Further to LTB 529/18 issued on the 14th September 2018 advising Branches of the General Data Protection Regulations introduced on the 25th May 2018, CWU and RMG has since endorsed a Code of Practice around how both parties will move to a new process of data sharing that is unambiguous and not open to local interpretation, particularly where there is a potential for a breach of data. This Code of Practice can be found at Appendix A which will also be shared with all Royal Mail Managers.
Branches will be mindful of the changes contained in LTB 529/18 and the receiving of information from Royal Mail that is classified as confidential. In order to obtain certain levels of information described as ‘Confidential’, it will require the application of encryption to the email being sent by RMG using an encryption communication protocol called Transport Layer Security (TLS). Attached as Annex B is an easy to follow step-by-step guide on enabling TLS on your PC.
If the recipients mail can support TLS, the email will be released and travel through the encryption channel otherwise the email will default to ‘Strictly Confidential’ and be retained in a secure online cloud storage service e.g. iCloud. The recipient must then access a security portal called Mimecast in order to retrieve/respond to that email. This portal has been deployed by RMG to provide email risk management along with the ability to retain corporate data for a certain period and protect against data exfiltration and other advanced threats.
Going forward, CWU Representatives who need to receive data from RMG will be required to provide confirmation through a simple statement which is attached as Appendix C that allows Representatives to use their own device on accounts such as btinternet/hotmail/gmail etc. which also supports TLS. Signed statements should then be forwarded onto Laura Fleming who is based at;
185 Farringdon Road
London EC1A 1AA.
This process has been successfully deployed in RM Fleet and will now be utilised across RMG. For ease of access, all Divisional Representatives have been provided with a Royal Mail domain due to their requirement to attend Mail Centres and Delivery Offices where they can access a RMG terminal to log onto their account if necessary.
Under good practice, Branches should note that personal data should only be shared where we can demonstrate a legitimate interest which is not overridden by the individual’s rights and freedoms. Personal data should only be shared on a confidential basis only to the extent necessary and in line with other data protection considerations such as security. Once the personal data has been received, Branches must only share this data with others if it is strictly necessary and they are authorised to do so.
Branches should consider adopting a best practice approach as attached at Appendix C, to obtaining members’ consent for the purpose of representation e.g. when a member is invited to attend a meeting for the first time under the conduct procedure who subsequently seeks representation, a single statement of consent at the start of the procedure will provide the Branch with the ability to escalate the case between the various levels of representation (Unit Rep/Area/Divisional) without having to refresh this mandate at each level. Furthermore and in view of the potential for claims to be submitted by individuals for copies of all emails which displays their address, it is considered good practice to blind copy other individuals on email exchanges that are only limited to authorised people or if there is a need for information to be retained, this should be stored somewhere securely for an appropriate period of time.
To reiterate, GDPR is an important legal change and the CWU must show improved responsibility with members’ information. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, altercation, unauthorised disclosure of, or access to, personal data that will carry sanctions, including potential fines of up to 4% of turnover.
It would be appreciated if Branches could forward any issues relating to the application of GDPR within their locality to Alan Tate, Postal Executive (firstname.lastname@example.org) who is leading on this issue on behalf of the DGS(P) Department.
Any enquiries in relation to this LTB should be addressed to the DGS(P) Department quoting reference 10020.
Deputy General Secretary (Postal)