Data Protection Policy

What Data We Gather And Why

1. Data Protection And You

As a membership organisation, which provides legal advice and representation, the IWGB gathers a fair amount of data. In addition to personal data pertaining to our members, we also gather data on our employees and volunteers, as well as on donors and business contacts. Below we set out more information on the information gathered and reasons for gathering.

2. Membership Data

  1. The IWGB maintains membership records for all members. The records include such things as the member's name, contact details, bank information, demographics, and employment-related information. This information is provided by the members.
  2. An individual's membership records are maintained by us during their membership and for six years post-membership.
  3. The lawful basis for collecting this data is known as "Legitimate Interests" (GDPR Article 6(1)(f)). The legitimate interest we pursue is running a grassroots and campaigning trade union whose primary purpose is to facilitate and promote collective and collaborative action of its members to improve their wages, terms, conditions, and working conditions.
  4. As we collect information on demographics like race and gender, and as by definition our membership records reveal the individual's trade union affiliation, our membership records are considered "Special Category Data". This means we need a further justification for processing this data. For this we rely on the Legitimate Activities" justification as given in GDPR Article 9(2)(d): Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.
  5. The IWGB has conducted a Data Protection Impact Assessment (DPIA) and concluded that the above legal bases for processing membership data are appropriate. A copy of the DPIA can be provided to members upon request.
  6. As part of the IWGB’s aim is to facilitate collective action and collaboration, the IWGB will facilitate members contacting each other by the calling of meetings or use of Whatsapp groups or similar technology. No more information will be shared than the minimum necessary to facilitate group communication and collaboration and members have a right to opt out of these communications if they so wish by merely informing the IWGB of their desire to opt out.
  7. The IWGB engages data processors to assist with the processing of membership data. Types of processors include email servers such as gmail, electronic document storage such as Dropbox, and other processors which facilitate communication with members, such as Mailchimp and Text Tank. The IWGB reserves the right to engage other processors as and when is necessary to assist with the processing of membership data in furtherance of the legitimate aims identified above.

3. Casework Data

  1. The IWGB maintains additional records for members who are seeking legal advice and/or representation with our Legal Department. The records include such things as extensive details related to their occupation or licencing and in many cases will include medical records. This information is provided mainly by the members though some may be provided by third parties involved in the member’s case.
  2. An individual’s casework records are maintained by us during their case and for six years post-case.
  3. The lawful basis for collecting this data is known as “Legitimate Interests” (GDPR Article 6(1)(f)). The legitimate interest we pursue is providing quality legal advice and representation to IWGB members.
  4. As we collect information on demographics like race and gender, and often medical data, casework data are considered “Special Category Data”. This means we need a further justification for processing this data. For this we rely on the “Legitimate Activities” (GDPR Article 9(2)(d)) justification: Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.
  5. The IWGB has conducted a Data Protection Impact Assessment (DPIA) and concluded that the above legal bases for processing casework data are appropriate. A copy of the DPIA can be provided to members upon request.
  6. The IWGB engages data processors to assist with the processing of casework data. Types of processors include email servers such as gmail and electronic document storage such as Dropbox. The IWGB reserves the right to engage other processors as and when is necessary to assist with the processing of casework data in furtherance of the legitimate aims identified above.

4. Employee Data

  1. The IWGB collects personal data on its employees so as to carry out its function as an employer. The records include such things as contact details, CVs, bank details, and employment records. This information is provided by the employees.
  2. This data is maintained by us for two years or as long as is necessary for the defense of potential legal claims.
  3. The lawful basis for collecting this data is known as “Legitimate Interests” (GDPR Article 6(1)(f)). The Legitimate interest we pursue is: being a fair employer which provides staff with all relevant statutory rights as well as terms and conditions above and beyond those required by statute.
  4. The IWGB has conducted a Legitimate Interest Assessment (LIA) for this category of data processing and has concluded that legitimate interests is an appropriate lawful basis for the processing. The LIA can be provided to employees upon request.
  5. The IWGB engages data processors to assist with the processing of employee data. Types of processors include email servers such as Gmail, electronic document storage such as Dropbox, and other processors which facilitate the IWGB’s role as an employer, such as pension provider NOWPension and payslip provider KashFlow. The IWGB reserves the right to engage other processors as and when is necessary to assist with the processing of employee data in furtherance of the legitimate aims identified above.

