of storing and transmitting data in a particular form so that only those for whom it is intended can read and process it.

In relation to the the GDPR, the Office of the Data Protection Commissioner has advised that it is best to take a "common sense" approach, and that people who are currently compliant should not find it difficult to meet the additional requirements of the GDPR.  It is recommended that each union put in place and clearly document its own Data Protection Policy.

You can find out more about the GDPR in The Congress Guidelines.

A step-by-step guide to the GDPR is available from the Office of the Data Protection Commissioner