Your rights relating to the use of your personal data changed in May 2018, with the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 coming into force.
This privacy notice does not apply to personal data collected and used by the Certification Officer and officials supporting her when she is acting in her judicial capacity. Article 14 of the 2018 Act contains an exemption in respect of judicial proceedings and specifically Article 14 (2) provides that the “listed GDPR provisions do not apply to personal data processed by (a) an individual acting in a judicial capacity or (b) a court or tribunal acting in its judicial capacity.” The Certification Officer acts in a judicial capacity when determining complaints between an applicant and a union.
This Privacy Statement explains in plain English how and why the Certification Office (“CO”) which supports the Certification officer processes your personal data. It covers personal data, in any format, that the CO may collect, use and retain.
The CO collects, uses and holds personal information about you when you make a complaint, raise an issue with the Certification Officer or submit an enquiry to us. How we use your personal data is explained below.
If you have a query about this Privacy Statement please contact the Data Protection Officer at the contact details below.
About Personal Data
Personal data is information that relates to a living individual who can be identified from that information. It can include your name, address or telephone number and also more sensitive data like medical history, ethnicity or trade union membership.
We recognise how important it is to protect the privacy of all Certification Officer customers. We will safeguard your personal data and will only disclose it when it is lawful to do so, or where required, with your consent.
Types of Personal data we process and how we use your personal data
The CO collects personal data about you to fulfil the legal functions that the Certification Officer is charged to deliver under the Trade Union and Labour Relations (Consolidation) Act 1992, as amended by Transparency of Lobbying, Non-party Campaigning and Trade Union Administration Act 2014, and the Trade Union Act 2016.
We only process personal data that is relevant to meeting our legal obligations. The personal data will usually be obtained from you, your representative or the other party in complaints. Your personal data may also be obtained from other interested parties, such as a trade union you are/were a member of.
1. Complaints raised against a trade union
If you make a complaint against a trade union to the Certification Officer, the CO will asks you for personal information such as your name, email address, postal address, postcode, job title, daytime and/or mobile phone number, and information about your union membership in order to progress any complaints / issues.
You may also voluntarily provide us with personal information about any special needs you may have so that we can try to ensure our services meet your requirements.
We retain personal data collected via your application form / letter /e-mail on your complaint file for a period of three years after the conclusion of the complaint. At this point your details and any related correspondence is destroyed.
It is kept for this period due to the possibility of any appeals in a higher court occurring, for which and in accordance with our records retention policy.
2. Financial Irregularities investigations
A financial irregularity investigation can be undertaken either leading from a complaint or the Certification Officer coming across information via other sources. Any information, including personal information, e.g. home address, bank statements etc., are kept on the relevant manual and electronic files. The files are retained for 3 years from the date of the final date of correspondence or date of ‘Findings Letter’.
Should an investigation lead to a prosecution, your information may be shared with other statutory bodies.
3. General Enquiries
If you make an enquiry about any aspect of the Certification Officers power, the details that you provide, including your e-mail address if the enquiry is made via e-mail is retained for one year.
Hard copy enquiry – 3 years
4. Making a Freedom of Information (FOI) or Subject Access Request
If you wish to make an FOI or Subject Access Request, your contact details and case history will be collected to process your request and stored for three years.
If you wish to make a complaint to the Information Commissioner’s Office (ICO) regarding a decision on a FOI or Subject Access Request case, the CO is legally obliged to share your case records, which includes personal data, with the ICO in order to progress your complaint. You may withdraw your complaint at any time.
5. Use of our website
When you visit our website, we collect your Internet Protocol (IP) address as a unique identifier. We also collect the following:
- Data about how you use the Certification Officer’s Website;
- Information about your computer (including your IP address and browser type);
- Demographic data;
- If you visited the Website by clicking on a link from a different website, we collect the URL of that website; and
- Information about your online activity, such as the pages you have viewed and the purchases you have made.
