This Privacy Policy was last revised on: 10 November 2024.

The Industrial Workers of the World (IWW) is committed to protecting the confidentiality and integrity of your personal data and will process all data in accordance with our responsibilities under the UK General Data Protection Regulation (UK GDPR), Data Protection Act (DPA) 2018, Privacy and Electronic Communications Regulations (PECR) 2003 and all other applicable laws.

This privacy policy explains who we are, the types of information we hold, how we use it, who we share it with and how long we keep it. It also informs you of certain rights you have regarding your personal information under current data protection laws.

This policy text is meant both to inform all persons whose data we collect and process (Data Subjects), as well as guide all persons who process personal data for the IWW (Data Processors).

Anyone who processes data on the IWW’s behalf must read, understand and abide by this policy and any other IWW policies relevant to data processing. IWW Data Processors should pay particular attention to sections and paragraphs set in bold or marked with a symbol.

All IWW members and non-members who use IWW communications and data processing platforms must also respect this and any other IWW policy about data processing with regard to how they treat other people’s personal data. Passages in bold indicate the essential parts of the policy that concern you as a Data Subject and how we process your personal data.


Contents


Policy Summary / Privacy Notice

We are committed to keeping your data secure and to never using it in ways you would not expect.

The IWW is the Data Controller for the personal information you provide when interacting with the IWW, participating in the IWW and using its services. We use this data to improve our work as a union.

The principal lawful basis for our collecting and processing personal data is the IWW pursuing our legitimate interests as a trade union (namely, when we collect and process personal data from membership applicants and members, or when people contact us).

In certain cases of supplementary personal data collection and processing, we will do so on the basis of your informed consent (in particular, when we collect data that is considered sensitive and specially protected under data protection laws, or specific instances where we intend to share your data with third-parties not listed in our Privacy and Data Protection Policy, or when we actively solicit data from non-members). 

Please click here to see the full list of personal data we may collect and how we may collect it.

Please click here to see the full list of purposes for which we may collect personal data.

As a trade union, we have a statutory requirement to keep an accurate register of members’ names and addresses. If you wish to be an IWW member, you must provide this information to us.

As with most websites, the IWW uses cookies to improve our users’ experience. Cookies may also collect personally identifiable information. Our cookies policy explains which cookies we use and why, along with where you can find more information about cookies.

We may disclose information about you to IWW officers, staff, administrators, organisers, accredited IWW trainers, accredited IWW worker’s representatives (‘Reps’), or any other IWW Data Processors, insofar as reasonably necessary for the lawful bases and purposes as set out in our Privacy and Data Protection Policy, our Rule Book and our Manual of Policies and Practices.

All IWW Data Processors must sign a Data Processor Agreement with us, in which they commit to comply with our Privacy and Data Protection Policy and with applicable UK data protection laws.

The IWW will not disclose any of your personally identifiable information to any third party unless it is justified by:

  • the lawful basis of pursuing our legitimate interests as a trade union, and the data is shared as described in the full text of the IWW WISE-RA Privacy and Data Protection Policy further below;
  • or it is necessary to fulfil our contractual obligations;
  • or we have your explicit consent to do so;
  • or it is necessary to protect someone’s life;
  • or we are required to do so by law.

We do not routinely transfer your data outside of the UK or the European Economic Area (which share the same data protection standards). However, if it is necessary, we will ensure appropriate data protection measures (as applicable under UK law) are in place.

You have rights as a data subject. These rights include: subject access; erasure; rectification; the right to restrict or object to processing; the right to data portability; and the right to complain to the Information Commissioner’s Office (ICO).

The IWW is fully committed to upholding these rights. If you believe we have not done so, please get in touch so that we can put things right.

Where you have given consent for the IWW to process your data, you may withdraw it at any time by contacting us, as well as exercise all your data subject rights listed above.

Where we collect and process your data on the basis of pursuing our legitimate interest as a trade union (namely, for members), you likewise can exercise all of your rights listed above, but keep in mind that as a Trade Union, we have statutory requirements as well as other lawful bases to hold and process certain essential elements of members’ personal data, without which their membership in the IWW cannot be maintained.

Subject access requests, the provision of data portability, or requests of erasure, rectification, or to restrict or object to processing of your data may be refused or partially refused by the Data Protection Officer in certain cases as provided by the relevant legislation or regulatory authorities. These grounds for refusal are outlined for each type of request on the Information Commissioner’s Office Website. Data erasure requests and subject access requests, in particular, may be refused in part or in whole if the data are relevant to, or if you are subject to, any formal internal process reasonably requiring the data to be retained, such as a formal complaint or investigation, or if the Data Protection Officer decides the data needs to be retained for any reason compatible with the present Privacy Policy or as provided by the relevant legislation or regulatory authorities.

You can opt-out/unsubscribe from receiving emails and communications from us at any time. Opt-out/unsubscription methods will be accessibly signposted in our regular communications. However, we will retain the right to send you a minimal number of important communications for the purposes of pursuing the legitimate interests or meeting the statutory requirements of the IWW as a trade union (namely for union ballots and communicating our Annual Returns Statement).

We will keep your personal data confidential and will take appropriate measures to protect it against loss, theft or misuse and to safeguard your privacy. The IWW uses industry standard efforts to safeguard the confidentiality of your personally identifiable information

We retain your data only for the period necessary to enable us to fulfil the purpose(s) for which we collected it, to comply with our legal obligations and/or whilst we maintain your consent or a legitimate interest in retaining it.

Personal data about members in good standing and any personal data we hold about non-members will be retained in our Membership Database and/or organising and casework records for as long as members remain in good standing or we maintain a lawful basis and purpose to retain it according to our Privacy and Data Protection Policy and the applicable legislation.

Additionally, the standard retention period is 7 years, In the IWW WISE-RA Membership Database and/or in our organising and casework records, for personal data about lapsed, cancelled or deceased members, and for personal data about non-members, where we no longer maintain a lawful basis and purpose for retaining the data longer according to our Privacy and Data Protection Policy or applicable laws. At the end of this standard retention period, the personal data will be erased (either deleted, or anonymised so that it is no longer personally identifiable), except in rare cases where we maintain a lawful basis and purpose for retaining it for longer. If you make a legitimate personal data erasure request, your personal data may be erased (deleted or anonymised) sooner than this.

By default, contents that you have emailed, posted or uploaded yourself via IWW communications services (email accounts, email lists, internal chat, forum, file repository, etc.) will remain indefinitely stored and visible to users on those platforms, even if you are no longer a member, unless you delete them yourself or explicitly request their erasure (the default, when we apply such requests, is anonymisation).

Likewise, on third-party communications (or data processing) platforms where you have given your consent to the IWW to share your personal data in order to connect/subscribe you and communicate with you (e.g., Whatsapp or Signal chat groups, Slack Channels, Loomio, etc.), contents that you post may remain indefinitely stored there unless you take action to delete them yourself or request their erasure by that third party Data Controller. You can ask us us to remove the subscription/connection/contact-data, that you had initially given us to add/subscribe you to a third-party platform, and we will comply with your request (except in rare cases where we maintain a lawful basis to delay or refrain from doing so), but we cannot, on your behalf, erase the content you posted yourself from those platforms, and it is your responsibility to do so.

If you have any questions or concerns about our Data Protection and Privacy Policy or would like to request access, deletion or restricted use of your personal data directly from the Data Protection Officer, you can send an email to the IWW Data Protection Officer (click here); members can also do this by clicking here to submit a request via the members’ website contact form (password protected site) (select the ‘Personal data requests’ category), or by post at the following address:

Data Protection Officer, IWW, PO Box 111, Minehead, TA24 9DH, United Kingdom.


Purpose, scope and general provisions of this policy

The IWW WISE-RA (Wales, Ireland, Scotland and England Regional Administration) is committed to processing personal data in accordance with its responsibilities under UK law.

The purpose of this policy is to:

  • Inform IWW members and other individuals whose data we collect and process about who we are, the types of information we collect, how and for what purposes we process it, who we share it with and how long we keep it;
  • Inform the reader of certain rights they have regarding their personal information under current data protection laws;
  • comply with the law in respect of the data the IWW holds about individuals;
  • follow good practice;
  • protect all persons whose personal data is processed by the IWW from data breaches or damage resulting from non compliance with the applicable legislation;
  • protect the IWW and its authorised Data Processors from liability, damage and other negative consequences resulting from failure to handle personal data correctly, or non compliance with the applicable legislation;
  • provide a framework of principles, rules and procedures for establishing compliance with all applicable legislation;
  • guide IWW Data Processors, make sure that they understand their responsibilities with regard to data processing, and ensure that they are aware of, and comply with all our policies relevant to data protection and processing, as well as all applicable legislation.

This policy applies to the Wales, Ireland, Scotland and England Regional Administration (WISE-RA) of the Industrial Workers of the World. This includes:

  • All IWW WISE-RA Data Subjects: all members of the IWW WISE-RA, including affiliated Regional Organising Committees that are part of WISE-RA but based outside the UK and Ireland, and any members of other IWW Regional Administrations belonging to the IWW International Organisation whose data the IWW WISE-RA collects and processes (namely in the Interwob Forum), as well as any non-member whose data we collect and process.
  • ⚠ All associated IWW WISE-RA branches, groups, departments, committees or other IWW WISE-RA affiliated bodies.
  • ⚠ All IWW WISE-RA Data Processors: all IWW WISE-RA role holders, officers, worker’s representatives (“Reps”), organisers, trainers, phonebankers, volunteers, staff, contractors, and other authorised Data Processors, including third-party Data Processors, including members or Data Processors of other non-WISE-RA IWW Regional Administrations who are authorised by IWW WISE-RA as administrators or moderators of data processing platforms that process personal data for which IWW WISE-RA is the Data Controller, and any other authorised Data Processor who handle and process personal data on the IWW WISE-RA’s behalf.

⚠ This policy applies to all personal data we process regardless of the media on which that data is stored or whether it relates to past or present Data Subjects.

In so far as it is the Data Controller of the Personal Data concerned, the IWW WISE-RA retains ultimate responsibility for any personal data it shares or grants access to.

The IWW WISE-RA shall register with the Information Commissioner’s Office as an organisation that processes personal data.

⚠ This policy and its clauses, and any breach of this policy or other IWW WISE-RA policies relevant to data processing shall be governed by the law of England and Wales.

All IWW members, non-members and service users who use IWW WISE-RA communications and data processing platforms or any of our other services must also respect this and any other IWW WISE-RA policy about data processing with regard to how they treat other people’s personal data.

Anyone who processes data on the IWW WISE-RA’s behalf will be informed of the existence of this Policy and the availability of other related policies, procedures and guidelines.

⚠ Anyone who processes data on the IWW WISE-RA’s behalf must read, understand and comply with this policy and any other IWW WISE-RA policies relevant to data processing including the Technical and Organisational Measures and the terms of the Data Processor Agreement. IWW WISE-RA Data Processors must implement appropriate practices, processes and controls as well as attend any trainings provided to ensure such compliance. Any breach of this or related Policies may result in disciplinary action.


We adhere to the principles relating to processing of personal data set out in the applicable legislation, which require personal data to be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals (Lawfulness, Fairness and Transparency).
  • Collected only for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes (Purpose Limitation); further Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data Minimisation).
  • Accurate and where necessary kept up to date (Accuracy); every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  • Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is processed (Storage Limitation); personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
  • Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
  • Not transferred to another country without appropriate safeguards being in place (Transfer Limitation).
  • Made available to Data Subjects, and Data Subjects allowed to exercise certain rights in relation to their personal data (Data Subject’s Rights and Requests).

    We are responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability).



This policy shall be reviewed at least annually by the IWW WISE-RA Data Protection Officer (DPO), who will update it in accordance with any changes to the applicable legislation, or as judged necessary by the DPO, or as decided by the IWW WISE-RA Delegates’ Executive Council (DEC) or Annual Conference.

The Union’s IT Committee should hold regular meetings during which it ensures that all policy and procedure, inventory and guidance documentation relating to the administration of the Union’s IT infrastructure are maintained up-to-date.

It is the DPO’s responsibility to review and propose amendments to the DEC or Annual Conference of any decision/motion relevant to data protection where the DPO deems the original form of the decision/motion incompatible with the applicable legislation.

We must also regularly test our systems and processes to assess compliance.

The DPO is responsible for regularly reviewing, testing and auditing all the systems and processes under our control to ensure they comply with this Privacy and Data Protection Policy, and check that adequate governance controls and resources are in place to ensure proper use and protection of personal data.

The DPO works with the IT Committee and Communications Administrator at regular IT Committee meetings to coordinate regular systems security audits and tests, or audits of organisational-processes relating to data processing.

The DPO and IT Committee will include the results of any audit, systems-testing or compliance review in their quarterly reports to the Union’s Delegates Executive Council.

⚠ We are required to ensure that all Union officers, staff, and Data Processors undergo adequate training to enable them to comply with data privacy laws.

The DPO will work with the IT Committee and Training Committee to produce and regularly update a Data Protection training course for the Union’s role holders. The DPO will that that data protection training sessions will be held at least annually.

⚠ Union officers, staff and Data Processors must undergo any data protection-related training that is provided and deemed mandatory by the Union’s DPO.



Who we are

The Wales, Ireland, Scotland and England Regional Administration of the Industrial Workers of the World (IWW WISE-RA, also referred to in this document as “the Union”) is the Data Controller of your personal data.

The IWW is a certified independent trade union registered in the United Kingdom; Certification Officer List Number 790T.

As a Data Controller we are responsible for ensuring that we use your personal data, as the Data Subject, in compliance with data protection laws, making sure that we (including any Data Processor we may entrust with your data) respect all your data protection rights. As the Data Controller, we are directly answerable to you and to the Information Commissioner’s Office for how we process your data. As a Data Controller we have a set of specific responsibilities towards you, your personal data, and the regulatory authorities, that we spell out in this Privacy & Data Protection Policy.


Personal Data: any information relating to an identified or identifiable natural person (Data Subject) as defined in Data Protection Legislation. Personal Data includes Special Category Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

Special Category Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.

Pseudonymisation / Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.

Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, as defined in Data Protection Legislation.

Data Subject / Service User: a Data Subject is an identified or identifiable natural person to whom Personal Data relate, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as defined in Data Protection Legislation. Here we use the terms “Data Subject” or “service user” interchangeably to refer to any individual (whether an IWW member or non-member) who submits their personal data to the IWW WISE-RA in the process of using the services provided by the IWW, communicating with the IWW, conducting business with the IWW, or having services provided on their behalf by the IWW, including, but not limited to: IWW members and membership applicants; IWW Personnel, officers, role holders, staff, employees or contractors; visitors or users of the IWW WISE-RA website; visitors or users of any Information Technology system, service or platform managed by the IWW WISE-RA; and/or any persons for whom the IWW WISE-RA engages to provide services or with whom the IWW WISE-RA enters into a contract for services, support contract, service agreement or data processor agreement (whether as a provider or receiver of the agreed services).

Data Processors / Union or IWW officer(s)/role holder(s)/staff: a Data Processor is a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller, as defined in Data Protection Legislation. Here we use the terms “Data processor” or “role holder” interchangeably to refer to all personnel of the IWW WISE-RA, including any members, volunteers, officers, accredited Worker’s Representatives (“Reps”), contractors, employees, workers, staff, consultants, agents, subcontractors, or any other third parties who have been authorised by the IWW WISE-RA to process the personal data in its care on its behalf.

Data Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as defined in Data Protection Legislation, permutations such as “processing”, “process” or “processed” shall be interpreted accordingly.

Data Processor Agreement: a legally binding document to be entered into between a Data controller and a Data Processor in writing or in electronic form, which regulates the particularities of Data Processing – such as its scope and purpose – as well as the relationship between the Data Controller and the Data Processor.

Applicable Law / Applicable Legislation: unless and until no longer directly applicable in the UK, any court order, or any common law, statute, statutory instrument, order, or regulation issued by a governmental body with authority over the IWW WISE-RA, IWW WISE-RA Data Processors, and/or IWW WISE-RA members and Data Subjects from time to time in the context of their relevant rights and obligations under this Policy including the Data Protection Legislation.

Data Protection Legislation: all applicable data protection laws including, without limitation: (i) the Data Protection Act 2018 (DPA 2018), which encompasses the UK General Data Protection Regulation (UK GDPR), consisting of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (EU GDPR) incorporating the amendments set out in the Keeling Schedule showing changes which would be affected by the Data Protection, Privacy and Electronic Communications (amendments etc)(EU exit) Regulations 2019 made on 28 February 2019 (as amended by the Data Protection, Privacy and Electronic Communications (amendments etc)(EU exit) Regulations 2020 laid on 14 October 2020); (ii) the Privacy and Electronic Communications (EC Directive) Regulations 2003; (iii), the Regulation of Investigatory Powers Act 2000; and (iv) all other laws, directives, regulations and industry guidelines having the force of law or codes of practice issued by the office of the Information Commissioner relating to the Processing of Personal Data or privacy, and/or any amendments thereto and re-enactments thereof and all rules, regulations and orders made under such legislation.

Regulatory Authority: the Information Commissioner’s Office (ICO), and any and all regulatory authorities that have responsibility for regulating Data Processing by the Union, the Union’s Data Processors, or the Union’s Service Users from time to time.