5. Volunteer Data

  1. The IWGB collects personal data on its volunteers so as to carry out its function as a voluntary/non-profit organisation which uses volunteers. The records include such things as contact details and CVs. This information is provided by the volunteers.
  2. This data is maintained by us for six years after volunteering or as long as is necessary for the defense of potential legal claims.
  3. The lawful basis for collecting this data is known as “Legitimate Interests” (GDPR Article 6(1)(f)). The legitimate interest we pursue is being a voluntary/non-profit organisation which depends on the help of volunteers to function.
  4. The IWGB has conducted a Legitimate Interest Assessment (LIA) for this category of data processing and has concluded that legitimate interests is an appropriate lawful basis for the processing. The LIA can be provided to volunteers upon request.
  5. The IWGB engages data processors to assist with the processing of volunteer data. Types of processors include email servers such as Gmail and electronic document storage such as Dropbox. The IWGB reserves the right to engage other processors as and when is necessary to assist with the processing of volunteer data in furtherance of the legitimate aims identified above.

6. Donor and Supporter Data

  1. The IWGB collects personal data on donors and supporters so as to carry out fundraising activities and obtain support for campaigns and other initiatives. The data concerned are names and contact information. This information is provided by the donors, supporters, or a third party which assists in the fundraising or campaigning efforts.
  2. This data is maintained by us indefinitely or until it is requested we delete it.
  3. The lawful basis for collecting this data is known as “Legitimate Interests” (GDPR Article 6(1)(f)). The legitimate interest we pursue is to obtain donations and support from individuals in order to help finance the IWGB as a voluntary/non-profit organisation and support the IWGB as a campaigning organisation.
  4. The IWGB has conducted a Legitimate Interest Assessment (LIA) for this category of data processing and has concluded that legitimate interests is an appropriate lawful basis for the processing. The LIA can be provided to donors and supporters upon request.
  5. The IWGB engages data processors to assist with the processing of donor and supporter data. Types of processors include email servers such as gmail, electronic document storage such as Dropbox, and other processors which facilitate communication with donors and supporters, such as MailChimp. The IWGB reserves the right to engage other processors as and when is necessary to assist with the processing of donor and supporter data in furtherance of the legitimate aims identified above.

7. Business Contacts' Data

  1. The IWGB collects personal data on business contacts so as to be able to liaise with other organisations to achieve its aims. The data concerned are names and contact information. This information is provided by the business contacts themselves, by third party mutual contacts, or is publicly available.
  2. This data is maintained by us indefinitely or until it is requested we delete it.
  3. The lawful basis for collecting this data is known as “Legitimate Interests” (GDPR Article 6(1)(f)). The legitimate interest we pursue is to have a network of like-minded organisations with whom the IWGB can work to achieve its aims.
  4. The IWGB has conducted a Legitimate Interest Assessment (LIA) for this category of data processing and has concluded that legitimate interests is an appropriate lawful basis for the processing. The LIA can be provided to business contacts upon request.
  5. The IWGB engages data processors to assist with the processing of business contacts’ data. Types of processors include email servers such as gmail, electronic document storage such as Dropbox, and other processors which facilitate communication with business contacts, such as Mailchimp. The IWGB reserves the right to engage other processors as and when is necessary to assist with the processing of business contacts’ data in furtherance of the legitimate aims identified above.

Your Rights

1. Right of Access

  1. You have the right to access your personal data and supplementary information. This will allow you to be aware of and verify the lawfulness of the IWGB’s processing of this data.
  2. To request access to your personal data, please send your request to the IWGB (contact information below) and entitle the request: “Access to Personal Data”.
  3. So as to ensure that your data is not accidentally disclosed to a third party, the IWGB will use reasonable means to verify your identity.
  4. Once a request is received, your information will be provided to you free of charge, save for exceptional circumstances. However, the IWGB does reserve the right to charge a reasonable fee when a request is manifestly unfounded or excessive, particularly if it is repetitive. The IWGB may also charge a reasonable fee to comply with requests for further copies of the same information. The fee will be based on the administrative costs of providing the requested information.
  5. Your information will be provided without delay and at the latest within one month of receipt, save for exceptional circumstances. If your requests are complex or numerous, the IWGB may extend the period for compliance by a further two months. However, if this is the case, we will contact you within one month of receipt of your request, in order to explain why the extension is necessary.
  6. In the unusual event that for some legitimate reason the IWGB refuses to respond to a request, the IWGB will, without delay, and no later than one month from receiving the request, write to you to explain the rationale of the refusal and informing you of your right to complain to the Information Commissioner’s Office (ICO) and to a judicial remedy.

