Entering sensitive data. Photo: Urupong / Getty Images

Data protection responsibilities in designing systems and processes for union casework

As unions bring digital tools deeper into their case management processes, they start generating loads of often sensitive personal data. And that brings some clear responsibilities with it under the General Data Protection Regulation (GDPR).

This blog is intended as a kind of broad checklist for principles and practices that you might find helpful to think about to ensure what you’re doing is lawful. As always you should check with your own advisors when planning detail for your union around this, as there will likely be specific factors that affect you in different ways.

1. Design approach for new systems

Data controller role

When you’re working with your members’ data, the union is known as the data controller under the GDPR. That is a clearly defined role within the regulation. It means you are responsible for why the data is being collected, and for the integrity and security of the data being processed. Your union is responsible for your staff and reps’ actions when using personal data related to the work of the union. If things go wrong anywhere in the case management process relating to data privacy, that comes back on you as data controller.

So my headline message would be to have a well-designed, well thought through, well tested approach to case management. And make sure your project and design is documented so that if something goes wrong and the regulator for the GDPR (the Information Commissioner’s Office) gets involved, you can show that you did do your due diligence upfront.

Privacy by design and DPIA

Privacy by design is a high-level principle in the GDPR, which says that you need to think about the individual (your member), right from the outset of a project. And you need to design that project or that system around those people and the need to protect them and their sensitive personal data.

You can do that through the use of a tool called a data protection impact assessment (DPIA). This is a framework which helps you think through the issue that you’re trying to solve. It legitimises under the GDPR what data you’re collecting and why you can collect it. It looks at who you’re sharing the data with, retention and security, and it helps you to focus on what the risks are with the approach you are planning. From that it helps you think about mitigating those risks.

As well as helping you design a great approach, it’s also very important to have that DPIA in writing in case there is a situation that does go wrong. It shows the regulator your thinking at the design stage and the attempts you have made to protect personal data. You are more likely to avoid a fine for poor GDPR compliance if you can show consideration of privacy by design from the outset.

We’ve got some more advice on how to fill out your own DPIA.

Planning your data fields and their uses

When you’re thinking about the data fields you want to include in your case management system, don’t just think about doing case management on a one-to-one basis. This also covers what data your union actually wants to know about case work overall.

So for example, do you need to know how much your case work programme is costing? Are there demographic considerations you need to know, such as whether you are supporting many more women than men, younger workers, or any other groups?

To get good data out you need to put good data in. So spend time planning the fields you’re going to build into your system, and how easy it will be for your staff or reps running cases to consistently and easily record high quality, useful data in the system.

Role based access

The GDPR states that only the people that really need to see data should get to see the data. But this can be complicated in a union structure.

So what roles do you need to assign to see different levels of detail in a case? In my old union, we had a big debate when we were bringing in case management and CRM. One issue was around our frontline staff in our call centre. Did they need to see that there’s a case in play? Yes, probably, because they want to be able to recognise that a caller could be vulnerable or maybe upset.

But do they need to see all the detail of a case? Probably not, because they’re not involved in actually running that case. For your union, you may have a different view, but you need to think about that as part of the design early on.
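As an added illustration of the call-centre versus case-handler decision above (this is example code written for this post, not a product or the union’s own system; the role names, field names and the sample case are all made up), the same case record can be served as different views depending on who is asking. Unknown roles get nothing, and a case handler only sees the full detail of cases they are actually assigned to; everyone else gets the summary view.

```python
"""Role-based views of a case record: each role sees only the fields it needs."""

# Field allow-lists (assumed names). Deny by default: a role not listed sees nothing.
SUMMARY_FIELDS = {"case_id", "member_id", "status", "vulnerable_caller"}
FULL_FIELDS = SUMMARY_FIELDS | {"category", "notes", "employer", "consents", "assigned_to"}
REPORTING_FIELDS = {"case_id", "status", "category", "cost_hours", "age_band", "gender"}

ROLE_FIELDS = {
    # Frontline call centre: knows a case exists and the caller may be vulnerable,
    # but not what the case is about.
    "call_centre": SUMMARY_FIELDS,
    # Rep or officer running the case: everything, but only for assigned cases.
    "case_handler": FULL_FIELDS,
    # Whole-programme reporting: no direct identifiers, just the stats fields.
    "reporting": REPORTING_FIELDS,
}

# Constructed access log so an audit can later show who looked at what.
AUDIT_LOG = []


def view_case(case: dict, role: str, user_id: str) -> dict:
    """Return the subset of `case` that `user_id`, acting as `role`, may see."""
    if role == "case_handler" and user_id not in case.get("assigned_to", ()):
        # A handler who is not running this case is treated like the call centre.
        allowed = SUMMARY_FIELDS
    else:
        allowed = ROLE_FIELDS.get(role, set())  # unknown role -> empty view
    visible = {k: v for k, v in case.items() if k in allowed}
    AUDIT_LOG.append((user_id, role, case.get("case_id"), sorted(visible)))
    return visible


# Constructed sample record; every value here is invented for the example.
SAMPLE_CASE = {
    "case_id": "C-1001",
    "member_id": "M-42",
    "status": "open",
    "vulnerable_caller": True,
    "category": "disciplinary",
    "notes": "Meeting with employer scheduled; member anxious about outcome.",
    "employer": "Example NHS Trust",
    "consents": {"share_with_employer": "2024-05-02T10:15:00Z"},
    "assigned_to": ["rep-7"],
    "cost_hours": 12,
    "age_band": "25-34",
    "gender": "F",
}

if __name__ == "__main__":
    for role, user in [("call_centre", "agent-3"), ("case_handler", "rep-7"),
                       ("case_handler", "rep-9"), ("reporting", "analyst-1"),
                       ("finance", "fin-2")]:
        print(role, user, "->", sorted(view_case(SAMPLE_CASE, role, user)))
```

The point of the allow-list (rather than a list of fields to hide) is that any new field added to the record is invisible to every role until someone decides who needs it, which is the privacy-by-design default you want.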

Procurement

For any system, whether you’re buying a bolt-on module to an existing cloud platform, or getting a purpose-built case management system, you’re probably contracting with another organisation that is acting as your data processor under the GDPR.

As part of that, you need a contract, and you need to make sure the right Data Processing Agreement clauses to fit with the GDPR are included in that contract. You also have to be confident that the supplier is actually doing all that, on things like their security and the training they give to their staff, before you allow them to work with your members’ data.

Staff and rep training

And finally, there’s the training for people in using your case management system. Obviously that’s important in terms of giving a good service and doing the best you can for cases. But it’s particularly important too in covering your back as a union. If things go wrong and the regulator comes in, you need evidence to show you trained everyone in data protection, and that refresher training happens at sensible intervals. That way a problem is shown to be more likely human error, rather than a failure to enable staff and reps to work in the safest way.

2. When starting a case

Issue the privacy notice

When you’re taking on a new case, it’s good practice to issue your privacy notice again to the member.

This is the document under the GDPR that articulates to them how you as a union are looking after their information and who gets access to it. How long will the data be retained? What’s their right to challenge it? It may be that you have a high-level union privacy notice on your website, but you may feel you need to write a specific case management privacy notice to highlight relevant information.

It’s good to do this as it helps set expectations about what’s going to happen with their data and hopefully heads off any kind of misunderstanding down the line.

Using a knowledgebase

I would think about highlighting any system and protocol changes since the last time a staff member or rep actually did some case management work. Using a knowledgebase that the case handler can search for current information is a good idea to support those people with common queries, and ensure consistency in case management across your union.

Capture the right consents

Consent is an important part of the GDPR principles for case management. If you’re wanting to disclose personal and sensitive personal data to third parties, you need to obtain and record the member’s consent to do so. Third parties here could be the member’s employer, occupational health, lawyer, or anyone else involved in the case external to your union. GDPR is very strict about consent and ensuring that you can evidence when that consent was given.

Data entry standards

Data entry standards are very important. There are obvious things like not recording gossip in case files and keeping entries factual and professional. Members and people discussed have the right to request to see data you hold on them under the GDPR.

But it’s also worth thinking about where recorded data comes from. For example, in the health environment, if a member were accused by a patient of something, they could take information from that patient’s records to provide evidence for their case, which could be a breach of both their employer’s protocols and the GDPR.

Getting legal advice about the kinds of issues that might be relevant in your sector, and building that into your protocols could help avoid members being naïve about data they provide for their case and ultimately undermining it.

Security

How do you move data around and share it safely between the union and reps? Do you have standards on using encrypted memory sticks, password-protected emails, or a secure storage space in your own cloud with tightly managed access?

In normal times, people travel to support cases and will take kit and equipment out with them. Make sure all tech used in case work has been encrypted, so the information can’t be seen if it’s lost or stolen.

3. Ending a case

Retention

It’s important to reaffirm the retention period. For example, will you keep the records for seven years from the close of the case? Confirm this to the member, so that if you’re then pushing the delete button at some point, and that person then comes back 10 years later, they shouldn’t expect you to have everything about it.

Some kind of software/workflow that helps you flag a case for review/deletion, or an automatic deletion system would be a handy thing to look at.

Other uses

Of course, I’m all for deletions – Data Protection Officers like good data hygiene – but stop and think. Is this a really amazing case? Can you anonymise that truly and use it in some way, for a case study or some ongoing training and support? Think about what you’d need to do to the data to preserve the value but in a compliant way.
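The retention flagging workflow from the section above, with the anonymise-instead-of-delete option, as an added example written for this post (not the union’s or any vendor’s software). The seven-year period is the one used as an example in the text; the review window, field names and sample cases are assumptions made up here.

```python
"""Retention review: flag closed cases for review, deletion or anonymisation."""
from datetime import date, timedelta
from typing import Optional

RETENTION_YEARS = 7        # period told to the member at case close (assumed policy)
REVIEW_WINDOW_DAYS = 30    # flag for human review this long before the deletion date

# Direct identifiers and free text removed when a case is kept as a case study.
IDENTIFYING_FIELDS = {"member_id", "member_name", "employer", "notes", "rep_id"}


def add_years(d: date, years: int) -> date:
    """Add whole years, moving 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def deletion_date(case: dict) -> Optional[date]:
    """Retention runs from the close of the case; an open case has no deletion date."""
    closed = case.get("closed_on")
    return add_years(closed, RETENTION_YEARS) if closed else None


def retention_action(case: dict, today: date) -> str:
    """One of: keep, review, delete, anonymise."""
    due = deletion_date(case)
    if due is None or today < due - timedelta(days=REVIEW_WINDOW_DAYS):
        return "keep"
    if today < due:
        return "review"   # give someone the chance to decide before it goes
    return "anonymise" if case.get("keep_as_case_study") else "delete"


def anonymise(case: dict) -> dict:
    """Copy of the case with identifiers and free-text notes stripped out."""
    return {k: v for k, v in case.items() if k not in IDENTIFYING_FIELDS}


def run_retention_review(cases, today: date) -> dict:
    """Map each case_id to the action due on `today`."""
    return {c["case_id"]: retention_action(c, today) for c in cases}


# Constructed sample cases; all values are invented for the example.
SAMPLE_CASES = [
    {"case_id": "A", "member_id": "M-1", "closed_on": date(2017, 3, 15), "category": "pay"},
    {"case_id": "B", "member_id": "M-2", "closed_on": date(2017, 6, 10), "category": "grievance"},
    {"case_id": "C", "member_id": "M-3", "closed_on": date(2020, 1, 1), "category": "disciplinary"},
    {"case_id": "D", "member_id": "M-4", "member_name": "Jo Bloggs", "employer": "Example Ltd",
     "notes": "Long free-text history of the case.", "closed_on": date(2016, 2, 29),
     "category": "redundancy", "outcome": "won", "keep_as_case_study": True},
    {"case_id": "E", "member_id": "M-5", "closed_on": None, "category": "pay"},
]

if __name__ == "__main__":
    for case_id, action in run_retention_review(SAMPLE_CASES, date(2024, 6, 1)).items():
        print(case_id, action)
```

Run it with a fixed "today" so the review is repeatable and auditable; in practice the list of actions is what a Data Protection Officer signs off before anything is actually deleted.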

4. Ongoing compliance issues

Data protection policies

Under the GDPR, you have a responsibility to evidence your compliance with data protection regulations. Having a good data protection policy helps, as long as it’s up to date, has all your case management protocols and standards referenced, and your staff and reps are actually working to the policy and protocols.

Information asset register

It’s important, once you’ve designed a case management system, that you add it to your corporate information asset register. Under the GDPR, you have to map out what personal data you’re collecting for what purpose in what systems, who are your data processors, and how long the data is going to be retained.

You need to have this high level ‘map’ to hand, so if there is a problem, a breach or some other issue involving the regulator, or your auditors want to see all this, it’s all very easy to pull out and talk through.

Personnel issues

Think about your organisational handover protocols. If staff leave or if reps leave – particularly if your case management process involves the use of email or has case files in people’s personally allocated drives – how will you ensure continued access on behalf of your union?

Data breach management

If you keep having breaches around case work, what are the patterns? Stand back and look at that, to see if you can identify any fixes you can put in place that might prevent them happening again.

Audit practice

Audits are important for any new system. They’re useful to you in terms of general GDPR compliance, but definitely around case management. Take some samples of files, look how those cases have been run, and whether they live up to your policies and standards.

In particular, check how easy it is to get all the files for a case together for review. For a GDPR rights request, like a subject access or a right to be forgotten request, you only have a month to get all the data together and respond. Clearer systems can dramatically cut the work overhead of requests like that.

This blog was adapted from a presentation I gave at a recent Digital Lab seminar on digital case management systems, with case studies from PCS and Accord. You can watch the rest of the session here.