The Data Protection Officer & other roles involved in data protection

The IWW role holder responsible for overseeing data protection and data security matters is our Data Protection Officer (DPO)

The IWW WISE-RA’s Data Protection Officer is:

Alexander King.

If you have any questions or concerns about our Data Protection and Privacy Policy or would like to request access, deletion or restricted use of your personal data, you can contact our Data Protection Officer as follows:

DATA PROTECTION OFFICER
IWW
PO Box 111,
Minehead,
TA24 9DH


According to the IWW WISE-RA rules and policies, The role and responsibilities of the DPO is by default held by the elected Membership Officer. However, in 2020 the Membership Officer opted to appoint and deputise another IWW WISE-RA member to hold the role of DPO, and the Delegate’s Executive Council decided to deputise the role to an elected role holder starting 2023.

The DPO is the person responsible for overseeing and advising on the IWW’s compliance with this policy, all other relevant IWW WISE-RA Policies concerning data protection, security and processing, and applicable data protection laws.

Other responsibilities of the DPO are to:

  • Monitor or perform specific data protection related processes as set out in this Policy, with the administrative support of the IWW WISE-RA Communications Administrator, such as: Data Protection Impact Assessments (DPIAs); Legitimate Interest Assessments (LIAs); the processing, retention & disposal of records; keeping a Register of Systems; managing Data Processor Agreements with Data Processors; data breach management and reporting, Data Protection Policy enforcement, completion of individual rights requests; reviewing and approving third-party data processors and third-party data processing platforms; completing regular system compliance tests and audits.
  • Act as a point of contact with the Information Commissioner’s Officer as required.
  • Act as a point of contact in responding to questions, requests and complaints relating to data protection and data handling.
  • Develop and regularly review Union data drotection and processing policies, in close coordination with the IWW WISE-RA Communications Administrator, Communications Department, IT Committee, Membership Officer, Administration Department, Organising department and DEC.
  • Increase IWW members’ and role holders’ awareness for data protection and puts in place adequate training tools and guidance papers (in coordination with the Training Committee).
  • Manage responses to data breaches and collaborate with the Information Commissioner’s Officer in the course of investigations.
  • Oversee the data protection and security related work of the IWW WISE-RA Communications Administrator and Membership Administrator as contractors.
  • Oversee and Work closely with the Communications Administrator, IT Committee Secretary, and IT Committee volunteers in maintaining and developing the union’s IT systems in way that safeguards and enhances the security of data held by the IWW.
  • Attend meetings of the IWW WISE-RA Administrative Department.
  • Report to the IWW WISE-RA Administrative Department and Delegates Executive Council on data protection matters.

The DPO is not personally liable for data protection compliance. The IWW WISE-RA as an organisation and as the data controller, remains responsible for complying with data protection laws.

The DPO oversees and works closely especially with the Communications Administrator, who takes care of the day-to-day technical and administrative aspects of handling data, maintaining the Union’s IT systems, and implementing the IWW’s data protection and data processing policies and the DPO’s decisions. The DPO also oversees data protection related aspects of the Membership Administrator’s work of managing member records on the IWW WISE-RA membership database.

The DPO also monitors and works closely with the IT Committee Secretary and IT Committee volunteers regarding technical work they implement on the Union’s IT systems that concern data protection and security.

When to contact the Union’s DPO if you’re a Data Processor.

⚠ If you are an IWW WISE-RA officer or Data Processor, please contact the Union’s DPO with any questions about the operation of this Privacy and Data Protection Policy or any applicable legislation, or if you have any concerns that this Policy is not being or has not been followed. In particular, you must always contact the Union’s DPO in the following circumstances:

  • if you intend to collect or process personal data in any way, whether through IWW WISE-RA controlled platforms or non-IWW WISE-RA platforms (e.g., surveys) (see further details on collecting data here, here, and here);
  • If you intend to collect and process it in any way that implies sharing it with third parties (e.g., using any third-party online app or service not operated by the IWW)(see further details on sharing data here and here);
  • if you are unsure of the lawful basis which you are relying on to collect and process personal data (including the legitimate interests or consent bases used by the Union)(further details here);
  • if you need to rely on consent and/or need to capture explicit consent (further details here, and here);
  • if you need to draft Privacy Notices or Fair Processing Notices;
  • if you are unsure about the retention period for the personal data being processed;
  • if you are unsure about what security or other measures you need to implement to protect personal data;
  • if there has been a personal data breach, or you think this policy has not been complied with in any way;
  • if you are unsure on what basis to transfer personal data outside the UK;
  • if you need any assistance dealing with any rights invoked by a Data Subject (further details here, and here);
  • whenever you are engaging in a significant new, or a change in, processing activity which is likely to require a Data Protection Impact Assessment, or plan to use personal data for purposes other than what it was originally collected for;
  • If you plan to undertake any activities involving automated processing including profiling or automated decision-making;
  • If you need help complying with applicable law when carrying out direct marketing activities (e.g., non-members via mailings to promote the union); or
  • if you need help with any contracts, Data Processor Agreements or other areas in relation to sharing personal data with third parties.

Your personal data rights and how to Update and access your information

You have the right to access the personal data we have kept on record about you.

You also have the right to correct the personal data we hold on you or change how we process your data or contact you.

You are entitled to restrict the data we use about you, and how we use it.

You can also ask us to erase all the personal data we hold about you.

Where you have given consent for the IWW to process your data, you may withdraw it at any time by contacting us, as well as exercise all your data subject rights listed above.

Where we collect and process your data on the basis of pursuing our legitimate interest as a trade union (namely, for members), you likewise can exercise all of your rights listed above, but keep in mind that as a Trade Union, we have statutory requirements as well as other lawful bases to hold and process certain essential elements of members’ personal data, without which their membership in the IWW cannot be maintained.

Likewise, where we collect and process personal data on the basis of fulfilling our contractual obligations, continued validity of the contract may be contingent upon the continued retention and processing of certain essential elements of personal data.

You can opt-out/unsubscribe from receiving emails and communications from us at any time. Opt-out/unsubscription methods will be accessibly signposted in our regular communications. However, we will retain the right to send you a minimal number of critical communications for the purposes of pursuing the legitimate interests or meeting the statutory requirements of the IWW as a trade union (namely for union ballots and communicating our Annual Returns Statement).

IWW members can view, modify and download their membership data record as well as their Wobchat, InterWob Forum, IWW Owncloud file repository and IWW Email account data directly by visiting the ‘My Membership’ page of the IWW Members’ Area website (access to this area is restricted to members only and requires a password).

Members can also change the amount they are paying for their monthly dues by direct debit by visiting the ‘Change your direct debit’ page of the Members’ Area website, or they can cancel their direct debit by visiting the ‘Cancel your direct debit’ page (members can also cancel direct debit payments directly with their bank or via internet banking). (Access to the Members’ Area website is restricted to members only and requires a password).

You can also contact our Data Protection Officer to view or modify the data we have about you, or make any requests, enquiries, objections or complaints with regard to your personal data, how we process it, and your rights under data protection legislation. Links and methods for contacting the Data Protection officer are provided in the section of this policy just above, titled ‘who we are’ (click here).

Subject access requests, the provision of data portability, or requests of erasure, rectification, or to restrict or object to processing of your data may be refused or partially refused by the Data Protection Officer in certain cases as provided by the relevant legislation or regulatory authorities. These grounds for refusal are outlined for each type of request on the Information Commissioner’s Office Website. Data erasure requests and subject access requests, in particular, may be refused in part or in whole if the data are relevant to, or if you are subject to, any formal internal process reasonably requiring the data to be retained, such as a formal complaint or investigation, or if the Data Protection Officer decides the data needs to be retained for any reason compatible with the present Privacy Policy or as provided by the relevant legislation or regulatory authorities.

You have the right to complain to the Information Commissioner’s Office if you think the IWW has breached your Data Protection and Privacy rights.


The IWW WISE-RA will ensure that we respect and fulfil the rights given to Data Subjects under the applicable legislation, regarding how we handle their personal data. These include rights to:

  • withdraw consent to processing at any time;
  • receive certain information about our processing activities as the Data Controller;
  • request access to their personal data that we hold;
  • prevent our use of their personal data for direct marketing purposes;
  • ask us to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;
  • restrict processing in specific circumstances;
  • challenge processing which has been justified on the basis of our legitimate interests or in the public interest;
  • request a copy of an agreement under which personal data is transferred outside of the EEA;
  • object to decisions based solely on automated processing, including profiling;
  • prevent processing that is likely to cause damage or distress to the Data Subject or anyone else;
  • be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
  • make a complaint to the ICO; and
  • in limited circumstances, receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format;


the Union and its Data Processors will fulfil Data Subjects’ legitimate requests / Subject Access Requests (SARs) In compliance with the applicable legislation.

In the first instance, after receiving a Data Subject’s request or SAR, the Union’s Data Processors should refrain from immediately responding. Only the DPO is authorised to make decisions concerning such requests. Prior to taking any action regarding the Data Subject’s request or SAR, Data Processors must immediately forward any request they receive to the Union’s DPO and comply with the DPO’s instructions regarding the request/SAR response process. in most cases, the response process will be implemented by the Communications Administrator under direct instructions from the DPO.

The Union’s DPO must verify the identity of an individual requesting data under any of the rights listed in this section (Data Processors must not allow third parties to persuade them into disclosing personal data without proper authorisation).

Data Subjects shall have the right to obtain from the Union, as the Data Controller, confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, obtain access to their personal data.

Information on how to access one’s personal data should be detailed in the Union’s relevant Privacy Notice or Data Protection Policy.

Data Subjects shall have the right to require the Union, without undue delay, to rectify any inaccurate or incomplete personal data concerning them.

Except where the data is held for purposes of legal obligation, Data Subjects shall have the right to require the Union, without undue delay, to erase any personal data concerning them. As a Trade Union, the IWW must meet statutory requirements to retain certain types of data on members, without which continued membership in the Union is not possible.

Where there is a dispute between the Data Subject and the Union about the accuracy, validity or legality of data held by the Union, the Data Subject shall have the right to require the Union to cease processing the data for a reasonable period of time to allow the dispute to be resolved.

Where data is held for purposes of consent or contract the Data Subject shall have the right to require the Union to provide them with a copy, in a structured, commonly used and machine-readable format, of the data which they have provided to the Union, and have the right to transmit that data to another Data Controller without hindrance.

the Union shall ensure that the IT platforms it provides will enable the provision of copies of personal data in commonly used and machine-readable file formats for the purposes outlined in the previous paragraph.

Data Subjects shall have the right to object, on grounds relating to their particular situation, at any time, to processing of personal data concerning them which is based on Legitimate Interest, including profiling based on those provisions. the Union shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Where personal data is Processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing

Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

At the latest at the time of the first communication with the Data Subject, the right referred to in the preceding two paragraphs shall be explicitly brought to the attention of the Data Subject and shall be presented clearly and separately from any other information.

Except where it is: a) based on the Data Subject ‘s explicit consent, or b) necessary for entering into, or performance of, a contract between the Data Subject and a Data Controller; the Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

Where the Union acts as the Data Processor for a third party Data Controller of the personal data concerned by the Data Subject’s request, the Union’s DPO will immediately notify the Data Controller and act in compliance with the Data Controller’s instructions.



Personal data we may collect and the purposes for which we process it

The IWW collects and processes personal data on members, and occasionally non-members, for the purposes of administering itself as an organisation and organising as a union.

‘Personal data’, or ‘personal information’, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

The personal data we collect, via our websites or via any other online or offline method, will only be used for the stated purposes (or closely related purposes) for which it was collected and according to the principles laid out in this Policy.


We may collect your personal information in the following ways:

  • Via website cookies, analytics tools, site logs, server logs, or other similar methods (see ‘Cookies’ section below).
  • Via our online or paper membership application forms.
  • Via online contact forms for submitting queries.
  • Via postal, email, SMS, mobile/online instant messaging, phone communications, or any other forms of communication you have with IWW role holders.
  • Via online or offline survey forms, questionnaire forms, email contact submission forms, casework consent forms, crowdsourcing or crowdfunding campaign forms, or petitions.
  • Via meetings or training sessions we may have with you, whether face to face or via video/voice teleconference.
  • Via any form of communication and documentation relating to payment processing for sending or receiving payments (for example, invoices, online payment forms, or phone calls where we collect payment details or bank account information), and via any online or offline payment platforms or payment methods, including third-party financial institutions such as banks and payment processors.
  • If you are an IWW staff member or contractor, or if you work for us in any other capacity, we may collect and process your relevant personal information as part of the normal purposes of administering your work for us.
  • When you log into and use the functionalities of the online platforms that we maintain for our members and role holders, and when you view, search, alter, post, send, save, or upload content containing personal or personally identifying information on/via those platforms. This includes usage logs, analytics data, or any messages or content that you post, upload, send or edit on/via:
    • The IWW.org.uk website and WordPress administration/editing platform for the website;
    • our online Members’ Area;
    • our chat.iww.org.uk Wobchat platform;
    • our forum.iww.org.uk Interwob forum platform;
    • our email accounts, webmail client site, email server, and email server management system;
    • our mailing lists;
    • our cloud.iww.org.uk cloud file storage platform;
    • our CiviCRM membership database site (and the Drupal Content management System used for the database user interface) and any online forms or data input sites linked to the database;
    • Our Matomo analytics system;
    • Any other online tool or platform we may use for our activites.
  • When you purchase items from our online shop.
  • From other unions or organisations with which we share formal organisational or collaborative ties with around the world, for example: if we have membership transferral agreements; or so that we can administer shared communications platforms (e.g., the Interwob forum). This will always be done in a manner that respects your data rights and privacy, and complies with UK and EU Data Protection laws as well as the data protection laws and standards of your organisation and country, if you reside outside the UK or EU.
  • From other potential third-party sources such as:
    • Your current or past employer (as part of the recruitment process for persons who work for the IWW or may potentially work for the IWW as staff, contractors or service providers; or in the case of our union members, only if and when the IWW supports you with casework or represents you to defend your rights and interests as a worker; we will never share your status as an IWW member with any third party without your prior consent).
    • Your current or past clients, other people you do business with, or your agent or representative, if you are a contractor or service provider we are looking to work with.
    • Public authorities, only if and when we must deal with public authorities to fulfil legal obligations.
    • Publicly available sources, only if strictly required to meet our legitimate interests as a trade union, or to fulfil our legal or contractual obligations. 

We may collect and process information about the following categories of persons or organisations: 

  • Visitors to our websites and users of our online platforms
  • IWW members and membership applicants
  • Current or prospective IWW staff members, employees, contractors, service providers, advisers, consultants, or other persons working for the IWW.
  • Employers of IWW members. (We will never inform your employer about your IWW membership, or interest in the IWW, or interactions with the IWW (including of non-members), without your prior agreement or consent.)
  • Enquirers and complainants.

We may collect and process personal information in the following broad contexts:

  • Membership administration: As part of the membership application process and as part of administering union membership. We will refer to this context with the shorthand notation: “Membership“. Where we make it optional for members to provide the data in this context, we denote it with the additional shorthand notation: “[optional]“.
  • Communications: in contexts where persons may willingly provide those categories of personal data to us by communicating with us, or by using or posting or sending information via our online platforms. This includes responses to surveys or petitions, customers buying items from our online shop, and members using our members-only online spaces/platforms. We will refer to this context with the shorthand notation: “Communications“. Not all the categories of personal data listed in the next sub-section as collected in the “Communications” context are necessarily always collected in that context.
  • Union organising and representation: In contexts where the IWW provides organising support, advice and/or representation to our union members in individual or collective cases or campaigns regarding work issues. In particular, it is often necessary to collect detailed personal data for the casework involved in accompanying, representing and defending individual workers (e.g., at meetings with employers, supporting members’ workplace grievances, supporting members facing disciplinary processes). We will refer to this organising and representation context with the shorthand notation: “Representation“. Not all the categories of personal data listed in the next sub-section as collected in the “Representation” context are necessarily always collected in that context.
  • Staff administration: in the context of managing persons who work for the union as elected officers, role holders, accredited workers’ representatives, or as paid personel, including contractors and third-party service providers or data processors. We will refer to this context with the shorthand notation: “Staff“. Not all the categories of personal data listed in the next sub-section as collected in the “Staff” context are necessarily always collected in that context.