2. Right to Rectification

  1. You have the right to have your personal data rectified if it is inaccurate or incomplete.
  2. If the IWGB has disclosed the personal data in question to others, we will contact each recipient and inform them of the rectification unless this proves impossible or involves disproportionate effort. If requested, the IWGB will provide you with information about these recipients.
  3. Once a request for rectification is received, the IWGB will comply within one month unless the request for rectification is complex, in which case the time period may be extended by a further two months.
  4. In the unusual circumstance that the IWGB for some legitimate reason does not take action in response to a request for rectification, we will explain why, and will inform you of your right to complain to the ICO and to a judicial remedy.
  5. Your request should be sent to:
    1. If you are an employee, to your line manager;
    2. If you are a volunteer, to your main contact at IWGB;
    3. If you are a member and the request relates to membership data, to Sebastien Flais (contact information below);
    4. If you are a member and the data relates to a case you have or had with the Legal Department, to your caseworker;
    5. For any other reason, or for more than one of the above, to the IWGB (contact information below).

3. Right of Erasure

  1. You have the right, in certain circumstances, to request the deletion or removal of your personal data where there is no compelling reason for its continued processing.
  2. The right to erasure does not provide an absolute ‘right to be forgotten’. You have a right to have your personal data erased and to prevent processing in the following specific circumstances:
    1. When your personal data is no longer needed in connection with the purpose for which it was originally collected/processed;
    2. If you object to the processing of your data and it can be demonstrated that there is no overriding legitimate interest for continuing the processing;
    3. If your data was unlawfully processed (ie. otherwise in breach of the GDPR); or
    4. Your personal data has to be erased in order to comply with a legal obligation.
  3. c. Your right of erasure is not limited to circumstances in which the processing of your data is causing you unwarranted and substantial damage or distress. However, if the processing does cause you damage or distress, this is likely to make the case for erasure stronger.
  4. The IWGB may refuse your request for erasure if we are processing your data for any of the following reasons:
    1. To exercise the right of freedom of expression and information;
    2. For public health purposes in the public interest;
    3. Archiving purposes in the public interest, scientific research, historical research, or statistical purposes; or
    4. The exercise or defence of legal claims.
  5. If your request for erasure is granted, and the IWGB has disclosed the data in question to others, we will contact each recipient and inform them of the erasure of the personal data – unless this proves impossible or involves disproportionate effort. If requested, we will inform you about these recipients.

Right to Restrict Processing

  1. You will have the right to ‘block’ or suppress the processing of your personal data in certain circumstances. When this right is engaged, the IWGB may elect to store your personal data, but we will not further process it. We will retain just enough information about you to ensure that the restriction is respected in future.
  2. The IWGB will restrict the processing of your personal data in the following circumstances:
    1. If you contest the accuracy of the personal data we will restrict processing until we have been able to verify that accuracy.
    2. If you object to the processing of your personal data (more on which below) and the processing is necessary for the purpose of legitimate interests, the IWGB will restrict the processing of this data while we consider whether our legitimate grounds override yours.
    3. If the processing of our data has been found to be unlawful and you prefer restriction to erasure, we will restrict processing of your data.
    4. If the IWGB no longer needs your personal data but you require the data to establish, exercise or defend a legal claim, then we will restrict processing of your data.
  3. If the IWGB has disclosed your personal data to others, we will contact each recipient and inform them of the restriction on the processing of the personal data- unless this proves impossible or involves disproportionate effort. If requested, we will also inform you about these recipients.
  4. If for some legitimate reason the IWGB decides to lift a restriction on processing, we will inform you of this.

Right to Object

  1. You have the right to object to the processing of your data in certain circumstances. These include if the processing is based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), if your data is being used for direct marketing (including profiling) and if we are processing your data for the purposes of scientific/historical research and statistics. Your objection must be on grounds relating to your particular situation.
  2. If you wish to exercise your right to object, your objection should be communicated to:
    1. If you are an employee, to your line manager;
    2. If you are a volunteer, to your main contact at IWGB;
    3. If you are a member and the request relates to membership data, to Sebastien Flais (contact information below);
    4. If you are a member and the data relates to a case you have or had with the Legal Department, to your caseworker;
    5. For any other reason, or for more than one of the above, to the IWGB (contact information below).

Data Protection Officer

  1. The IWGB has appointed Sebsatien Flais, the Central Union Coordinator, as the Union’s Data Protection Officer (DPO). Sebastien Flais’s contact details are found below.
  2. The DPO’s role include:
    1. To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws;
    2. To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments, train staff and conduct internal audits;
    3. To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.).

