GDPR – a barrier to organising?

Many activists experience being told they can’t do this or that to build the union because of GDPR – the General Data Protection Regulation. Ian Allinson and data protection lawyer Lois C explore how we can avoid GDPR being a barrier to effective organising.

We’ve had data protection legislation in Britain since 1984, but it has been much higher profile since 2018, with the implementation of the European Union’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018. A major factor in organisations giving it greater attention was a dramatic increase in the potential fines – up to £17.5m or 4% of an organisation’s global annual turnover. But the underlying principles of the legislation didn’t change as much.

Much of the drive for data protection legislation came from Germany. The Nazi dictatorship and businesses processed data about the population to enable the Holocaust. Little wonder this caused widespread hostility to surveillance and a desire to restrict organisations holding personal data. Whenever people try to bamboozle you with technicalities, hold on to the fact that the point of data protection is to protect people from harm.

If you control the processing of data, you are responsible for avoiding harm by ensuring that the seven key data protection principles are followed:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

The legislation is enforced by the Information Commissioner’s Office (ICO), whose website has lots of useful information. The ICO takes a ‘risk and harm’ based approach to enforcement, meaning that if there was some slight unintentional breach which did not harm individuals, then penalties are unlikely or small – particularly if you tried to follow the data protection principles.

In Workers Can Win (p.286), Ian argued that:

The latest weapon in the bureaucrat’s armoury is GDPR (General Data Protection Regulation), the rules on data protection. Unions must comply with data protection principles, which include only holding personal data they need to and restricting access to those who need it for legitimate purposes. But GDPR is widely used as an excuse to deny people the information they need to perform their role in the union, even if they have been elected to that role. Don’t be afraid to call bullshit on GDPR excuses or to ask what needs to be put in place to enable you to perform your role.

This article is focused on a different way in which GDPR can act as a barrier to organising – when people exaggerate the restrictions on ‘mapping’ or ‘charting’ workplaces. Different organisers and unions use the terms mapping and charting in different ways. Ian uses ‘mapping’ to mean ‘drawing the physical layout of a workplace or workplaces and marking it up with information’ and ‘charting’ to mean ‘listing all workers and grouping those who interact most, to record information about them.’

In Workers Can Win (p.134), Ian said:

It’s important to be ethical about your mapping and charting. Don’t write down anything about someone that would cause a problem if they saw it, particularly if it’s a judgement about them rather than strictly factual. I was once on the receiving end of a ‘Subject Access Request’ from a manager, under the data protection legislation, to obtain personal information I held about them, such as emails. Fortunately, there was nothing problematic and they later joined the union. Never leave personal information lying around. Sometimes activists allow concerns about data protection to get in the way of organising. It’s worth remembering what the legislation is there for. It’s to protect people against those in power, such as companies, intruding into their privacy or making decisions based on information they shouldn’t have or which isn’t accurate. You are organising to make society fairer and more democratic, challenging those who hold power. Irrespective of legislation, you aren’t doing anything to harm the workers included in your mapping or charting. I’ve yet to hear of a union activist falling foul of data protection law over mapping or charting – your employer is a much bigger threat.

For most activists, ensuring that they are ethical and don’t get in trouble are much higher priorities than worrying about the letter of the law.

Individuals can make a Subject Access Request (SAR) (sometimes called a ‘right of access request’ under GDPR) to obtain a copy of information held about them. Never record anything about someone that you would be uncomfortable sharing with the individual if they made a SAR, or any information you couldn’t justify holding in relation to your purposes (see below).

When you are engaged in union business, even at work, and even if the data is on your employer’s systems (which you may wish to avoid for other reasons), the ‘data controller’ is the union, not your employer. This means that if someone made a SAR to your employer to obtain data you held about them, you would only disclose information you held as an employee, where the employer was the data controller. To get the data you held on them as a union activist, they would need to make a SAR to the union. Legally, any complaint about mapping or charting data would need to go to the union, not the employer. Of course, this doesn’t guarantee that some manager won’t try to have a go at you about it – but strictly speaking it’s none of their business. Any employer discipline would then be for trade union activity (so unlawful).

Not all data is the same

Personal data is any information that relates to an identified or identifiable living individual. Examples of personal data that could be relevant to your organising include:

(a) job title and grade;
(b) salary;
(c) demographics like race and gender; and
(d) whether the person is a member.

Certain information, including (c) and (d), is considered extra-sensitive ‘Special Category Data’ (SCD), which is subject to stricter rules.

What is your purpose?

The ‘purpose limitation’ data protection principle means that you must be clear why you are processing the data from the start. Your purposes will influence what data you can process. The ‘data minimisation’ principle restricts you to data that is relevant and necessary for those purposes. The ‘storage limitation’ principle means you should hold that data no longer than necessary for your purposes.