We may collect the following categories of personal information, in the following contexts:

  • IP addresses of visitors and users on our online platforms. We may also retain server logs that include the IP address of every request to our servers. (Communications).
  • Information about users’/visitors’ use of IWW information and communications systems and online platforms, including but not limited to: cookies, usage logs, analytics logs, and any messages and other content and media that users post, upload, send or edit via IWW communications systems, websites or online platforms. (Communications).
  • The contents of any personal information that is provided to the IWW and/or Processed via IWW digital information and communications systems (via joining forms, correspondence, email, messaging, voice calls, teleconferencing, meetings, training sessions, online chat or forum posts, online file sharing, information or queries or complaints submitted via online contact forms, surveys, questionnaires, petitions, payment processing). (Communications).
  • Personal contact details for example: name, addresses (postal/residential address and country of residence), telephone numbers, and personal or work email addresses. (Membership; Communications; Representation; Staff).
  • Date of birth, age. (Communications; Representation; Staff).
  • Gender. (Membership [optional]; Communications; Representation; Staff).
  • Contact details of next of kin, guardian, carer, lawyer, representative or emergency contacts. (Communications; Representation; Staff).
  • IWW Membership details, including membership number, type of membership, membership commencement and end dates, union sections. (Membership; Communications; Representation; Staff).
  • Membership in other unions, including type of membership, membership commencement and end dates, name of union and union sections. (Membership [optional]; Communications; Representation; Staff).
  • Bank account, debit/credit card, or other details about means of payment. (Membership [optional]; Communications; Staff).
  • Information about general income bracket after tax. (Membership; Communications, Representation, Staff).
  • Information about income, salary or payments for services, payroll/invoice records, tax status information, annual leave, pension and benefits information. (Communications; Representation; Staff).
  • Compensation history. (Communications; Representation; Staff).
  • Information about attendance at IWW meetings, trainings, seminars, webinars, conferences, etc. (Membership; Communications; Staff).
  • IWW or other unions’ training certifications. (Membership; Communications; Representation; Staff).
  • Employment/work status; employer; job title; employer’s names and addresses (Membership; Communications; Representation; Staff).
  • Work contract type and terms. (Membership [optional]; Communications; Representation; Staff).
  • Start and end date of employment/work. (Communications; Representation; Staff).
  • Location of employment or workplace. (Membership [optional]; Communications; Representation; Staff).
  • Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter). (Communications; Representation; Staff).
  • Immigration status. (Communications; Representation; Staff).
  • Copies of or data from identity documents, driving licence, passport, birth and marriage certificates. (Communications; Representation; Staff).
  • Work performance and appraisal information. (Communications; Representation; Staff).
  • Workplace disciplinary and grievance information. (Communications; Representation; Staff).
  • Secondary employment and volunteering information. (Membership [optional]; Communications; Representation; Staff).
  • Skills and qualifications. (Membership [optional]; Communications; Representation; Staff).
  • Family, lifestyle and social circumstances. (Communications; Representation).
  • Goods and services provided. (Communications, Representation, Staff).

We may also collect the following categories of more sensitive personal information, in the following contexts (cf. definition for ‘Special Category data’ by clicking here, then clicking collapsed section on definitions of key terms):

  • Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions. (Communications; Representation; Staff).
  • Trade union membership, including membership and roles in other trade unions than the IWW. (Membership [giving information about membership in other trade unions is optional]; Communications; Representation; Staff).
  • Information about your health, including any medical condition, health and sickness records, disability or accessibility requirements, accident book, first aid records, injury at work and third-party accident information. (Membership [information about disability status or accessibility requirements is requested but optional]; Communications; Representation; Staff).
  • information about criminal convictions/allegations and offences. (Membership [only in the context of Incarcerated members of our Prisoner Solidarity Network]; Communications; Representation; Staff).

We may use the personal data we collect for the following purposes:

  • To administer our websites and online platforms.
  • To enable your use of the services available on the IWW websites and online platforms.
  • To enable the functionalities available on our websites and online platforms.
  • To improve your browsing experience.
  • To prevent or detect any abuse of our websites and data processing systems and ensure data security.
  • To enable us or third parties to carry out technical or other functions on our behalf to improve our data processing systems.
  • To deal with enquiries and complaints made by you.
  • To process membership applications and membership data/records.
  • To provide IWW members with information and updates about the IWW’s activities, campaigns, and services.
  • To conduct our organising activities and campaigns as a union.
  • To conduct union elections and ballots.
  • to administer IWW branches, departments, committees and other IWW bodies.
  • To provide support, advice and/or representation in an individual or collective case regarding work issues (e.g., meetings with employers, supporting our members’ workplace grievances, supporting members facing disciplinary processes at work).
  • To perform the Union’s administrative work, and to administer our role holders and staff, including third party contractors or service providers.
  • To fulfil our contractual obligations with our members and users of our services.
  • To fulfil our contractual agreements with our staff, contractors or with third party service providers, data processors, or other organisations.
  • To serve or support our rights, property, legal obligations, contractual obligations and legitimate interests as a trade union organisation, as well as to serve or support the legitimate interests, legal obligations, contractual obligations, legal rights, property, and personal safety of our members, service users, role holders, staff, contractors, third party service providers, data processors or third party organisations with which we conduct business as part of pursuing our legitimate interests as a trade union.
  • To communicate with our members, service users, role holders, staff, contractors, third party service providers, data processors or third party organisations with which we conduct business as part of our legitimate interests as a trade union.
  • To process membership subscription/dues payments.
  • To conduct an official IWW WISE-RA internal complaints process, mediation process or investigation.
  • To make and receive payments.
  • To process and ship anything you purchase from our shop.
  • To comply with legal requirements (e.g., ballots, annual audits of the union’s finances).
  • For research purposes to further the legitimate interests of the IWW.
  • To record any contact we have with persons whose data we process.
  • To process your personal data where we have collected your explicit and informed consent to do so.
  • For other trade union related purposes, objects or activities, including those set in the IWW Rule Book and Manual of Policies and Practices.

⚠ IWW role holders, staff, Data Processors, members and service users must never use the personal data under the IWW WISE-RA’s care to:

  • to canvass for particular candidates, policies, or political aims within the
    IWW or outside it;
  • to recruit for non-IWW organisations;
  • to recruit for events and causes not endorsed by the IWW; or
  • to build up contact lists for such activities at a later date.

By joining or working with the IWW you should understand that we may use some or all of the personal data you have provided for the above purposes. Where other purposes apply, we will notify you when you provide your data.

Lawful bases for the collection and processing of personal data, and Privacy Notices specifying the purpose and lawful basis of data collection/processing

The lawful basis for collecting, storing and processing this data is the IWW pursuing our legitimate interests as a trade union.

This principal lawful basis subsumes further lawful bases such as meeting our legal or contractual obligations (or in rare cases, where we may need to process data to protect someone’s life, i.e., on the lawful basis of vital interests).

The lawful basis of consent may be used instead in specific cases outlined further below.

We will collect, store and process any personal data we collect according to the principles set out in this Privacy Policy.

We will only collect and process any of the personal information listed above if it is necessary to fulfil our legitimate purposes, or if we have obtained your explicit consent in specific cases set out further below, especially for sensitive categories of personal data. This means that we will avoid using any personal data, or minimise, or pseudonymise the personal data that we process, if that is sufficient to adequately achieve our purposes. It furthermore means that we will only collect or process personal data if one or more of the following apply:

  • It is necessary to administer the union and fulfil our legitimate interests as a trade union; or
  • We are required to do so by law; or
  • it is necessary to comply with our contractual obligations; or
  • we have your explicit consent to do so; or
  • we have taken reasonable steps to make you aware of this Privacy Policy and you willingly provide the information to us, for example, through your correspondence and communications with us, or by transmitting, posting, sending, or uploading it on/via/to any of the websites, communications systems, or online web services that we maintain; or
  • it is necessary to protect someone’s life.

Whenever you submit your personal information to our role holders via postal, email, SMS, messaging applications, voice calls, or any other form of communication, we will assume that you consent to the IWW collecting and processing your personal information according to this Privacy Policy and on the lawful basis of the IWW’s legitimate interests as a trade union.

All emails sent by IWW role holders or persons contacting you on our behalf will contain a footer with a link clearly referring to this Privacy Policy.

Whenever we solicit personal information (whether from members or non-members) via forms, we will clearly explain our purposes for collecting the data, include a Privacy Notice, and explicitly refer to this Privacy Policy.

When we solicit personal data from non IWW members for the purposes of research, promoting the union (‘marketing’), surveys or petitions, we will ask the respondent to explicitly consent to the IWW processing their personal data according to this Privacy Policy and will therefore process their data on the lawful basis of consent.

When we solicit, collect and process data for those same purposes but from existing union members or staff (including role holders, contractors and any third party service providers or data processors), we will process the data on the lawful basis of our legitimate interests as a trade union. 

Whenever we solicit personal data from IWW members or non-IWW members to subscribe them, share their data with, or process their data using third-party data processing platforms, we will clearly explain our purposes for collecting the data and ask the respondent to explicitly consent to the IWW processing and sharing their personal data according to this IWW Privacy Policy and the Privacy Policies of the third-party platform. In this context, we process the data on the lawful basis of consent.


Purpose limitations:

The applicable law restricts our actions regarding the processing of personal data to specified lawful purposes or bases. These restrictions are not intended to prevent processing, but rather to ensure that we process personal data fairly and without adversely affecting the Data Subject.

Personal data must be collected only for specified, explicit and legitimate purposes. It must not be processed in any manner incompatible with those purposes.

IWW Data Processors cannot use personal data for new, different or incompatible purposes from those disclosed when it was first obtained unless we have informed the Data Subject of the new purposes and they have consented where necessary.

We should document our decision to rely on any specific lawful basis and ensure that we can justify our reasoning.

Legitimate Interest:

The IWW’s principal lawful basis for collecting, storing and processing data is the IWW pursuing our legitimate interests as a trade union for purposes where they are not overridden because the processing prejudices the interests or fundamental rights and freedoms of Data Subjects.

These legitimate interests and purposes are set out in the data processing purposes listed in this section, and are further characterised in the IWW WISE-RA’s wider set of rules, policies, activities and reasonable interests as a Union, and also by common, reasonable expectations regarding Trade Union activities, and as further defined by applicable laws relating to Trade Unions’ activities.

The processing must be necessary. If we can reasonably achieve the same result in another less intrusive way, Legitimate Interests will not apply.

We must balance our interests against the Data Subject’s. If they would not reasonably expect the Processing, or if it would cause unjustified harm, their interests are likely to override our Legitimate Interests.

Legitimate Interests also include serving or supporting the legitimate interests of our members, service users, role holders and staff, particularly in meeting our contractual or legal obligations towards them.

We performed a Legitimate Interest Assessment (LIA) in 2018, prior to producing the first iteration of this Privacy and Data Protection Policy. Before we start Processing any Personal Data on the basis of Legitimate Interest, we perform and record an LIA. An LIA is a type of risk assessment used to determine whether Legitimate Interest can lawfully apply. In performing the LIA we employ the three-part-test approach as described in the ICO’s website guidance on GDPR and Legitimate Interests. This three-part test consists in:

  • Identifying a legitimate interest;
  • showing that the Processing is necessary to achieve it; and
  • balancing it against the individual’s interests, rights and freedoms.

Consent:

Here, “consent” means an agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the processing of personal data relating to them. A Data Subject consents to processing of their personal data if they indicate agreement clearly either by a statement or positive action to the Processing. Consent requires affirmative action so silence, pre-ticked boxes or inactivity are not sufficient.

The IWW WISE-RA and its Data Processors must record evidence of consent captured and keep records of all consents on the IWW WISE-RA Membership Database.

Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.

Data Subjects must be easily able to withdraw consent to processing at any time and withdrawal must be promptly honoured.

Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Union’s systems.

Consent may need to be refreshed if you intend to process personal data for a different and incompatible purpose which was not disclosed when the Data Subject first consented.

For IWW members, while we can rely on Legitimate Interest as the basis of data processing, it is mandatory to clearly explain the purposes for collecting the data, and collecting explicit consent is strongly recommended for any supplementary/additional collection and processing of sensitive Special Category Data beyond and after the initial collection of personal data via the IWW WISE-RA membership (joining) form. The same applies for Automated Decision-Making and for cross border data transfers outside of the European Economic Area.

Clearly explaining the purposes for collecting the data, and collecting consent are mandatory whenever we solicit personal data from non-IWW IWW members for the purposes of research, promoting the union (‘marketing’), surveys or petitions.

For both IWW and non-IWW members, whenever we solicit personal data with the intention of subscribing them, sharing their data with, or processing their data using third-party data processing platforms, it is mandatory to collect consent after clearly explaining the purposes for collecting the data and informing them of the Privacy Policies of the third-party platforms.

Contract, Legal Obligation, or Vital Interest:

We consider these three further legal bases for data processing as subsumed under the principal lawful basis of Legitimate Interest on the basis of which we collect and process most personal data in our care.

By Contract: the Processing is necessary for the performance of a contract with the Data Subject. We can rely on this lawful basis if:

  • The Union has a contract with an individual or organisation and we need to process personal data to comply with our obligations under the contract.;
  • we have a contract with an individual or organisation and we need to process personal data so that we or they can comply with specific counter-obligations under the contract (e.g., processing payment details);
  • because an individual or organisation has asked us to do something before entering into a contract that is essential to the implementation of the contract (e.g., provide a quote); or
  • We have a contract or Data Processing Agreement with an individual or organisation that makes the IWW WISE-RA a Data Processor that processes the personal data of Data Subjects for which that individual or organisation acts as a Data Controller or higher-level Data Processor.

  • The processing on the basis of a contract must be necessary. If we could reasonably achieve the same ends by processing less data, or using personal Data in a less intrusive way, this basis will not apply.

By Legal Obligation: to meet our legal compliance obligations. This may include, but is not limited to:

  • Our legal and statutory obligations under laws applying to Trade Unions or labour and employment, including any obligations to share data with the Certification Officers of the UK or Northern Ireland, or with companies we hire to perform obligatory annual financial audits of the Union; or
  • legal obligations to collect, process and share personal data with HM Revenue & Customs that are relevant to the payment or payroll information on Union contractors, paid staff or employees; or
  • obligations to comply with any legally binding request for disclosure of the personal data by a judicial or law enforcement authority.

By Vital Interest: where it is necessary to protect a person’s vital interests.

The data protection legislation also defines Public Tasks as a possible lawful basis for data processing. The Union undertakes no Public Tasks that require the collection, holding and/or processing of personal data.

Transparency & Privacy Notices:

The applicable legislation requires Data Controllers to provide detailed, specific information to Data Subjects depending on whether the information was collected directly from Data Subjects or from elsewhere. Such information must be provided through appropriate Privacy Notices or Fair Processing. This Privacy and Data Protection Policy text, and more specifically, the top section providing the summary of this policy, constitutes an example of such a Privacy Notice.

The Privacy Notice must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand it.

Whenever we collect personal data from Data Subjects, we must provide the Data Subject with all the information required by the data protection laws, including the identity of the Data Controller and the Union’s DPO, how and why we will use, Process, disclose, protect and retain that Personal Data through a Fair Processing Notice which must be presented when the Data Subject first provides the personal data.

When personal data is collected indirectly (for example, from a third party or publicly available source), we must provide the Data Subject with all the information required by the applicable legislation as soon as possible after collecting/receiving the data (within one month) or if the data are used to communicate with the data subject, at the latest, when the first communication takes place; or if disclosure to another recipient is envisaged, at the latest, before the data are disclosed.

When personal data is collected indirectly, we must also make sure it was collected by the third party in accordance with the law and on a basis which is compatible with our proposed processing of that personal data.

For all the above purposes, the IWW WISE-RA and its Data Processors will present the contents of the Summary section of this policy as our Privacy Notice (or in the case of emails sent by IWW role holders from IWW email accounts, a link to this policy webpage, in the email’s footer). The Privacy notice will be provided free of charge, to everyone from whom we collect, or on whom we hold and processes personal data. In addition, when it is presented in this way, the following information will be added within the Policy summary text or in any adjacent text that forms part of the Privacy Notice or data collection medium:

  • A link to this webpage containing the full policy.
  • the purpose of the data collection and processing, and any additional purposes, and specify the lawful basis used for the collection of data, as required.
  • Any intention to share the personal data with any third party, with a link to any third party’s Privacy Notice.
  • The source the personal data originates from and whether it came from publicly accessible sources (Not applicable if the data are being obtained directly from the data subject).
  • The categories of personal data concerned (not applicable if the data are obtained directly from the data subject).
  • Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data (not applicable if the data are not obtained directly from the data subject).
  • Any signature field or tick box and accompanying explanation statement required for the collection of consent.

Data minimisation

The Union and its Data Processors must ensure that only necessary personal data is collected, stored or processed; and personal data is not accessible to an indefinite number of people, but instead access to personal data is granted on a need-to-know basis. This is known as privacy by default.

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Data Processors may only process personal data where the performance of their role requires it. They cannot process personal data for any reason unrelated to their role.

The Union’s Data Processors can only collect personal data that they require for their job: do not collect excessive data. Ensure any personal data collected is adequate and relevant for the intended purposes.

The Union, its DPO and its Data Processors must ensure that when personal data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Union’s data retention guidelines.

Accuracy

Personal data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.

The Union’s Data Processors must ensure that the personal data we use, and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it.

The Union’s Data Processors must check the accuracy of any personal data at the point of collection and at regular intervals afterwards.

The Union, its DPO and its Data Processors must take all reasonable steps to destroy or amend inaccurate or out-of-date personal data.

Register of Systems

The applicable legislation requires us to keep full and accurate records of all our data processing activities. The Union and its Data Processors must keep and maintain accurate records reflecting our processing, including records of Data Subjects’ consents and procedures for obtaining consents.

The IWW WISE-RA Membership Database and other internal IT systems (e.g., the Interwob Forum, Members’ Area, Wobchat, Next Cloud, etc.) should serve as that record, or Register of Systems. This is why IWW WISE-RA Data Processors should keep as much of the data processing activities as they can within IWW WISE-RA’s own data processing systems (namely, the Membership Database, Interwob Forum, Members’ Area, Wobchat, and Next Cloud) where possible, and keep a record on the Membership Database detailing any data processing that occurs outside those internal systems.

