Data protection in UNISON

A guide to data protection in UNISON branches


Current legislation

The UK General Data Protection Regulation (UK GDPR) came into effect on 1 January 2021. It amended the existing EU GDPR and was incorporated into UK law following the end of the Brexit transition period. It functions within the UK legal framework and works alongside the Data Protection Act 2018.

The Data (Use and Access) Act (DUAA) was introduced into UK law on 19 June 2025 and updates some laws about digital information matters. DUAA sits alongside current data protection legislation to streamline compliance and modernise data usage.

The Privacy and Electronic Communications Regulations 2003 (PECR) covers digital marketing (emails, calls, texts), cookies, and the security of communication services. PECR sits alongside current data protection legislation to give people specific privacy rights in relation to marketing communications by electronic means.

Data protection principles

Data protection legislation strengthens individuals’ rights by making them aware of, and enabling them to control, how their own personal data is processed.

To comply with data protection legislation, UNISON branches need to ensure they are working in a data-compliant way. Personal data must:

  • be processed lawfully, fairly and in a transparent manner. This involves using personal data in full compliance with the law, and in a manner that members would reasonably expect of the union. When collecting data, you should always tell people how it will be used so that they can make an informed choice about whether to provide the information;
  • only be processed for the purpose for which it was collected and not for something extra or unrelated (Purpose limitation);
  • be limited to only that data needed to achieve the desired task. Do not collect excessive amounts of data if it is not needed for the task at hand (Data minimisation);
  • be accurate and kept up to date. This means using UNISON’s membership system as the one true source of member data and not keeping separate contact lists (Accuracy);
  • only be kept for as long as you need it. When you no longer need it, it should be securely destroyed or deleted in accordance with the branch data retention schedule (Storage limitation);
  • be processed in a manner that ensures appropriate security of the data. Safeguards should be put in place to prevent unauthorised processing or unlawful access to personal data, and against accidental loss, destruction or damage (Integrity and confidentiality/Security).

Personal data breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

Personal data breaches must be reported to UNISON’s Data Protection Team immediately. They can be contacted at [email protected].

The Data Protection Team will assess the necessary mitigation and determine whether the incident meets the threshold for reporting to the Information Commissioner’s Office (ICO). The law states that data breaches must be reported to the ICO within 72 hours of the organisation becoming aware of the incident.

Subject access requests (SARs)

The right of access, commonly referred to as a subject access request (SAR), gives people the right to obtain a copy of the personal data that an organisation is processing that relates to them.

There are no formal requirements for a valid request. A person can make a SAR verbally or in writing, including by social media. They can make it to any part of an organisation, and they do not have to direct it to a specific person or contact point.

Any SAR received by a branch must be forwarded to UNISON’s Data Protection Team immediately as there is a one-month statutory deadline in which to comply. It is essential, therefore, that the branch acts quickly when these requests are received.

Right to erasure

Individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

Any request to delete data received by a branch must be forwarded to UNISON’s Data Protection Team immediately as there is a one-month statutory deadline in which to comply. It is essential, therefore, that the branch acts quickly when these requests are received.

Training

UNISON’s data protection training is mandatory, as per UNISON’s rulebook, and must be completed within three months of being elected, and annually thereafter. You can find the data protection training via UNISON’s Learning website.

Bulk communication

The most important thing that we can do to comply with data protection legislation is to all use the same membership system so that it is the one, true source of member data. For branches, this means using Merlin for sending bulk email. This is because:

  • It does not email members who have unsubscribed.
  • It uses up-to-date email addresses.
  • It does not email lapsed members.
  • Recipients’ email addresses are automatically added to the Bcc field.
  • Changes to member contact preferences are immediately reflected.
  • An unsubscribe/MyUNISON link is automatically added.
  • A link to UNISON’s privacy policy is automatically added.

Further guidance on how data protection legislation applies to UNISON’s processing activities can be found in our resources section below.