International Transfers

The IWGB strongly discourages its reps, officials, employees, or volunteers from transferring personal data held by the IWGB outside of the EU. In other words, accessing IWGB email, DropBox, and other accounts is discouraged outside of the EU.

Personal Data Breaches

  1. The IWGB will make all reasonable efforts to keep your data secure. However, there may be times when an accidental breach is unavoidable. This section of the policy outlines what actions the IWGB will take if a breach does occur.
  2. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. For example, personal data breaches can include:
    1. Access by an unauthorized third party;
    2. Deliberate or accidental action (or inaction) by a controller or processor;
    3. Sending personal data to an incorrect recipient;
    4. Computing devices containing personal data being lost or stolen;
    5. Alteration of personal data without permission; and
    6. Loss of availability of personal data.
  3. If a breach does occur, or if it’s possible a breach might have occurred, it must be reported immediately to the IWGB’s data protection team. The team can be contacted at:
    1. Email: dataprotection@iwgb.co.uk
    2. Phone: 02034907530 or 02035383720
  4. If one of our processors becomes aware of a breach they must inform us without delay, and we will then follow the same steps as below.
  5. Once aware of the breach a member of the team will immediately take steps to investigate the incident and ascertain whether or not the breach was a result of human error or a systemic issue as well as how a recurrence can be prevented- whether this is through better processes, further training or other corrective steps. All information related to the breach and corresponding investigation will be recorded.
  6. However, within 72 hours of becoming aware of the breach, if feasible, the IWGB will establish- based on the information available to it at the time- the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then we will notify the Information Commissioner’s Office (ICO) of the breach. If a risk is unlikely then the incident will not be reported, however we will document this and the reasons for coming to the conclusion that reporting to the ICO was not necessary. It is important to highlight that this assessment will be carried out even if the investigation is not yet complete, due to the strict time limits on reporting breaches under the GDPR.
  7. If the breach is likely to result in a high risk to the rights and freedoms of individuals, then the individuals concerned will be informed of the breach without delay.

Handling Membership Data

  1. If you are an IWGB official who handles membership data you need to be extra careful and take all necessary precautions to ensure the data is kept safely and securely. If you have any doubts or questions on how to do this please contact the IWGB’s Data Protection Officer.
  2. If you are transporting data you need to be extra careful to always double check and make sure you have everything with you and do not accidentally leave behind in a public place personal membership data.
  3. If you have collected paper membership forms these should be sent as soon as possible to the IWGB Central Union headquarters. Please note that you must not store membership forms anywhere other than at IWGB headquarters.
  4. If you are an IWGB official, volunteer, or employee who handles membership or casework data, it is prohibited to use non-IWGB emails to transmit this data.

Press

The IWGB actively engages with the press in furtherance of its campaigns. If you are a member there may be times when you are asked to engage with the press. This will always be your choice and you will be asked to sign a consent form before any of your data is shared with the press. There will be no negative consequences for you should you choose not to so engage.

Communication with Members

  1. If you are an IWGB official facilitating collective organising by way of group communications such as Whatsapp or similar technologies, you must restrict administrator rights to IWGB officials only. This is so that members are able to opt out if they so choose.
  2. If you are an IWGB official, employee, or volunteer communicating with members via email, you must not reveal email addresses to recipients unless it is for the purpose of an organizing initiative where the IWGB is facilitating collaborative action among recipients. This should be the exception with email communications and members must be given the right to opt out.
  3. Similarly, if you are emailing more than 30 members for standard communication you must use a provider such as MailChimp or similar, rather than BCC as the risk of CCing by accident is too great.

Contact Information

  1. The IWGB’s contact information is:
    1. Address: 12-20 Baron Street, London, N1 9LL
    2. b. Phone: 02034907530
    3. Email: office@iwgb.org.uk
    4. Email for data protection purposes: dataprotection@iwgb.co.uk
    5. Website: iwgb.org.uk
  2. The IWGB’s Data Protection Officer is Sebastien Flais. Sebastien Flais’s contact information is:
    1. Address: 12-20 Baron Street, London, N1 9LL
    2. b. Phone: 02034907530
    3. Email: sebastienflais@iwgb.org.uk

Keeping this Policy Relevant and Updated

  1. If you have feedback on this policy or IWGB data protection practices, please email us at dataprotection@iwgb.co.uk.
  2. This policy will be kept under review and an updated version issued in Autumn, 2018.

Reference Version

This policy is reproduced here. The guiding current version may be found here (PDF).