The DPO shall be responsible for keeping the Register of Systems up to date with the administrative and technical help, namely, of the Communications Administrator and Membership Administrator.

The Union shall record the appropriate lawful basis upon which personal data or sets of personal data are processed in the Register of Systems.

The Register of Systems should include, at a minimum, the name and contact details of the Data Controller and the Union’s Data Protection Officer, clear descriptions of the personal data types, data subject types, processing activities, processing purposes (i.e., lawful bases for Processing), third-party recipients of the personal data, personal data storage locations, personal data transfers, the personal data’s retention period, any related Data Processor Agreements governing the processing, and a description of the security measures in place. In order to create such records, data maps should be created which should include the detail set out above together with appropriate data flows.

 ‘Privacy by Design’ 

We are required to implement ‘privacy by design’ measures when processing personal data by implementing appropriate Technical and Organisational Measures TOMs (like Pseudonymisation) in an effective manner, to ensure compliance with data privacy principles.

In particular the TOMs should ensure that the security and privacy of people’s personal data are embedded into the lifecycle of the Union’s services, applications, and procedures.

We must assess what ‘privacy by design’ measures can be implemented on all programs/systems/processes we deploy to process personal data, by taking into account the following:

  • the state of the art;
  • the cost of implementation;
  • the nature, scope, context and purposes of Processing; and
  • the risks of varying likelihood and severity for rights and freedoms of Data Subjects posed by the Processing.

Data Protection impact Assessments (DPIAs) 

Data Protection Impact Assessment (DPIA), definition: an assessment of the impact of the envisaged processing operations on the protection of personal data where, taking into account the nature, scope, context and purposes of the processing, the processing is likely to result in a high risk to the rights and freedoms of natural persons, as defined in the data protection legislation.

Data controllers must also conduct Data Protection impact Assessments (DPIAs) in respect to high-risk processing. We should conduct a DPIA when implementing major system or procedure change programs involving the processing of personal data including:

  • use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
  • Automated Processing including profiling and automatic decision making;
  • large scale Processing of special category data; and
  • large scale, systematic monitoring of a publicly accessible area.

A DPIA must include:

  • a description of the Processing, its purposes and the lawful basis used for the processing (including the Data Controller’s legitimate interests if appropriate);
  • an assessment of the necessity and proportionality of the Processing in relation to its purpose;
  • an assessment of the risk to individuals; and
  • the risk mitigation measures in place and demonstration of compliance.


Statutory data requirements

As a trade union, we have a statutory requirement to keep an accurate register of members’ names and addresses. If you wish to be an IWW member, you must provide this information to us.

If you choose to opt out from general information emails, we will retain the right to send you a minimal number of critical communications for the purposes of pursuing the legitimate interests or meeting the statutory requirements of the IWW as a trade union (namely information that we are legally required to send to our members: about union ballots and our Annual Returns Statement).


Cookies

Click here to see our full cookies policy.

Like most websites, the IWW uses cookies to improve our users’ experience. Our cookies policy explains which cookies we use and why, along with where you can find more information about cookies.

On our websites, data may be stored on a ‘cookie’. This is a tiny element of data that our site can send to your browser, which may then be stored on your hard drive. This small amount of information does not contain any private information stored on your computer.

You can prevent the setting of cookies by adjusting the settings on your browser (see your browser Help for how to do this). Be aware that disabling cookies will affect the functionality of this and many other websites that you visit. Disabling cookies will usually result in also disabling certain functionality and features of websites. Therefore it is recommended that you do not disable cookies. 


Storage of data & data retention

We retain your data only for the period necessary to enable us to fulfil the purpose(s) for which we collected it, to comply with our legal obligations and/or whilst we maintain your consent or a legitimate interest in retaining it.

Personal data about members in good standing and any personal data we hold about non-members will be retained in our Membership Database and/or organising and casework records for as long as members remain in good standing or we maintain a lawful basis and purpose to retain it according to our Privacy and Data Protection Policy and the applicable legislation.

Additionally, the standard retention period is 7 years, In the IWW WISE-RA Membership Database and/or in our organising and casework records, for personal data about lapsed, cancelled or deceased members, and for personal data about non-members, where we no longer maintain a lawful basis and purpose for retaining the data longer according to our Privacy and Data Protection Policy or applicable laws. At the end of this standard retention period, the personal data will be erased (either deleted, or anonymised so that it is no longer personally identifiable), except in rare cases where we maintain a lawful basis and purpose for retaining it for longer. If you make a legitimate personal data erasure request, your personal data may be erased (deleted or anonymised) sooner than this.

By default, contents that you have emailed, posted or uploaded yourself via IWW communications services (email accounts, email lists, internal chat, forum, file repository, etc.) will remain indefinitely stored and visible to users on those platforms, even if you are no longer a member, unless you delete them yourself or explicitly request their erasure (the default, when we apply such requests, is anonymisation).

Likewise, on third-party communications (or data processing) platforms where you have given your consent to the IWW to share your personal data in order to connect/subscribe you and communicate with you (e.g., Whatsapp or Signal chat groups, Slack Channels, Loomio, etc.), contents that you post may remain indefinitely stored there unless you take action to delete them yourself or request their erasure by that third party Data Controller. You can ask us us to remove the subscription/connection/contact-data, that you had initially given us to add/subscribe you to a third-party platform, and we will comply with your request (except in rare cases where we maintain a lawful basis to delay or refrain from doing so), but we cannot, on your behalf, erase the content you posted yourself from those platforms, and it is your responsibility to do so.


Personal data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.

The Union and its Data Processors must not keep personal data in a form which permits the identification of the Data Subject for longer than needed for the legitimate purposes or purposes for which we originally collected it, including for the purpose of satisfying any legal, accounting or reporting requirements.

The Union will maintain retention policies and procedures, including Data Retention Schedules, to ensure personal data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time. IWW Data Processors must comply with the Union’s guidelines on Data Retention.

Where the Union acts as the Data Processor for a third party Data Controller or for a third-party, higher-level Data Processor, the terms and conditions of the Personal Data Retention period, Storage Limitation, and Data Disposal may be specified in a Contract for Services, Support Agreement, Service Agreement and/or Data Processor Agreement between the Union and that third-party.

To ensure that personal data is kept for no longer than necessary, the Union shall put in place an archiving policy for each area in which personal data is processed and review this process annually.

The Union and its Data Processors will take all reasonable steps to destroy or erase from our systems all personal data that we no longer require in accordance with the Union’s applicable records retention schedules and policies. This includes requiring the Union’s Data Processors, including third-party Data Processors, to delete such data where applicable.

The Union and its Data Processors will ensure Data Subjects are informed of the period for which data is stored and how that period is determined in any applicable Privacy Notice or Fair Processing Notice.



Data security

We will keep your personal data confidential and will take appropriate measures to protect it against loss, theft or misuse and to safeguard your privacy.

IWW uses industry standard efforts to safeguard the confidentiality of your personally identifiable information, such as using robust access authentication methods, Access Control Lists, firewalls and SSL (secure socket layers). We make every effort to protect the loss, misuse and alteration of information under our control. However, data transmission over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet. Your IWW membership information is password protected so that only you can access it and view the information contained in your account. You are responsible for maintaining the secrecy of your passwords.


Data Security and TOMs principles and general terms.

Technical and Organisational Measures (TOM), definition:  the functions, processes, controls, systems, procedures and measures taken to protect and secure the Personal Data, Service User Data and any other sensitive general data that the Society processes.

Personal data must be secured by appropriate Technical and Organisational Measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

We will develop, implement and maintain safeguards based on a Technical and Organisational Measures Policy appropriate to our size, scope and business, our available resources, the amount of Personal data that we own or maintain on behalf of others and identified risks (including use of encryption and pseudonymisation where applicable). Our TOMs will be outlined in this section of the Policy.

The objectives of the TOMs Policy are to:

  • Ensure that all Union Data Processors are aware of, and implement all the Technical and Organisational Measures required to effectively comply with this Policy and all applicable legislation.
  • Provide a concrete framework of procedures for establishing suitable levels of information security for the Union’s information systems and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.
  • Provide the principles and methods by which a safe and secure information systems working environment can be established for Data Processors and service users.
  • Ensure that Data Processors understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle.
  • Protect the Union from liability or damage through the misuse of its IT facilities and other information processing media.
  • Maintain research data and other confidential information provided by suppliers and other third parties at a level of security commensurate with its classification, including upholding any legal and contractual requirements around information security.
  • Respond to changes in the context of the Union as appropriate, and to implement improved security and organisational measures as and when required.

The following information security principles provide overarching governance for the security and management of information within the Union:

  • Information will be classified according to an appropriate level of confidentiality, integrity and availability and in accordance with relevant legislative, regulatory and contractual requirements.
  • Data Processors will handle information in accordance with its classification level, and will comply with any policies, procedures, systems or contractual / Data Processor Agreement requirements put in place by the union to meet those responsibilities.
  • Information will be both secure and available to those with a legitimate need for access in accordance with its classification level. Therefore, access to information will be assigned to Data Processors on a need-to-know

We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data.

IWW WISE-RA Data Processors are responsible for protecting the personal data we hold. They must implement reasonable and appropriate security measures against unlawful or unauthorised processing of personal data and against the accidental loss of, or damage to, personal data. They must exercise particular care in protecting Special Category Data from loss and unauthorised access, use or disclosure.

Our Data Processors must follow all procedures and technologies we put in place to maintain the security of all personal data from the point of collection to the point of destruction. They may only transfer personal data to third-party service providers who have signed a Data Processor Agreement with us, agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested by us (via our DPO).

Data Processors must maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:

  • Confidentiality means that only people who have a need to know and are authorised to use the personal data can access it.
  • Integrity means that personal data is accurate and suitable for the purpose for which it is processed.
  • Availability means that authorised users are able to access the personal data when they need it for authorised purposes.

⚠ TOMs General Provisions

Data Processors must comply with all applicable aspects of our Technical and Organisational Measures Policy and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the applicable legislation and relevant standards to protect personal data.

With regard to personal data for which IWW WISE-RA is the Data Controller, or general internal IWW WISE-RA business, as far as possible, only IWW-WISE-RA-controlled or mandated internal communications platforms and tools should be used for core data processing functions of the Union at the IWW WISE-RA Regional Administration and ROC levels, such as membership data and database management, the discussion and practice of internal union business, deliberations and democracy, democratic decision making and elections, complaints processing and data retention, the long term retention and processing of personal data and casework / worker’s representation / organising data, and email communications from and between IWW officers, role holders and data processors about IWW WISE-RA business or containing any personal information processed on behalf of the IWW.

Where possible, non-commercial, open-source platforms, and/or highly secure platforms that minimise the sharing of IWW business data and IWW-processed personal data with third party sources, should be given preference for use as IWW controlled and mandated data processing and communications platforms.

For the IWW NARA (North American Regional Administration) role holders who sign the IWW WISE-RA Data Processor Agreement, all of the terms and conditions described in this document only apply to the processing of the personal data of Data Subjects for which IWW WISE-RA is the Data Controller (i.e., personal data, including the personal data of NARA members, when it is processed within the Interwob forum or other WISE-RA controlled data processing platforms), and excludes NARA members’ personal data where it is processed by IWW NARA outside of the Interwob forum (and outside of any other WISE-RA controlled data processing platforms), and NARA union business excluding personally identifying data in any context or platform, which are governed by the laws, rules, policies and procedures relevant and applicable to and within NARA.

Agents of third party organisations authorised as IWW WISE-RA Data Processors must only use the communications and data processing platforms and tools (e.g., organisational email accounts and other data processing tools and platforms) provided by IWW WISE-RA or by that authorised third party Data Processor organisation when processing data on the IWW’s behalf.

Going forward in this document ‘IWW’ will stand for ‘IWW WISE-RA’, and ‘IWW Data Processors’ will be taken to include all IWW WISE-RA members; IWW WISE-RA role-holders, staff, or employees; IWW NARA members; individual contractors; or agents of third party organisations, who sign a Data Processor Agreement with IWW WISE-RA in order to process data controlled by IWW WISE-RA.

When required for their role, IWW officers, role holders and Data Processors will be given an email account hosted on an IWW controlled email server and/or any access their role may require to other IWW controlled or authorised data processing platforms (e.g., the Membership Database, the Interwob forum administrator or moderator tools and interfaces, any IWW-approved data processing or communications accounts, platforms or tools managed by IWW-authorised third party Data Processors).

IWW officers, role holders and Data Processors (including agents and staff of authorised third party Data Processors) must only use the data processing and communications tools/platforms/accounts assigned to them by the IWW, or by third party organisations authorised by IWW as Data Processors, for all processing or communications of business data or of personal information for which the IWW WISE-RA is the Data Controller. They must never use personal emails or unauthorised/unmandated personal or third party data processing platforms for these purposes, unless the Data Subjects whose personal data is processed provide explicit and informed written and recorded consent.

Explicit and informed consent means that, before they consent, the Data Subject must be informed of what data will be processed and/or shared, for what purposes it will be processed and/or shared, how it will be processed and/or shared, and with whom it will be shared. The personal data must never be processed or shared in a manner that differs from the purposes and methods that informed that consent unless further consent is obtained to include those new methods and purposes.

Internal IWW officers, role holders who have signed an IWW DPA, and the IWW Communications Administrator(s), Membership Administrator(s) and Finance Administrator(s), but no other third party Data Processors, can use their personal telephones and telephone numbers to make regular (phone number to phone number) voice calls and send SMS messages directly to IWW Data Subjects on behalf of the IWW, for the Data Processing purposes of running the IWW as a Trade Union, as outlined in the section of the “IWW Privacy and Data Protection Policy” titled “Personal data we may collect and the purposes for which we process it”. the Signal app may also be used for end-to-end encrypted messaging and voice-over-internet calls for the same purposes. Where possible, the Signal app should be given preference over unencrypted voice calls and messaging.

All IWW role holders and data processors may also use Signal end-to-end encrypted messaging and voice-over-internet calls to communicate amongst themselves about IWW business and IWW Data Subjects’ personal Data.

No mobile messaging or voice-over-internet apps other than Signal should be used unless explicitly authorised by the IWW Data Protection Officer (DPO) and mandated by a relevant body of the IWW, or unless the Data Subject provides their explicit and informed consent to do so.

IWW data processors must not keep the contact details of call, SMS, Signal-messaging or Signal-call recipients or the contents of SMS or Signal messages saved on their devices longer than is necessary for fulfilling their IWW mandated work, unless they have the explicit and informed consent of the recipient to retain the data for longer on their devices.

⚠ Organisational TOMs Applying to IWW WISE-RA Data Processing

⚠ This section specifies the Technical and Organisational Measures that IWW WISE-RA as an organisation is required to implement when processing IWW WISE-RA data and IWW Data Subjects’ Personal Data:

