At the TUC, we’re currently embarking on a project to identify and rationalise the shadow IT that our organisation uses. It’s one of our biggest digital and data risks, and will be for most unions as well.
First some definitions. When we’re talking about “shadow IT”, we mean the use of a whole secondary set of IT tools that are not part of the toolset officially chosen and managed centrally by the union, but rather tools that individual staff or activists, or teams within the union, found and adopted on their own initiative.
And to add another bit of jargon, most of these tools are classified as “Software as a Service” (SaaS). That means they aren’t traditional applications that are provided by a union’s IT department and need to be installed onto your computer in order to use them.
Instead these tools live in the cloud and are delivered through websites, where you log on when you need to use them, or on apps on your mobile devices. Mostly, you use them for free or for a small subscription, rather than a one-off purchase cost.
Why is this growing?
The rise of SaaS and shadow IT are trends that’ve been going on for years, but which got a huge bump since the pandemic.
Over the course of the pandemic, every union has had to use new tools and behave differently to do their work. And bringing a much wider range of new tech tools into the union so quickly has had lots of wider implications.
The list of new SaaS tools covers products that allow unions to do things like:
Manage events and meetings at a local and national level, online and offline, with video conferencing, event ticketing and meeting interaction tools.
Improve internal co-ordination, co-authoring documents, digitising processes, or sharing files.
Turn office-based work into remote work, with office suites, networking connections, automation and workflow tools.
Respond to members’ rising expectations of digital service, with engagement tools and customer service tools.
Why is it a concern?
This rush to innovation has brought a few challenges with it for unions.
1. Fracturing across services
Sometimes one team thinks one tool is the best for the job, and another likes something else. Sometimes there are unique reasons for it – other times it’s just that people use the tool they see people around them using.
This means problems of support as well. Union IT teams are often under-resourced, and there is no way they can add effective support for a portfolio of tools that is constantly changing. So if staff and reps pick up new tech tools, they are often doing so “on their own”, without the union’s training and tech support.
That can mean risks of inappropriate or insecure use of the software, or just wasted time trying to solve tech problems without help.
2. Data security
Data protection law has been a huge headache for union data protection officers, as member data has split across hundreds of laptops, phones and services.
As we use new tech tools in different parts of the organisation, we’re creating new silos of personal data, separate from core systems.
The people signing up for a new service don’t always realise what they’ll be storing. But the data they end up storing and processing in it is definitely covered by the union’s data protection responsibilities. Doing due diligence on all this is another big overhead on stretched DPOs.
Plus when there’s a subject access request, how does the DPO know that the union is holding information that they need to turn over, when they didn’t know a branch had moved onto a new service?
3. Confusion on costs
This stuff is mostly pretty cheap, but it adds up. Many new services are priced on a tiered basis for personal accounts. Rather than specifying tools under a central IT budget, different teams can end up renting new tech for themselves, solely for their own areas.
Often a large number of low-tier personal accounts can end up costing the union more than combining into an enterprise level account (which would often add considerable functionality too).
4. The blurring of professional/private lives
Many union activities – community groups, messaging, video conferencing and so on – need people to use personal accounts to access them. Sometimes this is also true for emails and files, which end up mixed between union and personal accounts.
Organisers particularly report this in terms of having to mix their personal and professional lives on messaging or community tools such as WhatsApp and Facebook groups. Being always on can be draining for staff and reps.
What do we do about it?
There’s a big challenge here to look at how you manage to reduce the risks and downsides, without stifling innovation.
We’ve started our project at the TUC by gathering information on what’s being used. We ran a survey and have interviewed key people around the organisation. We looked at network traffic to see if key SaaS providers were being used.
Now we’re starting to look at functionality groups for pilots – the first will be online surveys and file sharing.
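As an added illustration of the discovery step described above (example code written for this post, not the TUC’s own tooling), the script below scans a constructed proxy/DNS log excerpt for known SaaS domains, groups the hits by functionality area such as surveys and file sharing, and lists which internal clients use each provider. The domains, IP addresses and log format are all assumptions; a real run would use your union’s own catalogue and log export.

```python
from collections import defaultdict

# Constructed catalogue of SaaS domains keyed by the functionality groups the
# pilots are organised around. Hypothetical entries; extend with the providers
# your own union actually uses.
SAAS_CATALOGUE = {
    "surveys": {"surveymonkey.com", "typeform.com"},
    "file-sharing": {"dropbox.com", "wetransfer.com"},
    "messaging": {"whatsapp.net", "slack.com"},
}

# Constructed proxy/DNS log excerpt: "<timestamp> <client-ip> <requested host>"
SAMPLE_LOG = """\
2023-03-01T09:12:03 10.1.4.20 www.surveymonkey.com
2023-03-01T09:12:05 10.1.4.20 www.surveymonkey.com
2023-03-01T09:14:11 10.1.4.31 api.dropbox.com
2023-03-01T09:20:44 10.1.7.2 mmg.whatsapp.net
2023-03-01T09:22:01 10.1.4.31 www.tuc.org.uk
2023-03-01T09:25:19 10.1.9.8 wetransfer.com
"""

def classify_host(host):
    """Return (group, provider) for a catalogued SaaS host, else None.
    Walks up the domain so api.dropbox.com is counted as dropbox.com."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        for group, domains in SAAS_CATALOGUE.items():
            if candidate in domains:
                return group, candidate
    return None

def build_inventory(log_text):
    """Map (group, provider) -> sorted list of client IPs seen using it.
    Each entry is a candidate system that may hold personal data and
    therefore needs a named owner and a RoPA entry."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than aborting the scan
        _timestamp, client, host = fields
        hit = classify_host(host)
        if hit:
            seen[hit].add(client)
    return {key: sorted(clients) for key, clients in seen.items()}

if __name__ == "__main__":
    for (group, provider), clients in sorted(build_inventory(SAMPLE_LOG).items()):
        print(f"{group:13} {provider:18} {len(clients)} client(s): {', '.join(clients)}")
```

Traffic to the union’s own site is ignored, and repeated requests from one client collapse to a single entry, so the output is a short list of providers to follow up with their users rather than a raw hit count.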
For each, we’ll look collaboratively at the costs and functionality of the various tools being used, the risks to the organisation and any possible mitigations we can make.
We’ll check where our core toolset of Microsoft Office 365 could cover off some of the needs colleagues have.
And where we decide we still need to keep additional services, we’ll put in place measures to make them more sustainable going forward. That means more consistent licensing. And better communication across the TUC about which tools we use for what, so everyone starts on the same page. The people currently using these tools are often the early adopters, but we need to better signpost this for the mainstream users as they join their more digitally engaged colleagues.
It also means developing a RoPA (Register of Processing Activities). This is a list of all the services being held around the union that may hold personal data. It’s even more important for unions than for many organisations, as union membership (or non-membership) counts as sensitive personal data under the GDPR.
To do this, we’ll document which systems hold what data, and who the contact people for each new tool are. Making a clear and accessible resource on this will help us quickly respond to members seeking to invoke their data protection rights, such as a subject access request or the right to delete or correct data.
Is your union looking into this area as well? We’re planning to develop more work on responding to shadow IT, and on information security in unions, over the rest of 2023. We’d be really interested to hear your own challenges that we should address, or what would be helpful to your unions. Please do get in touch.