Branches will be aware that the General Data Protection Regulation (GDPR) was introduced on 25th May 2018. The GDPR expands the rights of individuals to control how their personal data is collected and processed and places a range of new obligations on organisations to be more accountable for data protection. It is imperative that all organisations are fully compliant of these new rules.
Royal Mail Group has already notified the CWU that in order to comply with these new regulations, personal data must only be shared with those who are authorised or have a legitimate reason. They have further confirmed that managers will assume accredited CWU Representatives (who are authorised to represent CWU members when dealing with workplace issues) will receive information on the following matters:
• Health and Safety
• Revision Planning
• New Recruits
There are also special categories of personal data that are classed as confidential and should no longer be shared in the same way, for example:
• Health Records
• NI Numbers
• Bullying and Harassment Cases
• Union Membership etc.
Whilst we are still able to receive certain levels of information, the use of what is typically described as “Confidential” will require the application of encryption to the email being sent by RMG, using a communication protocol called Transport Layer Security (TLS). If the recipient’s mail can support TLS, the email will be released and travel through the encryption channel, if not then the email will be retained and default to ‘Strictly Confidential’. The recipient must then access a security portal (Mimecast) in order to retrieve/respond to the email. The portal deployed by RMG to provide email risk
management has the ability to store corporate data and protect against sophisticated spear phishing and other advanced threats.
For our Representatives in the field to be able to bypass this encryption and receive protected personal data, email exchanges can take place using a RMG domain name (e.g. email@example.com) and password, which Royal Mail Group will encourage.
Members can still receive information to their personal email addresses as long as the same protocols of security are adhered to. Additionally, if personal email accounts are being used, then there will be a requirement on that individual to confirm that the email account is not shared or open to other members of their family.
For ease of operation going forward, there is a requirement to construct an agreed Code of Practice around how data is shared between CWU and RMG as soon as possible that is unambiguous and not open to local interpretation. RMG have issued their own GDPR update to all managers with employees in CWU represented grades (attached for information).
The GDPR is an important legal change and any information acquired by either the CWU or RMG must be in line with the new requirements as detailed above or risk the penalty of a heavy fine along with a number of legal consequences.
If Branches have any comments relating to the application of GDPR within their locality, it would be appreciated if they could be forwarded to Alan Tate, Postal Executive, (firstname.lastname@example.org) who is leading on this issue on behalf of the DGS(P) Department.
Deputy General Secretary (Postal)