1. Information Security Policies
  • Policy Maintenance: Maintain and implement a documented information security policy that includes guidelines to safeguard the confidentiality, integrity, and availability of Union Data.
  • Documented Procedures: Ensure that these policies include specific and formally documented provisions and procedures for access control management, systems configuration and maintenance, data encryption, maintenance of information systems’ physical security, systems and network security and functionality monitoring, vulnerability and patch management, security incident management, and backup and recovery protocols.
    • The Union’s Data Protection Officer, IT Committee and Communications Administrator maintain a full set of policies & procedures, inventory, and guidance documentation covering all aspects of the Union’s IT Infrastructure and its administration in an IT Committee folder of the Nextcloud file repository and in the ‘IT Documentation’ and ‘IT Access & Privileges’ subsections of the ‘WISE-RA Wikis’ Section of the Interwob forum.
  • Enhanced Confidentiality Measures: Implement specific measures to protect all confidential information, ensuring it is not disclosed without prior written consent from the Data Controller.
    • These measures are implemented via standard IWW WISE-RA Data Protection Agreement contracts which are maintained by the IWW WISE-RA Data Protection Officer. The IWW DPA for individual Data Processors (Union role holders and Union administration contractors) is an online form which can be found at https://nudb.iww.org.uk/node/1268; the template for the Organisational DPA to be signed with third party Data Processor organisations is stored in the Data Protection folder of the Union’s Nextcloud file repository. Both DPA documents are regularly updated as requirements change.
  • Regular Reviews: Review and update policies regularly, especially in response to changes in Union requirements or the Data Processor’s role.
    • The Union’s Data Protection Officer works with the IT Committee and the Communications Administrator to review the “IWW Privacy and Data Protection Policy” document and all related sub-Policies and documents, including DPAs. The Union’s IT Committee holds regular twice-monthly meetings during which it ensures that all policy and procedure, inventory and guidance documentation relating to the administration of the Union’s IT infrastructure are maintained up-to-date. The Union’s Data Protection and Data Security related policies are reviewed at least annually by the Data Protection Officer as provided in the section titled “Policy updates, system audits and training” in the “IWW Privacy and Data Protection Policy”<
2. GDPR Compliance / Regular Audits and Compliance Reviews
  • Designated Data Protection Officer: Designate a Data Protection Officer responsible for overseeing and implementing these security measures. Provide the name and contact information of this individual to the Information Commissioner’s Office (ICO), the union membership, the public, IWW Data Subjects, and IWW Data Processors.
    • The IWW WISE-RA Rulebook designates the union’s mandated Membership Officer as nominally holding the role of Data Protection Officer (or in the absence of a Membership Officer, the Union Secretary). The role may be delegated/deputised by the nominal DPO (or by a decision of the Union’s Delegates Executive Council) to an acting or elected DPO. The name, contact details and responsibilities of the current IWW WISE-RA DPO are detailed in the “IWW Privacy and Data Protection Policy” section titled “The Data Protection Officer & other roles involved in data protection”. This Policy document is accessible to the public on the IWW’s website. The current DPO is also named in all Data Processor Agreements.
  • Compliance with Standards: Comply with security standards as required by the Data Protection Legislation and ICO.
    • The Union’s data security policy is detailed in the section titled “Data Security” in the “IWW Privacy and Data Protection Policy”
  • Internal Audits: Conduct regular internal audits of security practices and controls, particularly regarding the processing of Union Data.
    • The DPO is responsible for conducting & coordinating these regular audits. The DPO works with the IT Committee and Communications Administrator at regular IT Committee meetings to coordinate regular systems security audits, or audits of organisational-processes related to data processing. The Union’s data systems audits policy is detailed in the section titled “Policy updates, system audits and training” in the “IWW Privacy and Data Protection Policy”
  • Audit Reporting: Provide the Delegates Executive Council with the results of security audits or compliance reviews.
    • The IT Committee and Data Protection Officer each issue a quarterly report of their activities for each quarterly Delegates Executive Committee meeting which include the results of any audit or compliance review conducted.
  • Third-Party Audits: All IWW role holders and Data Processors must allow for and contribute to audits and inspections conducted by the DPO or an auditor mandated by the DPO.
    • This obligation is stipulated in “IWW Privacy and Data Protection Policy” and the DPA that all IWW Data Processors must sign, and enforced by the DPO.
  • Documentation Provision: All IWW role holders and Data Processors must provide documentation and evidence upon request to the DPO to demonstrate compliance with the IWW’s Technical and Organisational Measures.
    • This obligation is stipulated in “IWW Privacy and Data Protection Policy” and the DPA that all IWW Data Processors must sign, and enforced by the DPO.
  • Records of Processing Activities & Register of Systems: Maintain an accurate and regularly updated Register of Systems, including records of all categories of Processing activities carried out on behalf of the Data Controller, Processing purposes, third-party recipients of the Personal Data, data storage locations, Personal Data transfers, data retention period, any related Data Processor Agreements governing the processing, and a description of the security measures in place.
  • The IWW’s Register of Systems is distributed across multiple documents and repositories, namely the “IWW Privacy and Data Protection Policy” and the included TOMs, the Union’s “IT Tools and Resources” document, the Union’s membership database system, and the Union’s Access Control List systems.
  • Assistance with DPIAs: All IWW role holders and Data Processors must assist the DPO in conducting Data Protection Impact Assessments when required under Article 35 of the UK GDPR, providing necessary information to the DPO about processing activities and potential risks.
  • Data Subject Rights Assistance: All IWW role holders and Data Processors must assist the DPO in responding to Data Subject requests under the UK GDPR, ensuring timely provision of information required to fulfil such requests.
  • DPO Cooperation: All IWW role holders and Data Processors must Cooperate with the DPO, providing access to necessary information to perform their duties effectively.
    • This obligation is stipulated throughout the “IWW Privacy and Data Protection Policy” and in the DPAs that all IWW Data Processors must sign, and enforced by the DPO.
  • Regulatory Cooperation: The DPO and all IWW role holders and Data Processors must cooperate fully with the Information Commissioner’s Office (ICO) or other relevant Regulatory Authorities in the performance of their tasks. IWW Role holders and Data Processors must provide the DPO with rapid (and if possible, prior) notice of all communications from or investigations by the ICO or Regulatory Authorities unless otherwise mandated by legislation or the Regulatory Authority. IWW Role holders and Data Processors must keep the DPO informed at all times of ongoing communications or cooperation with Regulatory Authorities.
    • This obligation is stipulated throughout the “IWW Privacy and Data Protection Policy” and the DPAs that all IWW Data Processors must sign, and enforced by the DPO.
  • 3. Personnel and Data Access Policies
    • Security Awareness Training: Provide basic security awareness training as well as Security Incident response training for all personnel during onboarding and periodically thereafter.
      • The DPO will work with the IT Committee and Training Committee to produce and regularly update a data protection training course for the Union’s role holders. The DPO will ensure that these trainings are held at least annually. The Union’s data protection training policy is detailed in the section titled “Policy updates, system audits and training” in the “IWW Privacy and Data Protection Policy”
    • Termination Procedures: Implement appropriate access control and access termination procedures for personnel with access to information systems, ensuring access rights are promptly revoked upon termination or role change.
      • Commencement and termination of data access for IWW role holders and Data Processors is robustly managed through the Union’s Access Control List systems, which are automatically and electronically linked to a registry of role holders on the IWW Membership Database which is actively maintained up to date by the IWW Communications Administrator. Only persons who are bound by a DPA are granted access to Personal Data under the IWW’s care.
    • Third-Party Access Control: Implement appropriate access control procedures for external parties granted access to information systems.
    • The same Access Control system as described above is used, and additionally. The IT Committee and Communications Administrator only grants credentials for systems access to authorised external parties who have signed DPAs and Service Contracts with the IWW.
  • Confidentiality Agreements: Require all personnel, including employees and subcontractors, to sign confidentiality agreements to protect union data and ensure compliance with UK GDPR.
    • The “Privacy and Data Protection Policy” stipulates that all Union Data Processors are required to sign IWW WISE-RA Data Protection Agreement (DPA) contracts which are maintained by the IWW WISE-RA Data Protection Officer with the help of the Communications Administrator, and recorded on the IWW Membership Database (for the online Data Processor Agreements signed by individual Data Processors) or the Data Protection folder of the Union’s Nextcloud file repository (for Organisational DPAs signed by third party Data Processor organisations).
  • Outsourcing Restrictions: Do not outsource information security functions or data processing functions to third parties without prior approval from the DPO.
  • Liability Insurance: Maintain appropriate liability insurance, including cyber liability insurance, in addition to general liability insurance. The union maintains appropriate liability insurance.
    • The Union maintains a liability insurance policy which includes cyber liability insurance.
  • Geographical Compliance: Ensure that all employees and physical office locations comply with UK Data Protection Legislation.
    • The “Privacy and Data Protection Policy”, particularly the section titled “Transfers overseas” in the “IWW Privacy and Data Protection Policy”, as well as all Union DPAs outline geographical compliance requirements and the DPO regularly monitors for compliance.
  • 4. Access Control
    • User Access Management: Ensure that access to Union Data is granted strictly based on role and necessity, particularly for sensitive Personal Data and Special Category Data.
    • Authentication/Verification Protocols: Use robust authentication methods, including multi-factor authentication (MFA), combined with Access Control Lists for systems that contain or control access to Union Personnel and Members’ Personal Data and platform permissions, preventing unauthorized actions.
    • Access Reviews: Regularly audit user access levels to ensure that only authorised Union personnel, members, and Data Processor staff have appropriate access to sensitive areas.
    • Activity Logging and Monitoring: Log all administrative activities related to user permissions, data access, and system changes. Monitor these logs for unusual or unauthorised access.
    5. Data Minimisation and Retention
    • Data Limitation: Ensure that Personal Data Processed within the Union’s systems or the Data Processor’s systems is limited to what is necessary for the specific tasks defined in the contract.
    • Retention Policies: Implement appropriate data retention and deletion policies to ensure Personal Data is only retained for as long as necessary.
    • Secure Disposal: Securely delete or anonymize Personal Data when no longer required.
    • Data Return or Deletion: Upon termination of services, return all Union Data & Personal Data to the Data Controller or securely delete it as instructed, providing confirmation of deletion.
    6. Pseudonymisation and Anonymisation
    • Data Protection Techniques: Where applicable, implement pseudonymisation and anonymisation techniques for Personal Data within Union or Data Processor systems or during any data extraction, especially if used in analytics or reporting.
    7. Data Encryption
    • Data at Rest: Encrypt all Union Data including data stored on servers and backups, using strong encryption standards (e.g., AES-256).
    • Data in Transit: Ensure all data transmitted between systems is protected using secure communication protocols such as TLS 1.2 or higher.
  • Cryptographic Protocols: Issue public key certificates and/or obtain them from approved service providers.
  • 8. Physical Security
    • Access Restrictions: For physical infrastructure managed by the Data Processor (e.g., data centres), ensure access is restricted to authorised personnel only. Use mechanisms like key cards, biometric access controls, and physical surveillance.
    • Secure Off-Site Backups: Maintain off-site backups in physically secure locations to protect against physical threats like theft, fire, or damage.
    9. System Configuration
    • System Inventory: Maintain an accurate and current documented inventory of system components. Review and update this inventory regularly.
    • Configuration Management: Document and approve deviations from established configuration settings. Restrict or prohibit the use of non-essential functions, ports, protocols, and services.
    10. System Maintenance
    • Maintenance Monitoring: Monitor all maintenance activities.
    • Tool Control: Control and monitor all information system maintenance tools.
    • Activity Records: Maintain records for all maintenance and diagnostic activities.
    • Authorized Personnel: Maintain a list of authorised maintenance personnel. Ensure they have the required access authorisations.
    11. Systems and Network Security Monitoring and Vulnerability and Patch Management
    • Risk Mitigation: Implement measures to mitigate any identified risks as determined by Data Processing Impact Assessments (DPIAs), in coordination with the Data Controller.
    • Regular Security Testing: Regularly test, assess, and evaluate the effectiveness of Technical and Organisational Measures to ensure processing security.
    • Protective Measures: Implement firewalls, anti-virus software, and intrusion detection/prevention systems to safeguard the Union’s Data and IT infrastructure.
    • Continuous Monitoring: Utilize a continuous monitoring strategy for information systems to detect attacks, potential attacks, and unauthorized use.
    • Network Monitoring: Ensure all network connections are monitored for suspicious activity.
    • Result Analysis: Analyze continuous monitoring results to identify and address security issues.
    • Vulnerability Assessments and Testing: Regularly assess systems for vulnerabilities, particularly systems where Union Data is stored/Processed, to prevent exploitation. Regularly test systems for vulnerabilities to prevent exploitation with periodic vulnerability scans and penetration tests on systems handling Personal Data, addressing any identified issues promptly.
    • Software Testing: Test software and firmware updates for effectiveness and potential side effects before installation.
    • Compliance Monitoring: Monitor security controls for compliance and take actions if components are deemed non-compliant.
    • Timely Patching: Apply security patches and updates in a timely manner. Implement patches categorized as “critical” within 72 hours of release.
    • Patch Management Process: Use Development, Test, QA, and Production environments during the patch management process.
    12. Vulnerability Awareness
    • Anti-Virus Protection: Ensure that systems have anti-virus software running with current, updated virus definition files.
    • Threat Intelligence: Subscribe to external security alerts, lists, and bulletins related to the information systems used.
    • External Security Alerts: Subscribe to external security alerts and advisories related to information systems.
    • Internal Security Alerts: Generate and disseminate internal security alerts, advisories, and directives as deemed necessary.
    13. Backup and Recovery
    • Regular Backups: Perform regular backups of critical systems, especially those containing Union Data.
    • Backup Security: Protect the confidentiality, integrity, and availability of backup information at storage locations.
    • Recovery Procedures: Regularly test recovery procedures to validate the ability to restore systems in the event of data loss, corruption, or breach.
    • Contingency Planning: Ensure recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
    • Alternate Storage Site: Utilize an alternate storage site to permit the storage and recovery of backup information, providing equivalent security safeguards as the primary site.
  • Alternate Communication Means: Ensure alternate forms of telecommunication are available should primary means be unavailable.
  • 14. Incident Management and Breach Notification
    • Incident Response Plan: Implement an incident response plan to manage Security Incidents or Personal Data breaches involving Union Data.
    • Incident Response Training: Provide staff with incident response training to respond appropriately and immediately to information spillages.
    • Immediate Reporting: Ensure that any Security Incident or Personal Data Breach related to Union Data or Union/Data Processor system functionality are reported to the Union’s Data Protection Officer, where feasible, within 24 hours of becoming aware of it, pursuant to DPA and Union Data Policy requirements.
    • Assistance: Provide all necessary assistance for breach reporting to the Information Commissioner’s Office (ICO) or notification to members as required by law.
    • Incident Tracking: Track and document all Security Incidents as part of continuous improvement.
    15. Sub-processor Management
    • Approval for Subprocessors: Obtain the Union’s approval before engaging any sub-processors to Process Union Data or administer the Union’s IT infrastructure pursuant to DPA and Union Data Policy requirements.
    • Equivalent Obligations: Ensure that any sub-processors are bound by equivalent security measures and Data Protection obligations as per DPA and Union Data Policy requirements.
    • Regular Audits: Regularly audit sub-processors to ensure compliance and keep the Union informed of any relevant audit results or findings.
    16. International Data Transfers
    • Specific Conditions for International Transfers: The general policy and specific conditions to be met for authorising International Data Transfers are detailed in the “IWW Privacy and Data Protection Policy” section titled “Transfers Overseas” and the subsection titled “Further details about our policy for transfers of personal data to countries outside the UK and EEA”.
    • DPIA for International Transfers: Additionally, a it is necessary to conduct a Data Protection Impact Assessment (DPIA) prior to approving International Transfers. The procedures for conducting such DPIAs are detailed in the “IWW Privacy and Data Protection Policy” section titled “Using, and sharing data with third-party communications/data-processing platforms and services”. International Transfers should not be performed if the DPIA’s conclusions are negative.
    • Approval for International Transfers: Obtain the Data Protection Officer’s approval before engaging in international transfers of Union Data.
    • Transfer Compliance: Ensure that any transfer of Personal Data outside the UK or EEA complies with Chapter V of the UK GDPR, using approved transfer mechanisms such as Standard Contractual Clauses or Binding Corporate Rules.
    • Data Transfer Agreements: Enter into data transfer agreements as required to lawfully transfer Personal Data internationally.

    ⚠ Specific Technical Security Measures Applying to Individual Data Processors (physical persons)

    ⚠ This section specifies the technical security measures that individual data processors (i.e., physical persons, whether internal IWW role holders, individual IWW contractors, or individual agents or personnel of third party organisations authorised as IWW Data Processors), are required to implement whenever accessing and processing IWW WISE-RA data and IWW Data Subjects’ Personal Data:

    Throughout this sub-section, ‘IWW’ will stand for ‘IWW WISE-RA’.

    As an individual IWW Data Processor or as an agent / personnel member of an authorised third party Data Processor of the IWW:

    • I will use firewalls to protect my internet connection. This will be my first line of defence against an intrusion from the internet.
    • I will choose the most appropriate secure settings for my devices and software. Most hardware and software will need some level of set-up and configuration in order to provide effective protection.
    • I will keep my software and devices up-to-date. Hardware and software needs regular updates to fix bugs and security vulnerabilities.
    • I will install up-to-date, industry standard anti-virus and anti-malware software on all my devices to optimally protect my devices from viruses and other malware. I will choose the most appropriate settings of this software to optimise security. I will keep my anti-virus and anti-malware software updated to the latest version at all time. I will keep my anti-virus/anti-malware definition files fully and regularly updated. I will perform regular virus/malware scans on my devices at least once a week.
    • I will ensure that no one other than myself can access IWW data and online platforms via my devices or using my IWW login credentials, unless otherwise authorised by the IWW. I will not allow other users to use my devices while my devices remain logged in to any IWW platforms, unless otherwise authorised by the IWW. I will restrict access to my devices to users and sources I trust.
    • I will ensure that my login passwords for IWW systems are as strong as possible — at least 16 characters and including random strings of: numbers, small and capital letters, and special characters such as %,^,&,*,(,),$,#,@, or !.
    • I will keep my passwords stored securely in password management applications (and use two factor authentication to secure my password management application). (We recommend using the open source KeepassXC password manager (https://keepassxc.org/)).
    • I will never share my passwords for accessing IWW data processing platforms (e.g., the membership database, members’ area, Interwob Forum, Wobchat, IWW Nextcloud) or any other password-based access that is not intended for use by anyone other than myself. IWW email account passwords may sometimes need to be shared with a co-officer or co-role-holder for shared use; in such cases I will only ever share those passwords using secure, encrypted communications (see step-by-step instructions for this.).
    • Excluding some exceptions detailed in this Policy, I will never share or send my passwords or share, send or process any personal data under the IWW’s responsibility over unencrypted internet connections, email, messaging, voice calls or any other mode of unencrypted/unsecured communications. I will not send unencrypted emails or messages containing IWW passwords or any personal data under the IWW’s responsibility, even to myself as a “note to self.”
    • I will only use the data processing or communications tools/platforms/accounts that the IWW has assigned and/or authorised me to use for all my processing/communications of IWW business or of personal data for which the IWW is the Data Controller. I will only use other data processing and communications methods if I obtain authorisation from the IWW Data Protection Officer (DPO), or obtain the explicit and informed (written and recorded) consent of the Data Subject. If I am an agent of an IWW authorised third party data processor organisation, I will only use the data processing and communications tools and platforms provided by the IWW or by that organisation. This means, for example, that if I am only given access to the Interwob moderator tools, I will only process the personal data within Interwob and will not export it or communicate it outside of the Interwob platform without further authorisation from the IWW DPO or the Data Subject’s consent; or, for example, if I am given access to the IWW membership database and an IWW email account, I will only use those tools to process the personal information and will not process it outside of those platforms; unless otherwise allowed in a manner described further below, or allowed by further authorisation by the IWW DPO or through consent of the Data Subject.

