CSP Data Protection Act guide for stewards and safety representatives

This guidance will assist those of you who undertake casework.

In the simplest terms, the data protection principles you apply to patients/clients also apply to members in the management of their casework. This includes any supporting documentation relating to a case, such as patient records. 

Data Protection overview

Any personal information you receive, gather or record for casework, or in the general course of union activity, is covered by data protection legislation.  That means the subject of the information – the member – has rights to how it is processed, stored and used.  It also means the CSP, including you as a union volunteer (steward/safety rep), has responsibilities to process, store and use the information within the terms of the Data Protection Act (DPA). 

There are eight enforceable principles of good practice listed in the Act.

These state data must be:

  1. processed fairly and lawfully
  2. processed for specified, lawful and limited purposes
  3. adequate, relevant and not excessive
  4. accurate
  5. not kept longer than necessary
  6. processed in accordance with the data subject’s rights
  7. secure
  8. not transferred to countries without adequate protection

Gathering data

It’s important that you maintain proper and sufficiently comprehensive records of cases, but without keeping unnecessary information.  Ask yourself, is the information you are collecting: relevant? needed? proportionate?

Make sure you don’t gather information that could be in breach of someone else’s rights. e.g. patient records could support your case but you must have permission from your employer so you can agree how you ensure you are not breaching the patient’s rights. 

Don't collect information for the sake of it.  Keep all note taking simple, factual, accurate and professional.

Remember: all your notes, correspondence and emails concerned with a case are more likely than not to be disclosable under data protection legislation, including those about the member rather than directly addressed to the member. 

Storing data

Physical security is the first line of defence in protecting members’ data. Is there a union room or a lockable storage container/filing cabinet with appropriate restricted access?  Management have an obligation to provide accredited reps with suitable facilities, but if you are having difficulties speak to your Senior Negotiating Officer. 

Files and records should be locked away when not in use and there should be limited access to the storage. If your notes are electronic, then access should be password protected.  If using a shared PC, then individuals should have separate log-in profiles and casework files should be in protected folders.

Who owns the data?

Your casework files and records, whether paper-based or electronic, belong to the CSP and is our data.  It is subject to our data protection registration and responsibilities. 

As a union volunteer you are also bound by our data protection policies and procedures.  Please make yourself aware of your responsibilities in maintaining members’ privacy, confidentiality and the protection of their data.  Under the DPA, individuals are responsible and accountable as well as organisations, which is an important reason why you should adhere to the CSP’s guidance to help ensure you protect yourself. 

Where management’s resources are used to store files and records, be these in physical cabinets or on IT networks, the files and records remain the data of the CSP and subject to our data protection rules and not that of the employer. 

Therefore the employer has no right to see our data, even if they receive a Freedom of Information (FOI) request.  The person enquiring can always make a separate request to the CSP if they believe we hold personal data about them. 

If in doubt, or management do not accept your argument about data ownership then refer the matter to the CSP’s data protection officer, tel: 0207 306 6666. 

Accessing the data

Ideally, only be the steward/safety rep directly involved in a case should be able to view the data.

Of course, members have access rights to their own personal data.  They can submit a request to see their data, this is called a subject access request.  If a member enquiries about making a subject access request or submits one to you, you can refer them to this page on the website for more information.

It is not your responsbility to deal with subject access requests, or even to pass them on.  The member is responsible for getting the request to the CSP's data protection officer.

Retaining data

Files and records of casework should be kept for six years, which covers the period during which a claim could be made against the CSP in relation to the case. 

If you have any concerns regarding any of the above, you can discuss them with your Senior Negotiating Officer.

If you would like to read a more in-depth review of these points, please download the attachment below.