The Certification Officer’s website contains links to other websites, mainly other unions. These websites are not covered by this Privacy Statement and the CO is not responsible for the privacy practices within any of these other websites. You should be aware of this when you leave the website and we encourage you to read the privacy statements of other websites.
Sensitive Personal Information
Some of the information you provide may be personal data that is particularly sensitive, such as trade union membership, ethnicity or medical information. We will only ever use such sensitive personal data where this is essential to provide advice or to provide one of our statutory services such as attending a hearing.
We may also use medical information you provide to make reasonable adjustments to help you access our services (for example, to arrange disabled access to a CO site).
Confidentiality, storage and security of personal data
The CO views the confidentiality and privacy of those using its services as paramount. Any personal information you provide will be held securely, and your personal information will not be sold or traded to another organisation or company.
In order to carry out our functions and respond to enquiries effectively, we may sometimes need to share information with Government Departments, law enforcement agencies, and public authorities (such as the Employment Appeals Tribunals Service). However, we will only do this where it is permitted by law.
Where the CO might share personal data with an external company or service that we employ as part of our work, we will ensure that personal data that we may pass on to them will be held securely and used by them only to provide the services for which it was shared.
The CO safeguards the information you provide using physical, electronic and management procedures on use of personal data.
Personal electronic data is held in an HMG secure data centre in the UK. Back up services are also performed in a separate HMG Secure Data Centre in the EU.
Purpose and Lawful basis for processing
Under data protection law, the Certification Officer must have a ‘lawful basis’ to justify the collecting, storing and use of personal data. Where sensitive personal data is used, the Certification Officer also needs to have a second lawful basis to justify the use of your sensitive data.
The purpose of most activities where the CO processes personal data, relates to the Certification Officer’s legal duties under the Trade Union and Labour Relations (Consolidated) Act 1992.
Our lawful basis for processing personal data is therefore that it is necessary “for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the data controller” (quoted from Article 6(1)(e) of the GDPR).
DPA2018 – “Function of the Crown”?
Where we process sensitive personal data, our additional lawful basis to do this depends on the service that CO requires this for.
For sensitive personal data that may be processed as part of the Certification Officers powers to investigate and/or prosecute and to respond to FOI and Subject Access Requests, our lawful basis is:
“Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity” (Article 9(2)(f) of the GDPR).
Financial Irregularity – lawful basis for processing?
When we ask for your personal data we:
- Will ask only for the personal data we need and not collect information that is irrelevant and excessive.
- Will protect it and make sure no unauthorised person has access to it.
- May share it with other organisations but only where necessary and permitted by law.
Who the information may be shared with
The information you provide will typically be shared with the other parties involved in a case, including their legal representative and the Certification Officer’s legal advisers (Government Legal Department).
Where we are required to share personal data, we will comply with all aspects of rules, including data protection laws. The categories of organisation with whom we may be required to share your personal data may include other public bodies within the EU, providers of transcription services.
Unless otherwise agreed, Certification Officer’s hearings are held in public, so if information you give is referred to at a hearing then it may become public in that way. Media representatives or other persons can attend and report on public hearings, unless the Certification Officer orders otherwise.
Your rights under the data protection law
You have a right to request a copy of the information the CO holds about you and to have any inaccuracies corrected.
You may also have the right to have your personal information erased; to restrict our use of your personal data; and object to our processing of your personal data.
Please address requests (with a return e-mail address where possible) to
The Data Protection Officer
Lower Ground Floor
2-6 Salisbury Square
London EC4Y 8JX
The right to complain to the authority on the use of information, which in the UK is the Information Commissioner’s Office.
Information Commissioner's Office
Telephone: 0303 123 1113
Territories outside the European Economic Area (EEA) may not have laws which provide the same level of protection for personal information as those inside the EEA. However, if we process your personal information on servers or use third party service providers based in such territories, we will endeavour to ensure that your personal information is afforded the same level of protection as in the EEA.
Changes to this Privacy statement
If this privacy statement changes in any way, we will place an updated version on this webpage. If you do not agree with the changes we make please do not continue to use the website. Regularly reviewing this webpage ensure you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.