    • If I am given an IWW email account, I will not set a forwarder from my IWW email account to an email account belonging to a third party platform or organisation that is not an IWW-authorised Data Processor (e.g., my personal gmail account), and I will never use such an unauthorised email account to send emails using an IWW email alias. The IWW IT Committee does not allow the use of aliases or forwarders linking with any unmandated/unauthorised external email accounts, for data protection reasons. Likewise, if I am an agent or personnel member of an IWW-authorised third party Data Processor organisation and I am given an official email account by that organisation, I will not set a forwarder from that official email account to an email account belonging to a third party platform or organisation that is not an IWW-authorised Data Processor, and I will never use such an unauthorised email account to send emails using an alias of an official and authorised email account’s address.
    • If I am given access to the IWW Membership Database, when sending emails to multiple recipients who are IWW Data subjects (i.e., “bulk emails” or “mass emails”) I will normally use the IWW Membership Database bulk mailer. Otherwise when using an authorised email client and email account, I will use the BCC field for the personal email addresses of all recipients; never the “To:” field; to prevent recipients being able to see other recipients’ personal email addresses.
    • I will not include the personal data of any IWW Data Subject in emails sent to persons who are not bound by an IWW DPA without the explicit and informed (written and recorded) consent of the Data Subject in question.
    • Except where other sections of this document allows alternative methods (e.g., using my personal phone or the Signal app), I will only use IWW email accounts (or official email accounts provided by IWW-authorised third party Data Processor organisations) for all casework-related or complaints-process-related messages, or any communications relating to IWW internal business or an IWW Data Subject’s personal data; whether it is for communicating with any person on behalf of the IWW about their case or their personal data; communicating with their employer or co-workers about their case or personal data; or communicating with other IWW role holders about their case or personal data. I will never email any personal data of IWW Data Subjects from unmandated/unauthorised personal email accounts or email accounts provided by third party platforms or organisations that are not authorised as IWW Data Processors without the Data Subject’s explicit and informed (written and recorded) consent. I will never email any personal data of IWW Data Subjects to non-IWW-authorised email accounts, including the non-official / personal email addresses belonging to authorised IWW Data Processors, except with the explicit and informed (written, recorded) consent of the Data Subject, and will only ever do so if strictly necessary.
    • If I am an internal IWW WISE-RA officer/role-holder who has signed an IWW DPA, or I am an authorised IWW WISE-RA Communications Administrator, Membership Administrator or Finance Administrator and bound by an IWW DPA, I can use my personal telephones and telephone numbers to make regular (phone number to phone number) voice calls and send SMS messages directly to IWW Data Subjects on behalf of the IWW, for the Data Processing purposes of running the IWW as a Trade Union, as outlined in the section of the “IWW Privacy and Data Protection Policy” titled “Personal data we may collect and the purposes for which we process it”. the Signal app may also be used for end-to-end encrypted messaging and voice-over-internet calls for the same purposes. Where possible, the Signal app should be given preference over unencrypted voice calls and messaging.
    • If I am bound by an IWW DPA, I may use Signal end-to-end encrypted messaging and voice-over-internet calls to communicate only with other authorised IWW Data Processors about IWW business and IWW Data Subjects’ personal Data.
    • I may not use any mobile messaging or voice-over-internet apps other than Signal for the purposes outlined above unless explicitly authorised by the IWW Data Protection Officer (DPO) and mandated by a relevant body of the IWW, or unless the Data Subject provides their explicit and informed consent to do so.
    • I must must not keep the personal Data of IWW Data Subjects, including the contact details of call, SMS, Signal-messaging or Signal-call recipients or the contents of SMS or Signal messages stored on my devices longer than is necessary for fulfilling my IWW mandated work, unless I have the explicit and informed (written and recorded) consent of the Data Subject to retain the data for longer on my devices.
    • I will avoid, where possible, storing any IWW Data Subject’s personal data and/or IWW business data on my devices unless reasonably necessary to perform my assigned role and for the strict data processing purposes assigned to me by the IWW, and if I do so, I will only store such data on password-protected, encrypted hard drives and storage systems/devices, or in encrypted files. I will delete this data from my devices as soon as I no longer require it. IWW Data Subjects’ Personal Data and IWW business data should best be stored on the Interwob forum (only in so far as it is data generated on Interwob), or the IWW Membership Database or Nextcloud file repository rather than on personal devices. If I run the IWW’s Nextcloud app on my devices to synchronise file storage between the IWW Next Cloud and my device, I will do so securely and only on password-protected and encrypted devices.
    • I will regularly back-up my data to password protected, encrypted storage (for any IWW Data, only on personal or authorised Data Processor organisations’ hard disks, thumb drives, SD cards, etc, NOT on cloud based storage except the IWW Nextcloud file repository or other IWW-authorised/mandated cloud storage solutions or if using encrypted containers as outlined further below). Regular backups of important data will ensure it can be quickly restored in the event of disaster or ransomware infection. I will NOT and will NEVER use third-party cloud based storage/backup services that are not IWW-authorised/mandated for backing up IWW data unless the data is stored in robustly encrypted containers. The encrypted containers must be created and encrypted directly by myself or an authorised IWW Data Processor prior to storage, not created or encrypted by the cloud service provider or directly on the cloud service, and the encryption keys must be known only to me or other authorised IWW Data Processors and not known or accessible to the cloud service provider. (You can freely use third-party cloud storage to back up your own devices’ systems and files, but should always ensure your backups are password protected/encrypted on those platforms).
    • I will never share or send IWW business data or IWW Data Subjects’ personal data under my care with/to anyone who is not bound by an IWW Data Processors’ Agreement, except where formally authorised/mandated by the IWW (namely the IWW DPO) or done with the concerned Data Subject’s explicit and informed (written and recorded) consent. If I do share or send IWW Data with an authorised recipient, I will only do so on a strictly need-to-know basis and only for the purposes for which the data has originally been collected (as explained to the Data Subject when it was collected). In all cases I will send/share only the data that is strictly necessary for the task, only for the stated purposes it was collected, minimising the data I send, and pseudonymising or anonymising it whenever possible.
    • When sharing or sending IWW data, especially an IWW Data Subject’s personal data to an authorised recipient: I will only send it from/via communications accounts/platforms/channels authorised and/or issued by the IWW (e.g., an IWW-issued email account or phone number, or a phone number or email account issued by an IWW-authorised Data Processor organisation), and will only transmit it to a recipient address/number/platform/channel that is authorised by the IWW or by informed (written, recorded) consent of the Data Subject concerned.
    • I will never process or collect IWW Data Subjects’ personal information on any third-party data processing, social networking or cloud platform that is not explicitly authorised by the IWW via a formal Data Processing Agreement with that third party, or authorised by the IWW DPO and formally mandated for use by the IWW WISE-RA body that the data corresponds to, and/or the Data Subject has provided explicit, informed (written, recorded) consent to their data being used in this way. For example, I will never collect personal data on, nor copy personal data to, Google Spreadsheets, Survey Monkey surveys, Dropbox, Google Drive or any other online/cloud data processing/data-collection/survey/file-sharing/storage application, nor use such applications to share the data or collaborate on data processing with other persons (unless the IWW WISE-RA Data Protection Officer has authorised it, AND there is explicit, minuted mandate by the IWW WISE-RA body whose data is concerned, AND/OR explicit, informed, recorded consent by all the Data Subjects whose data is concerned, which allows me to do so. cf. the IWW Privacy and Data Protection Policy for more details on the procedures required to use third party data processing platforms). The only allowed exception for the use of third-party cloud storage/backup of IWW business data and IWW Data Subjects’ personal information is where the data is stored in robustly encrypted containers, created and encrypted independently of the cloud service, as detailed above in this Policy.
    • If an authorised and mandated third-party platform is used to process personal data, I will use strong passwords, secured with an appropriate password management system, and employ two factor authentication to secure my access to that platform. I will furthermore ensure that Data Subjects can have their data removed from that platform at any time and that they know how to do so.
    • I will never share, post or cross-reference the personal data under my care using any social media or social networking platform such as Facebook, Discord, Twitter, etc. in a manner that directly or indirectly reveals/shares the data with third parties (unless this is authorised via an IWW Data Processor Agreement with that third party, or there is an explicit, minuted mandate by the IWW WISE-RA body whose data is concerned, AND formal authorisation by the IWW DPO, AND/OR explicit, informed and recorded consent by all the Data Subjects whose data is concerned, which allows me to do so).

    ⚠ Minimal Organisational TOMs we Require our Third Party Data Processor Organisations to Implement

    ⚠ This section specifies the minimal Technical and Organisational Measures that third party Organisational Data Processors authorised by the IWW WISE-RA are required to implement whenever accessing and processing IWW WISE-RA data and IWW Data Subjects’ Personal Data:

    The Data Processor agrees to implement and maintain the following Technical and Organisational Measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the UK GDPR and the specific requirements of the Union’s IT infrastructure. These measures are designed to protect the confidentiality, integrity, and availability of personal data processed on behalf of the IWW.

    1. Information Security Policies
    • Policy Maintenance: Maintain and implement a documented information security policy that includes guidelines to safeguard the confidentiality, integrity, and availability of Union Data.
    • Documented Procedures: Ensure that these policies include specific and formally documented provisions and procedures for access control management, systems configuration and maintenance, data encryption, maintenance of information systems’ physical security, systems and network security and functionality monitoring, vulnerability and patch management, security incident management, and backup and recovery protocols.
    • Enhanced Confidentiality Measures: Implement specific measures to protect all confidential information, ensuring it is not disclosed without prior written consent from the Data Controller.
    • Regular Reviews: Review and update policies regularly, especially in response to changes in Union requirements or the Data Processor’s role.
    2. GDPR Compliance / Regular Audits and Compliance Reviews
    • Designated Security Leader: Designate an Information Security Leader / Data Protection Manager / Data Protection Officer responsible for overseeing and implementing these security measures. Provide the name and contact information of this individual to the Union.
    • Compliance with Standards: Comply with specific security standards as required by the Data Controller, such as ISO 27001 or other relevant certifications. Provide evidence of compliance, including certificates or audit reports.
    • Internal Audits: Conduct regular internal audits of security practices and controls, particularly regarding the processing of Union Data.
    • Audit Reporting: Provide the Union with the results of security audits or compliance reviews.
    • Third-Party Audits: Allow for and contribute to audits and inspections conducted by the Data Controller or an auditor mandated by the Data Controller.
    • Documentation Provision: Provide documentation and evidence upon request to the Data Controller to demonstrate compliance with the Technical and Organisational Measures.
    • Records of Processing Activities & Register of Systems: Maintain an accurate and regularly updated Register of Systems, including records of all categories of Processing activities carried out on behalf of the Data Controller, Processing purposes, third-party recipients of the Personal Data, data storage locations, Personal Data transfers, data retention period, any related Data Processor Agreements governing the processing, and a description of the security measures in place. The Register of Systems should be made available upon request.
    • Assistance with DPIAs: Assist the Data Controller in conducting Data Protection Impact Assessments when required under Article 35 of the UK GDPR, providing necessary information to the Data Controller about processing activities and potential risks.
    • Data Subject Rights Assistance: Assist the Data Controller in responding to Data Subject requests under the UK GDPR, ensuring timely provision of information required to fulfill such requests. Refrain from responding directly to Data Subjects unless authorized by the Data Controller.
    • DPO Cooperation: Cooperate with the Data Controller’s Data Protection Officer, providing access to necessary information to perform their duties effectively.
    • Regulatory Cooperation: Cooperate fully with the Information Commissioner’s Office (ICO) or other relevant Regulatory Authorities in the performance of their tasks. Provide the Data Controller with prior notice unless otherwise mandated by legislation or the Regulatory Authority. Keep the Data Controller informed at all times of ongoing communications with Regulatory Authorities.
    3. Personnel and Data Access Policies
    • Security Awareness Training: Provide basic security awareness training as well as Security Incident response training for all personnel during onboarding and periodically thereafter.
    • Termination Procedures: Implement appropriate termination procedures for personnel with access to information systems, ensuring access rights are promptly revoked upon termination or role change.
    • Third-Party Access Control: Implement appropriate access control procedures for external parties granted access to information systems.
    • Confidentiality Agreements: Require all personnel, including employees and subcontractors, to sign confidentiality agreements to protect union data and ensure compliance with UK GDPR.
    • Outsourcing Restrictions: Do not outsource information security functions or data processing functions to third parties without prior approval from the Union.
    • Liability Insurance: Maintain appropriate liability insurance, including cyber liability insurance, in addition to general liability insurance.
    • Geographical Compliance: Ensure that all personnel and physical office locations comply with UK Data Protection Legislation.
    4. Access Control
    • User Access Management: Ensure that access to Union Data is granted strictly based on role and necessity, particularly for sensitive Personal Data and Special Category Data.
    • Authentication/Verification Protocols: Use robust authentication methods, including multi-factor authentication (MFA), combined with Access Control Lists for systems that contain or control access to Union Personnel and Members’ Personal Data and platform permissions, preventing unauthorized actions.
    • Access Reviews: Regularly audit user access levels to ensure that only authorised Union personnel, members, and Data Processor staff have appropriate access to sensitive areas.
    • Activity Logging and Monitoring: Log all administrative activities related to user permissions, data access, and system changes. Monitor these logs for unusual or unauthorised access.
    5. Data Minimisation and Retention
    • Data Limitation: Ensure that Union Data Processed within the Union’s systems or the Data Processor’s systems is limited to what is necessary for the specific tasks defined in the contract.
    • Retention Policies: Implement appropriate data retention and deletion policies to ensure Personal Data is only retained for as long as necessary.
    • Secure Disposal: Securely delete or anonymize Personal Data when no longer required.
    • Data Return or Deletion: Upon termination of services, return all Union Data & Personal Data to the Data Controller or securely delete it as instructed, providing confirmation of deletion.
    6. Pseudonymisation and Anonymisation
    • Data Protection Techniques: Where applicable, implement pseudonymisation and anonymisation techniques for Personal Data within Union or Data Processor systems or during any data extraction, especially if used in analytics or reporting.
    7. Data Encryption
    • Data at Rest: Encrypt all Union Data including data stored on servers and backups, using strong encryption standards (e.g., AES-256).
    • Data in Transit: Ensure all data transmitted between systems is protected using secure communication protocols such as TLS 1.2 or higher.
    • Cryptographic Protocols: Issue public key certificates and/or obtain them from approved service providers.
    8. Physical Security
    • Access Restrictions: For physical infrastructure managed by the Data Processor (e.g., data centres), ensure access is restricted to authorised personnel only. Use mechanisms like key cards, biometric access controls, and physical surveillance.
    • Secure Off-Site Backups: Maintain off-site backups in physically secure locations to protect against physical threats like theft, fire, or damage.
    9. System Configuration
    • System Inventory: Maintain an accurate and current documented inventory of system components. Review and update this inventory regularly.
    • Configuration Management: Document and approve deviations from established configuration settings. Restrict or prohibit the use of non-essential functions, ports, protocols, and services.
    10. System Maintenance
    • Maintenance Monitoring: Monitor all maintenance activities.
    • Tool Control: Control and monitor all information system maintenance tools.
    • Activity Records: Maintain records for all maintenance and diagnostic activities.
    • Authorized Personnel: Maintain a list of authorised maintenance personnel. Ensure they have the required access authorisations.
    11. Systems and Network Security Monitoring and Vulnerability and Patch Management
    • Risk Mitigation: Implement measures to mitigate any identified risks as determined by Data Processing Impact Assessments (DPIAs), in coordination with the Data Controller.
    • Regular Security Testing: Regularly test, assess, and evaluate the effectiveness of Technical and Organisational Measures to ensure processing security.
    • Protective Measures: Implement firewalls, anti-virus software, and intrusion detection/prevention systems to safeguard the Union’s Data and both the Union’s and the Data Processor’s IT infrastructure.
    • Continuous Monitoring: Utilize a continuous monitoring strategy for information systems to detect attacks, potential attacks, and unauthorized use.
    • Network Monitoring: Ensure all network connections are monitored for suspicious activity.
    • Result Analysis: Analyze continuous monitoring results to identify and address security issues.
    • Vulnerability Assessments and Testing: Regularly assess systems for vulnerabilities, particularly systems where Union Data is stored/Processed, to prevent exploitation. Regularly test systems for vulnerabilities to prevent exploitation with periodic vulnerability scans and penetration tests on systems handling Personal Data, addressing any identified issues promptly.
    • Software Testing: Test software and firmware updates for effectiveness and potential side effects before installation.
    • Compliance Monitoring: Monitor security controls for compliance and take actions if components are deemed non-compliant.
    • Timely Patching: Apply security patches and updates in a timely manner. Implement patches categorized as “critical” within 72 hours of release.
    • Patch Management Process: Use Development, Test, QA, and Production environments during the patch management process.
    12. Vulnerability Awareness
    • Anti-Virus Protection: Ensure that systems have anti-virus software running with current, updated virus definition files.
    • Threat Intelligence: Subscribe to external security alerts, lists, and bulletins related to the information systems used.
    • External Security Alerts: Subscribe to external security alerts and advisories related to information systems.
    • Internal Security Alerts: Generate and disseminate internal security alerts, advisories, and directives as deemed necessary.
    13. Backup and Recovery
    • Regular Backups: Perform regular backups of critical systems, especially those containing Union Data.
    • Backup Security: Protect the confidentiality, integrity, and availability of backup information at storage locations.
    • Recovery Procedures: Regularly test recovery procedures to validate the ability to restore systems in the event of data loss, corruption, or breach.
    • Contingency Planning: Ensure recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
    • Alternate Storage Site: Utilize an alternate storage site to permit the storage and recovery of backup information, providing equivalent security safeguards as the primary site.
    • Alternate Communication Means: Ensure alternate forms of telecommunication are available should primary means be unavailable.
    14. Incident Management and Breach Notification
    • Incident Response Plan: Implement an incident response plan to manage Security Incidents or Personal Data breaches involving Union Data.
    • Incident Response Training: Provide staff with incident response training to respond appropriately and immediately to information spillages.
    • Immediate Reporting: Ensure that any Security Incident or Personal Data Breach related to Union Data or Union/Data Processor system functionality are reported to the Union’s Data Protection Officer, where feasible, within 24 hours of becoming aware of it, pursuant to DPA and Union Data Policy requirements.
    • Assistance: Provide all necessary assistance for breach reporting to the Information Commissioner’s Office (ICO) or notification to members as required by law.
    • Incident Tracking: Track and document all Security Incidents as part of continuous improvement.
    15. Sub-processor Management
    • Approval for Subprocessors: Obtain the Union’s approval before engaging any sub-processors to Process Union Data or administer the Union’s IT infrastructure pursuant to DPA and Union Data Policy requirements.
    • Equivalent Obligations: Ensure that any sub-processors are bound by equivalent security measures and Data Protection obligations as per DPA and Union Data Policy requirements.
    • Regular Audits: Regularly audit sub-processors to ensure compliance and keep the Union informed of any relevant audit results or findings.
    16. International Data Transfers
    • Approval for International Transfers: Obtain the Union’s approval before engaging in any international transfers of Union Data.
    • DPIA for International Transfers: Conduct a Data Protection Impact Assessment (DPIA) prior to proposed International Transfers. Share the DPIA results with the IWW Data Protection Officer for approval/rejection. International Transfers must not be performed if the DPIA’s conclusions are negative.
    • Transfer Compliance: Ensure that any transfer of Personal Data outside the UK or EEA complies with Chapter V of the UK GDPR, using approved transfer mechanisms such as Standard Contractual Clauses or Binding Corporate Rules.
    • Data Transfer Agreements: Enter into data transfer agreements as required to lawfully transfer Personal Data internationally.