You need to be able to explain why you need to do mapping or charting and what information is needed for it. Write all this down to meet the ‘accountability’ principle. An example data protection plan is here.

You may define a general purpose such as ‘running an effective union which facilitates collective organising to improve workers’ jobs, pay and conditions and the other objectives of the union’. You may need a more specific purpose to justify processing particular data, such as ‘identifying who is affected in what way by the issues in the 2024 pay claim in order to contact them and involve them in a campaign to win it’. You should consider why you need a particular type of information to meet your purpose. For example, it is unlikely you would need to record a member’s medical history and so that should be deleted. 

Lawful basis for data processing

You should now understand why you want to process personal data (the purpose) and how that justifies each type of data you plan to hold. You must also ensure that the processing is lawful by identifying at least one lawful basis for processing data. GDPR sets out six possible lawful bases for processing personal data. These are: 

a) Consent – the individual has given consent for you to process their data.
b) Contract – the processing is necessary for a contract you have with the individual.
c) Legal obligation – the processing is necessary to comply with the law.
d) Vital interests – the processing is necessary to protect someone’s life.
e) Public task – the processing is necessary to perform a task or function which is in the public interest and has a clear basis in law.
f) Legitimate interests – the processing is necessary for your legitimate interests.

A union normally relies on the ‘legitimate interests’ lawful basis to justify processing data about its members. Where an organisation is relying upon ‘legitimate interests’, it often completes a Legitimate Interests Assessment (LIA) to ensure that the processing is lawful. In practice, this means identifying the legitimate interest, noting why the processing is necessary to meet that interest and finally balancing the impact of the processing on the individual.

‘Legitimate interests’ is not a sufficient basis to cover the processing of special category data, but there is a specific rule which enables not-for-profit bodies including unions to process members’ special category data as part of their ‘legitimate activities’. This also covers former members or people who have regular contact with the union for union business.

Including non-members in mapping and charting

UNISON has a useful guide to different levels of mapping and charting your workplace for different purposes. It’s well worth a look, but assumes you can’t hold data on non-members. For charting and mapping we normally need to include non-members too. We might be able to rely on legitimate interests for non-SCD data, but it is safest to use the ‘consent’ basis instead. On the face of it, this seems absurd – how can you get someone’s consent without having them on a list and contacting them? The guidance from many unions is pretty useless on this, and would lead many activists to give up on organising or give up on trying to comply with GDPR. The guidance from the University and College Union (UCU) is considerably better, and well worth a read.

You can identify non-members to contact in order to seek their consent. At this stage, you would be processing their contact details for the purpose of seeking consent under the ‘legitimate interests’ lawful basis. Minimise how long you hold their name and/or contact details prior to getting consent. For example, if you are trying to chart a large organisation, you might tackle a department at a time. You need to contact them and as part of that conversation, which might be about your current campaign, explain the purposes for which you want to process their data. This is obviously best done verbally – in person if possible, but otherwise over the phone, Teams or whatever. If they give consent, record the date, time and how the consent was given. If they don’t give consent, remove their personal data. For example, you might remove their name from your list but keep an anonymised record of how many people in that team didn’t give consent.

Under GDPR, consent is ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’. This means you need to be specific that it is the union who would be processing their data and for what purposes. You should also tell them that they can withdraw their consent at any time. Because you need a ‘clear affirmative action’, it’s best to directly ask them for their consent, once you have explained why you want it. For some purposes that might be very simple, such as:

Your pay and conditions are determined by collective bargaining between the employer and the union. The union would like to contact you to keep you informed about the issues, our campaign and bargaining, but we are only allowed to do this if you join, or if you consent to us processing your personal information. Obviously you would get more information as a member. Would you like to join, or if not, do you consent to the union processing your personal information (i.e. your contact details and the fact you are not a member) for this purpose?

UCU advises that ‘a year is a reasonable amount of time to wait before you map the workforce again and contact those non members [who did not consent] to see if their opinion has changed’ so bear that timescale in mind when defining your purpose. Something too short-term could leave you temporarily chart-less. Including longer-term purposes could enable you to retain at least some of the data of those who consented.

Controlling access to the data

People should only have access to the data they need for the defined purposes. This usually means most activists don’t need access to all the data. Sometimes parts of the data can be anonymised (information that might identify individuals removed) or aggregated (data for different people grouped together to hide the individual data). And of course data should be held securely, so it doesn’t fall into the wrong hands, and erased or anonymised when it is no longer needed for the purposes.

Don’t panic

What all this shows is that even if you want to comply with the letter as well as the spirit of the legislation, you can still map and chart your workplace and run campaigns that reach out to workers who aren’t yet union members.

Example data protection plan (word doc)