    By adhering to these Technical and Organisational Measures, the Data Processor commits to protecting the IT infrastructure and Personal Data under the care of the IWW, ensuring compliance with UK GDPR and supporting the Union’s mission to safeguard its members’ rights and information.


    “`

    All persons or organisations who are authorised or mandated to process Personal Data on behalf of the IWW, including IWW role holders, volunteers, employees, staff, individual contactors, or third party contractor organisations, must sign a Data Processor Agreement (DPA) with the IWW, in which they commit to comply with our Privacy and Data Protection Policy, Technical and Organisational Measures, and with applicable data protection laws.

    The DPO, IT Committee and Communications Administrator must implement appropriate access control and access termination procedures for personnel or external parties with access to Union information systems, ensuring access rights are promptly revoked upon termination or role change.

    The DPO, IT Committee and Communications Administrator must ensure that access to Union Data is granted strictly based on role and necessity, particularly for sensitive Personal Data and Special Category Data.

    We use robust authentication methods, including (where possible/applicable/appropriate) multi-factor authentication (MFA), combined with Access Control Lists for systems that contain or control access to Union Personnel and Members’ Personal Data and platform permissions, preventing unauthorized actions.

    The Data Protection Officer, Communications Administrator and IT Committee regularly audit user access levels to ensure that only authorised Union personnel, members, and authorised Data Processor staff have appropriate access to sensitive areas.

    The Data Protection Officer, Communications Administrator and IT Committee maintain logs of all administrative activities related to user permissions, data access, and system changes. They monitor these logs for unusual or unauthorised access.

    The IWW WISE-RA Data Protection Officer (DPO) has the right to suspend access to Union IT systems or other information processing media immediately on suspicion of a breach of the terms of the Union’s Privacy and Data Protection Policy, a breach of DPA terms, or on suspicion of a data protection breach or any other lapse, negligence, breach or malfeasance with regard to the processing of Union data. The Communications Administrator and members of the IT Committee may do the same and shall notify the DPO immediately. All such incidents shall be reported to the next Delegates Executive Committee meeting.


    ⚠ Data Breaches

    Personal data Breach / Security Incident definition: any incident whatsoever and howsoever caused which results (or could potentially result) in: (i) unauthorised or unlawful processing of personal data, including any unauthorised reproduction, alteration, disclosure, sale, or any other misuse or exploitation of personal data; (ii) accidental loss, destruction, or corruption of, or damage to personal data; (iii) the confidentiality, integrity, or availability of personal data otherwise becoming compromised; or (iv) the Union or a Union Data Processor or service user breaching the Union’s Privacy and Data Protection Policy or related policies, or data protection legislation.

    Personal data breaches, data security incidents, and any failure to comply with data protection laws or IWW policies relevant to data protection can result in disciplinary and legal action against the IWW and/or the person who has perpetrated the breach, from the Information Commissioner’s Office or from individuals affected. The IWW is exposed to potential heavy fines for failure to comply with data protection law.

    Any such data breach, security incident or infringement of this Policy, related policies, or data protection laws shall be considered as a serious matter under the IWW WISE-RA’s Complaints and Disciplinary procedures.

    Disciplinary or legal processes addressing data breaches, data security incidents, or infringements of this Policy, related policies, or data protection laws, as concerns data processed by, or on behalf of the IWW WISE-RA, shall be governed by the law of England and Wales.

    IWW WISE-RA Data Processors must notify the IWW WISE-RA Data Protection Officer of any accidental or unauthorised access of the personal data, or any breach of IWW WISE-RA policies relevant to data protection and processing that they may become aware of.

    ⚠ Reporting a personal data breach or data security incident.

    Any suspected personal data breach, security incident, or breach of the present Policy or any related policies must be reported to the Union’s Data Protection Officer (DPO) without delay.

    The applicable legislation requires Data Controllers to notify any personal data breach to the Information Commissioner’s Office (ICO) and, in certain instances, the Data Subject. This will be done by the Society’s DPO.

    Where the Union acts as the Data Processor for third party Data Controller of the Personal data that is subject to the personal data breach or security incident, the Union’s DPO will immediately notify the Data Controller’s Data Protection Officer and implement their instructions.

    The DPO will keep accurate records, on the Union’s Membership Database, of all information and evidence relevant to the data breach or security incident. Access to these records will be restricted at the discretion of the DPO following data minimisation and need-to-know principles as outlined in this Policy and the applicable legislation.

    The DPO will conduct an investigation of any data breach or security incident and produce a Data Breach Report or Data Security Incident Report outlining the timeline, causes, effects/consequences, potential liabilities, damages and costs to all affected parties, and outlining proposed actions to address and mitigate the breach/incident, any proposed disciplinary measures on those responsible for the breach/incident, as well as proposed policy and procedure updates to prevent the recurrence of similar breaches/incidents.

    This report will be submitted to the IWW WISE-RA Secretary, Delegates Executive Council (DEC), and any complaint officer and complaints panel appointed to address the breach, as well as the ICO if legally or contractually required to do so.  

    The DEC will review the report’s proposals and the DPO will implement (or direct relevant Data Processors to implement) any of the actions, proposals, and amended proposals that the DEC decides to enact as a result of this process.

    In case of a data breach or security incident, the Union’s DPO will notify, and act as the main point of contact, with the affected Data Subjects, members and service users, Data Controllers, and/or the ICO where we are legally or contractually required to do so.

    If you know or suspect that a personal data breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the DPO, and follow the DPO’s instructions. You should preserve all evidence relating to the potential personal data breach or data security incident, as it will need to be attached to the data Data Breach Report or Data Security Incident Report.


    ⚠ Enforcement

    Any data breach, security incident or infringement of this Policy, related policies, or data protection laws shall be considered as a serious matter under the IWW WISE-RA’s Complaints and Disciplinary procedures.

    Disciplinary or legal processes addressing data breaches, data security incidents, or infringements of this Policy, related policies, or data protection laws, as concerns data processed by, or on behalf of the IWW WISE-RA, shall be governed by the law of England and Wales.

    Infringing data protection laws or policy is a disciplinary offence and will be dealt with by the WISE-RA complaints and disciplinary procedures as appropriate.

    The IWW WISE-RA Data Protection Officer (DPO) has the right to suspend database and any other access to Union IT systems or other information processing media immediately on suspicion of a breach. The Communications Administrator and members of the IT Committee may do the same and shall notify the DPO immediately. All such incidents shall be reported to the next Delegates Executive Committee meeting.


    Sharing of information

    We may disclose information about you to IWW officers, staff, organisers, and workplace representatives, insofar as reasonably necessary for the purposes as set out in this privacy policy.

    ⚠ In the context of an official IWW WISE-RA complaints process, investigation or mediation process, when an officially appointed or elected mediation officer, complaints officer, investigating officer or the members of an appointed investigation or complaints panel require access to personal data to complete their mandated duties, they will, as all other Data Processors, be required to sign a Data Processor Agreement (DPA), and the Data Protection Officer should record their authorisation for the data access with their approval of the DPA. When personal information is sought in this way, the mediation officer, complaints officer, investigating officer or the members of an appointed investigation or complaints panel may, at their discretion, opt to not inform the Data Subject about their access to the Data Subject’s personal data, if they deem this to be in the legitimate interest of the Union and conducting the process fairly and successfully. However, when information has been sought in this way, the Data Processors must inform the member at the end of the process (and in advance of relevant formal meetings), even if no further procedure or action is taken.

    We may need to disclose limited information about you to Webarchitects, the web service cooperative that hosts our website, email list and email servers, in order to administer our websites and provide our online services for members.

    If you make monthly recurring membership dues payments through our payment provider, you will be sharing your payment details with our third-party payment processor, GoCardless.

    We may need to disclose information about you to third party contractors or services we use for any of the data processing purposes listed above; for example, to maintain or upgrade our IT systems and membership database. Where this is necessary, we ensure appropriate data protection measures are in place.

    If you purchase items on our online shop, you may need to provide your payment details to PayPal or we may need to share your payment details with another card payment processor. We will also need to share your name and shipment address with the Royal Mail or other courier or postal services we might use to send you the goods you purchase.

    The IWW will not disclose any of your personally identifiable information to any other third party unless it is justified by:

    • the lawful basis of pursuing our legitimate interests as a trade union;
    • or it is necessary to fulfil our contractual obligations;
    • or we have your explicit consent to do so;
    • or it is necessary to protect someone’s life;
    • or we are required to do so by law.

    ⚠ Generally, we are not allowed to share personal data with third-parties unless certain safeguards and contractual arrangements have been put in place.

    ⚠ Our Data Processors may only share the personal data we hold with another IWW Data Processor if the recipient has signed an IWW WISE-RA Data Processor Agreement and has a job-related need to know the information.

    ⚠ In addition to the justifications for sharing personal data listed above, we may only share the personal data we hold with third parties, such as our service providers if:

    • they have a need to know the information for the purposes of providing contracted services;
    • sharing the personal data complies with the Privacy Notice and Privacy and Data Protection Policy provided to the Data Subject and, if required by the present Policy, the Data Subject’s consent has been obtained;
    • the third-party’s data processing systems comply with the required data security standards, policies and procedures and use of the third-party’s data processing services is authorised by the IWW WISE-RA Data Protection Officer and formally mandated by the IWW’s governing bodies, and/or the third-party service provider puts adequate security measures in place by entering into a Data Processor Agreement (DPA) with the Union;
    • sharing the personal data complies with any relevant or applicable DPA between the Union and the third-party Data Controller / the Data Processor / the Data Subject (as relevant to the specific circumstances) that is the source or initial provider of the data;
    • the data sharing constitutes a data transfer that complies with any applicable cross border transfer restrictions.

    ⚠ Using, and sharing data with third-party communications/data-processing platforms and services

    No discussion or decision-making about internal union business, and no discussion or processing of personal data under the care of the IWW WISE-RA should be done on third-party communications or data-processing platforms, unless it is first authorised by the Union’s Data Protection Officer and then formally and democratically mandated by the Union or a constitutive body of the Union to which that data strictly pertains.

    WISE-RA bans posting, discussing or revealing the following information on any non-mandated third-party platform:

    • any information that would constitute a breach of union rules covering mutual consent, safer spaces, confidentiality, trust, data protection and communications channels usage rules;
    • any Union discussions, decision-making, information or affairs that are currently held on, or for which the principle of ensuring optimal data-protection / data-security / operational-security would dictate that they should best/only be held on IWW WISE-RA controlled communications or data-processing channels;
    • information about disputes or complaints that are or should be subject to the union’s internal complaints/mediation process, or that is embargoed as a result of the union’s complaints/mediation process;
    • any member’s or IWW WISE-RA Data Subject’s personal data, including their name, links to their social media accounts, photos, or any other personally identifying information, unless such
      information is posted or revealed with that member’s explicit consent.

    Membership data and any personal data under the care of the IWW WISE-RA must not be used for the purposes of administering third-party communications or data-processing platforms, unless it is first authorised by the Union’s Data Protection Officer (DPO) and then formally and democratically mandated by the union or a constitutive body of the union to which that data strictly pertains.

    ⚠ Mandating the use of membership data for the purposes of administering third party platforms is
    discouraged. Likewise, Mandating the use of third-party platforms to discuss or decide internal union business is discouraged. IWW-controlled, internal communications platforms and tools should be given priority preference for all IWW communications and data processing.

    ⚠ When a third-party communications platform or a third-party Data Processor is proposed/envisaged for use and data sharing, including where international transfers of data would be involved, the DPO will conduct a Data Protection impact Assessment (DPIA), to assess whether:

    • the proposed processing can be considered necessary and proportional in relation to its purpose;
    • an existing communications or data processing platform/tool fully controlled by the IWW WISE-RA can adequately fulfill the same functions;
    • a communications or data processing platform/tool fully controlled by the IWW WISE-RA can be built in a reasonable amount of time to fulfil the same functions;
    • The proposed third-party platform has data-protection / data-security systems and provisions that are compatible with the Union’s Privacy and Data Protection Policy, any other related policies, and the applicable legislation as it applies to the Union’s processing of personal data;
    • Using the proposed third-party platform does not entail any unacceptable operational security risks, risks to personal data under our care, data protection or other liabilities, or lessen our ability to defend the Union and it’s members’ legal rights;
    • using the proposed third-party platform does not undermine the Union’s archival, transparency and accountability requirements, the Union’s democracy, and members’ democratic rights to access and participate in discussions and decision making;
    • the IWW body that proposes to use the third-party platform demonstrates that it will observe good data-security, data-protection and operational security practices when using the platform, in accordance with the union’s relevant policies;
    • the IWW body that proposes to use the third-party platform demonstrates that it will ensure the platform is properly and transparently moderated in accordance with the WISE-RA Data Protection, Safer Spaces, and communications policies;
    • the IWW body that proposes to use the third-party platform demonstrates that it can ensure that all required risk mitigation measures are in place and will be complied with.

    The DPIA can remain informal and unwritten if the assessment leads the DPO to conclude that the proposal to use a third-party platform should be rejected. the DPIA only needs to be recorded in writing if the proposed platform is approved.

    A written DPIA will also contain a description of the processing, its purposes, and the lawful basis for the processing.

    If the DPO concludes that the proposed third-party platform does not meet the required criteria and standards, it will be either rejected or only authorised for use only until an IWW WISE-RA controlled platform can be used instead, or the DPO may propose and authorise an alternative third-party platform.

    ⚠ Where possible, non-commercial, open-source platforms should be given preference for both IWW controlled platforms and third-party platforms.

    If third-party platforms are mandated for the above purposes, members (or non-member users) should not be opted-in by default: in order to participate, each individual user must explicitly opt-in based on informed consent, in such a manner that remaining opted-out is the default.

    Consent for opt-ins to third-party platforms must be collected and recorded via the IWW WISE-RA Membership Database.

    ⚠ When any constitutive body of IWW WISE-RA mandates a third-party communications or data-processing platform, they should contact the union’s Communications Administrator, who will provide technical support to ensure that the proper opt-in consent collection form is used. The Communications Administrator will also make sure the WISE-RA Data Protection Officer and IT Committee are informed.

    Content forthcoming.

    Transfers overseas

    We do not routinely transfer your data outside of the UK or the European Economic Area. Where this is necessary, we ensure appropriate data protection measures are in place.

    The IWW Interwob Forum is an online discussion platform whose use is shared with the membership of other IWW Regional Administrations (RA) and Regional Organising Committees (ROC) that are outside the United-Kingdom and European Economic Area (EEA). These non UK and non EEA based IWW RAs and ROCs are administratively separate from IWW WISE-RA but part of the same worldwide confederation of IWW unions.

    Members of these non UK and non EEA IWW Administrations who access and use the Interwob Forum may be able to read the contents of some posts made by IWW WISE-RA Interwob Forum users, and see their Interwob usernames and profiles.

    Interwob users have the option of using personally non-identifying usernames, and default usernames and user profile settings do not expose personally identifying data beyond the user’s first name and membership number.

    The Interwob Forum is accessible only to members in Good Standing of IWW RAs and ROCs.

    All Interwob Forum moderators and Administrators who can access personally identifying user data, including those residing outside the EEA, must sign an IWW WISE-RA Data Processor Agreement before they obtain moderator or administrator access, in order to ensure their compliance and accountability to UK and EU GDPR data protection laws and IWW WISE-RA data protection policies. 


    The applicable legislation restricts data transfers to countries outside the European Economic Area (EEA) in order to ensure that the level of data protection afforded to individuals by the applicable legislation is not undermined. You transfer personal data from one country to another when you transmit, send, view or access that data in or to a different country.

    it is necessary to conduct a Data Protection Impact Assessment (DPIA) prior to approving International Transfers. The procedures for conducting such DPIAs are detailed in the “IWW WISE-RA Privacy and Data Protection Policy” section titled “Using, and sharing data with third-party communications/data-processing platforms and services”. International Transfers should not be performed if the DPIA’s conclusions are negative.

    No international transfers of Union Data can be performed without the prior formal approval of the IWW WISE-RA Data Protection Officer.

    The IWW WISE-RA will not normally transfer Personal data outside UK or EEA, except if one of the following conditions applies:

    • it is necessary to process the details of members residing outside the EEA;
    • in connection with members travelling abroad or otherwise engaged in international solidarity work;
    • As necessary to fairly conduct elections involving IWW WISE-RA organisations outside the EEA, and only where there is a Data Processing Agreement between relevant organisations which meets the requirements of the present Policy, the applicable data protection legislation, and our legal obligations;
    • the UK ICO or another relevant regulatory authority has issued a decision confirming that the country to which we transfer the personal data ensures an adequate level of protection for the data subjects’ rights and freedoms;
    • appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the the UK ICO or another relevant regulatory authority, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the Union’s DPO if applicable;
    • the Data Subject has provided explicit consent to the proposed transfer after being informed of any potential risks;
    • where the Union acts as the Data Processor for a third party Data Controller of the personal data concerned, and where the contract for services or Data Processor Agreement between the Union and the Data Controller explicitly authorises the transfer; or
    • the transfer is necessary for one of the other reasons set out in the applicable legislation, including the performance of a contract between us and the Data Subject; the performance of a contract with a third party Data Controller of the personal data concerned; reasons of public interest; to establish, exercise or defend legal claims or to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving consent; and, in some limited cases, for our legitimate interests.


    Automated processing, profiling and decision making

    We may implement various limited forms of automated processing. This may involve automations for the following purposes:

    • Automations and automated analytics to organise, structure, manage and analyse various forms of personally identifiable and non-personal data, to save time on manual data processing, improve our administrative work, or to enable and improve the functionalities and security of the information technology tools we use or the online services we build and maintain.
    • We may employ automation to erase/anonymise/delete personal data that we no longer need to retain, after the data retention period expires.

    None of the automated processing currently employed by the IWW involves profiling in a manner that could result in legal effects or consequences that significantly affect any individual.

    The IWW does not currently perform any automated decision-making, nor any form of human decision making based on automated processing or profiling that may result in legal effects or consequences that significantly affect any individual.


    The Union shall avoid any form of automated decision-making that has a legal or similar significant effect on our Data Subjects, unless absolutely necessary for our legitimate interests, or our legal or contractual obligations, and it complies with the applicable legislation.

    Automated Decision-Making, definition: when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. The applicable legislation prohibits Automated Decision-Making (unless certain conditions are met) but not Automated Processing.

    Automated Processing definition: any form of Automated Processing of Personal data consisting of the use of Personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing.

    Generally, automated decision-making is prohibited when a decision has a legal or similar significant effect on an individual unless:

    • a Data Subject has explicitly consented;
    • the processing is authorised by law; or
    • the processing is necessary for the performance of or entering into a contract.

    If certain types of special category data are being processed, then grounds (b) or (c) will not be allowed but such special category data can be processed where it is necessary (unless less intrusive means can be used) for substantial public interest like fraud prevention.

    All the personal data processed by the Union should be considered as special category data, insofar as it is related to the Data Subjects’ membership in the IWW as a union, or relationship to the IWW as a union (union membership, and people’s political or philosophical views, including sympathy with unions, are identified by the applicable legislation as special category data).

    If a decision is to be based solely on automated processing (including profiling), then Data Subjects must be informed, when we first communicate with them, of their right to object. This right must be explicitly brought to their attention and presented clearly and separately from other information.

    We must inform the Data Subject of the logic involved in the decision making or profiling, the significance and envisaged consequences and give the Data Subject the right to request human intervention, express their point of view or challenge the decision.

    A Data Protection Impact Assessment must be carried out before any automated processing (including profiling) or automated decision-making activities are undertaken.



    Emails to members and promotional communications (‘direct marketing’)

    We use the postal, email and telephone contact data we have about our members to provide them with information and updates about the IWW’s activities, internal democratic processes, internal discussions, campaigns, and services. We do this on the lawful basis of pursuing the IWW’s legitimate interests as a trade union.

    General information emails that we send to our members from our membership database bulk mailer are tracked. This helps us to ensure that you only receive emails from us that are of interest to you.

    You can opt-out/unsubscribe from receiving emails and communications from us at any time. Opt-out/unsubscription methods will be accessibly signposted in our regular communications. Members can unsubscribe from general information emails sent via our database mailer at anytime by clicking the email opt-out link at the bottom of our emails.

    If you choose to opt out from general information emails, we will retain the right to send you a minimal number of important communications for the purposes of pursuing the legitimate interests or meeting the statutory requirements of the IWW as a trade union (namely information that we are legally required to send to our members: about union ballots and our Annual Returns Statement).

    We may also occasionally engage in promotional communications with non-members who have explicitly opted-in or subscribed to receive updates and information from us, or who have contacted us in the past to enquire about our activities and services. When we do this, we will always explicitly offer the right to object to further promotional communications.

    We will never share your contact details with any third-party service providers or data processors for promotional, marketing or advertising purposes.


    We can contact and send regular communications to IWW members on the lawful basis of the IWW’s legitimate interests as a trade union, and thus do not need to base such contact or regular communications on consent.

    Concerning non-members, a Data Subject’s prior consent is required for electronic direct marketing (for example, by email, text or calls, particularly automated calls). The limited exception for existing non-member contacts, known as “soft opt in”, allows organisations to send marketing texts or emails if they have obtained contact details in the course of a prior business interaction or exchange with that person (i.e., in our case, any interaction that is relevant to our mission or services as a union), they are marketing similar services, and they gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message

    For all our Data Subjects, members and non-members, the right to object to direct marketing must be explicitly offered in an intelligible manner so that it is clearly distinguishable from other information. A Data Subject’s objection to direct marketing must be promptly honoured. If a non-member opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future. For members, suppression is not necessary, but their opt-out preferences must be promptly implemented.



    User Accounts

    If you create or are given a user account on any IWW controlled online platform or service (such as an IWW email account, a Membership Database user account, or a Members' Area, Interwob forum or Wobchat user account), you are responsible for maintaining the security of your account and you are fully responsible for all activities that occur under the account. You must immediately notify IWW of any unauthorized uses of your account or any other breaches of security. IWW will not be liable for any acts or omissions by you, including any damages of any kind incurred as a result of such acts or omissions.

    When using IWW websites and communications tools, all account holders are expected to abide by the privacy and data protection rules and policies outlined on this page as well as IWW rules and policies concerning Safer Spaces, usage of our communications channels, and data security / operational security.

    Each user account provided by the IWW on its websites is intended for the exclusive and individual use of the authorized account holder. The account holder is the sole authorized user for their respective account, username, and password. The account holder must ensure the confidentiality of their account credentials and is prohibited from sharing their password with any other individual or permitting any other individual to use their account.

    ⚠ IWW email account passwords may sometimes need to be shared with a co-officer or co-role-holder for shared use; in such cases passwords must pnly be shared with the other authorised users using secure, encrypted communications (see step-by-step instructions for this.).

    Excluding the exception outlined in the preceding paragraph, The sharing of user account credentials, including but not limited to the username and password, with any other person is strictly prohibited. Access and use of accounts by any person other than the intended account holder is strictly prohibited, whether the account credentials are willingly provided to another person or are acquired by another person through unauthorized means such as hacking or theft.

    Any instance of unauthorized access to a user account, regardless of whether such access is the result of intentional sharing of account credentials by the account holder or through unauthorized acquisition by a third party, will be considered a security breach and a violation of this Policy.

    In the event of unauthorized access to a user account, the IWW will initiate an investigation and take appropriate actions. This may include, but is not limited to, disciplinary measures in accordance with the IWW’s complaints process. Legal action may also be considered where applicable. The response to such incidents will be conducted in alignment with the severity of the breach and the specifics of the situation.

    Account holders are required to immediately notify IWW upon becoming aware of any unauthorized use of their account or any other breach of security related to their account. Prompt reporting is crucial to ensure timely and effective response to such incidents.


    User-posted contents and media

    User rights and responsibilities

    IWW members can post contents to the public facing website (which must be approved by site editors before it is published). Members can also post contents to internal members-only discussion areas, such as Wobchat, the InterWob Forum, or any IWW email lists they may be subscribed to. Members can upload files to the IWW Owncloud file repository. IWW roleholders may be granted IWW hosted email accounts from which they can send and receive emails.

    When using IWW websites and communications tools, members are expected to abide by the privacy and data protection rules and policies outlined on this page as well as IWW rules and policies concerning Safer Spaces, usage of our communications channels, and data security / operational security.

    Please do not post content revealing someone else's personal data without their prior consent.

    The IWW retains the right to revoke your access to any IWW members-access-only websites and email accounts and their contents, including personal IWW email accounts and website user accounts.

    Copyright advisory

    User contributions submitted to IWW controlled websites are protected under an “All Rights Reserved” copyright of the IWW WISE-RA. This is to protect our users' posted content from unauthorised misuse and publication. All rights regarding the distribution, reproduction, adaptation, and public performance of user contributions on IWW WISE-RA websites are retained by the IWW WISE-RA. Use of any content in any form without the explicit permission of IWW WISE-RA is strictly prohibited.

    Without limiting any of those representations or warranties, the IWW WISE-RA reserves the right (though not the obligation) to, in its sole discretion, (i) refuse or remove any content that, in the IWW WISE-RA’s reasonable opinion, violates any of the IWW WISE-RA’s policy or is in any way harmful or objectionable, or (ii) terminate or deny access to and use of the Website to any individual or entity for any reason, in the IWW WISE-RA’s sole discretion. the IWW WISE-RA will have no obligation to provide a refund of any amounts previously paid.

    User content precaution advisories and disclaimers

    All IWW members will be able to see and download any content that you post or upload to Wobchat, the InterWob Forum, the IWW Owncloud file repository or any other members-only IWW websites. IWW email list subscribers will be able to see and download any content that you post to those lists. Any content you post to the public website (once site editors publish it) will be publicly visible and can be downloaded by any visitor to the website.

    Please only post content you are comfortable sharing with these audiences.

    If you upload images to the websites you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

    The IWW has not reviewed, and cannot review, all of the material, including computer software, posted to its websites by users, and cannot therefore be responsible for that material’s content, use or effects. By operating its websites, the IWW does not represent or imply that it endorses the material there posted, or that it believes such material to be accurate, useful or non-harmful. As a user of our websites you are responsible for taking precautions as necessary to protect yourself and your computer systems from viruses, worms, Trojan horses, and other harmful or destructive content.

    IWW websites may contain content that is offensive, indecent, or otherwise objectionable, as well as content containing technical inaccuracies, typographical mistakes, and other errors. IWW websites may also contain material that violates the privacy or publicity rights, or infringes the intellectual property and other proprietary rights, of third parties, or the downloading, copying or use of which is subject to additional terms and conditions, stated or unstated. IWW disclaims any responsibility for any harm resulting from the use by visitors of its websites, or from any downloading by those visitors of content there posted.

    We have not reviewed, and cannot review, all of the material, including computer software, made available through the websites and webpages to which the IWW's websites link, and that link to the IWW's websites. The IWW does not have any control over those non-IWW websites and webpages, and is not responsible for their contents or their use. By linking to a non-IWW websites and webpages, the IWW does not represent or imply that it endorses such website or webpage. You are responsible for taking precautions as necessary to protect yourself and your computer systems from viruses, worms, Trojan horses, and other harmful or destructive content. The IWW disclaims any responsibility for any harm resulting from your use of non-IWW websites and webpages.

    Downloading, editing or deleting your content/posts from IWW websites

    Members can directly download, amend, or delete any content they have posted on Wobchat, the InterWob Forum, IWW's Owncloud, or that is stored in their IWW email accounts by visiting the 'My Membership' page of the IWW Members' Area website (access to this area is restricted to members only and requires a password).

    Public website contributors can amend their posts themselves and can contact website editors or the IWW IT Committee or IWW Data Protection Officer to publish the amended content.

    Members can ask their local branch officers or contact the IWW Communications Administrator to subscribe or unsubscribe their email address(es) to/from their local branch's email lists. IWW roleholders can contact the IWW Communications Administrator for support with subscription or unsubscription on IWW email lists.

    Please note that once you have sent an email, the recipient(s) of that email, including the subscribers of any IWW email list(s) you post to, will be able to read that email and download its contents, and this cannot be undone nor deleted from the IWW email list's message archive.

    By default, contents that you have emailed, posted or uploaded yourself via Wobchat, the InterWob Forum, the IWW Owncloud file repository, IWW email accounts and email lists, or any other IWW communications platform, will remain indefinitely stored and visible on those platforms, even if you are no longer a member, unless you delete them yourself or explicitly request their erasure.

    If you wish to erase content that you posted on any IWW member-only website such as the Interwob Forum or Wobchat, while you have access as a member, you must do so yourself using the available editing and deletion tools.

    ⚠ You are only entitled to delete posts that you have published in your capacity as an individual member. If you are or have been a formally elected or appointed IWW role-holder, you are not entitled to delete any posts that you have made in that capacity.

    If you are no longer a member and/or no longer have access to IWW member-only websites, you may request erasure of personal content by contacting the Data Protection Officer or Communications Administrator. If authorised by the Data Protection Officer, erasure will be implemented by anonymising the content rather than deleting it, as this counts as erasure under current data protection legislation. You may appeal to the Data Protection Officer to request full deletion of content, subject to adequate justification and authorisation by the Data Protection Officer.

    Erasure, anonymisation or deletion of posts may be refused if the contents are relevant to, or if you are subject to any formal internal process reasonably requiring the data to be retained, such as a formal complaint or investigation, or if the Data Protection Officer decides the data needs to be retained for any reason compatible with the present Privacy Policy or as provided by the relevant legislation or regulatory authorities. In such cases, if you are still an active member, your ability to directly edit and delete your posts may be temporarily or permanently blocked.

    Likewise, on third-party communications (or data processing) platforms where you have given your consent to the IWW to share your personal data in order to connect/subscribe you and communicate with you (e.g., Whatsapp or Signal chat groups, Slack Channels, Loomio, etc.), contents that you post may remain indefinitely stored there unless you take action to delete them yourself or request their erasure by that third party Data Controller. You can ask us us to remove the subscription/connection/contact-data, that you had initially given us to add/subscribe you to a third-party platform, and we will comply with your request (except in rare cases where we maintain a lawful basis to delay or refrain from doing so), but we cannot, on your behalf, erase the content you posted yourself from those platforms, and it is your responsibility to do so.

    If you require assistance with any of the above, including requests for your data to be erased from Wobchat, the InterWob Forum, the IWW Owncloud file repository, or IWW Email accounts, please click here to submit a request via the contact form in the IWW Members Area website (select the 'Personal data requests' category). (Access to this area is restricted to members only and requires a password).


    Social media

    The IWW and its various bodies use social media websites such as Twitter, Youtube and Facebook to promote their activities. We do not collect any personal data from social media profiles. We do not use your member data to target our social media posts or any social media advertising. We do not provide or sell members' data to third parties for the purposes of social media marketing or any other form of marketing or analytics.

    Occasionally, posts on our websites may contain social media buttons or links to social media sites. When you click on these buttons or links, these sites will be registering that action and may use your information.

    You should check the respective policies of each of these social media sites to see how exactly they use your information and to find out how to opt out, or delete, such information.


    Amendments to this policy

    We reserve the right to change this Privacy and Data Protection Policy at any time without notice to you. We will post revised versions of this Policy on the website at https://www.iww.org.uk/privacy

    IWW WISE-RA Data Processors should regularly check this page as a reference of data protection policies and practices, and to keep themselves informed of any policy changes.