What are the General Data Protection Regulations (GDPR)?
The GDPR are the updated regulations which govern the gathering, retaining, processing and transferring of personal data in the European Union. These regulations replace the Data Protection Act 1998 and go further than ever before to extend individuals’ rights where their own personal data is concerned.
Who are the Scottish Joint Industry Board (SJIB) for the Electrical Contracting Industry?
The Scottish Joint Industry Board was founded in 1969 by SELECT and Unite the Union. The principal objects of the Board are to regulate relations between employers and employees engaged in the industry in Scotland, to provide benefits for persons engaged in the industry in Scotland, to stimulate and further the progress of the industry, and in addition and in the public interest to regulate and control employment, the level of skill and proficiency, health and safety competence, wages and welfare benefits.
The SJIB’s contact details are:
The Walled Garden
Midlothian EH26 0SB
Tel: 0131 445 9216
The Data Controller for the SJIB is the Secretary of the SJIB Fiona Harper.
What is a GDPR Privacy Statement and why is it important?
This document sets out the rights and responsibilities (of the SJIB and ECS cardholders) associated with the gathering, processing, retaining and transference of personal data belonging to SJIB ECS cardholders.
As an SJIB ECS cardholder, the mechanisms and safeguards described in this policy apply to the personal data the SJIB hold about you (Data Subjects).
Where can I learn more about the General Data Protection Regulations?
To learn more, go to https://ico.org.uk
The GDPR affords data subjects certain rights, which are discussed with reference to the SJIB’s gathering, processing and transferring of personal data below.
The right to be informed
What personal data is collected?
The personal data the SJIB collect and retain about SJIB ECS cardholders comprises of the following:
- National Insurance number
- Phone number
- Date of birth
- Union membership number
- History of apprenticeship (if applicable)
- Grade card applications
- Qualified Supervisor (SELECT or NICEIC if applicable)
- Training courses
- Documents (scanned application forms and certificates).
Where does an individual’s personal data come from?
Data on SJIB ECS cardholders comes from the operative themselves when they apply for an SJIB ECS or when they update their personal data directly through the SJIB, or through card renewal. All of that personal data is collected, collated and stored by the SJIB.
SJIB ECS cardholders must provide the SJIB with certain pieces of personal data to enable them to discharge the contract with them, e.g. name, National Insurance number, educational attainment. While operatives are not under any statutory obligation to provide this personal data, if they choose not to the SJIB will be unable to issue an SJIB ECS card.
What are the legal bases for processing personal data?
The SJIB collects, processes and retains SJIB card holders’ personal data because the data is necessary to discharge a contract, necessary in the protection of the public interest, and by explicit consent.
What is personal data used for?
The SJIB use an individual’s personal data to update and maintain their records and to enable the SJIB to produce and issue the appropriate SJIB ECS card.
The personal data is also anonymised and used to compile management information reports for the SJIB National Board. This enables the SJIB to identify trends and monitor the number of Operatives working in the industry with valid SJIB ECS cards, which may form future SJIB strategies.
When legally required to, we may also disclose certain SJIB ECS card holders’ personal data to external agencies such as the police, Health & Safety Executive, and HMRC etc. Where we are not legally prevented from doing so, the SJIB will always seek to inform the SJIB ECS cardholder concerned that a disclosure is being made.
There is no automated decision-making or profiling built into our policies, procedures or software systems.
How is personal data stored?
Personal data is predominately stored in digital form, in relevant software programmes and in password-protected files on computers. When it is necessary for members of staff to transport physical documents containing personal data, these are transported in locked bags.
For how long is personal data stored?
The SJIB only stores and uses the personal data it needs for legitimate business purposes, to discharge a contract, for the purpose of the protection of public interest, or with SJIB ECS card holder’s explicit consent.
The SJIB holds operatives’ data indefinitely or until instructed by the operative to delete it, since the data may be of irreplaceable value if it were to be destroyed (i.e. details of apprenticeship through to completion, SJIB grades awarded over the years, qualifications and training, copies of certificates).
Under what circumstances would personal data be deleted?
The SJIB will delete SJIB ECS card holders’ details when there is no longer a lawful reason to retain them, or where an SJIB ECS cardholder specifically requests that their details be deleted.
Who has access to personal data?
Members of SJIB staff have access to SJIB ECS card holders’ data in order for them to carry out their legitimate tasks for SJIB.
Their job titles may include but are not limited to:
- Secretary of the SJIB
- Employment and Skills Operations Manager
- Employment and Skills Administrators
- Employment Affairs Adviser.
The SJIB will only respond to email correspondence where personal data is to be transferred if the email address in question has previously been supplied to us by the SJIB ECS cardholder and verified as valid.
When responding to phone calls, the SJIB will seek to verify through checking two pieces of personal data that the identity of the caller is as purported before divulging any personal data.
Who could the SJIB share personal data with?
Some SJIB ECS card holders’ data will be available for use by other companies who act as a Data Processor on the SJIB’s behalf. They are prohibited from passing this data on to other organisations that are not connected with the SJIB.
SJIB ECS card holders’ personal data is processed and may be passed on to the following organisations for the following reasons:
|Aided Presentation||Print all SJIB ECS cards|
|SELECT/SJIB Members||Confirmation of grade, proof of apprenticeship, training etc|
|JIB||Confirmation of grade which would be honoured and awarded in Scotland|
|Unite the Union||Confirmation of membership number|
|Employers (current)||Confirmation of grade, proof of apprenticeship, training, valid card etc.|
|Recruitment Agencies||Confirmation of grade, proof of apprenticeship, training, valid card etc.|
|Contracts / Sites||Confirmation of grade, proof of apprenticeship, training, valid card etc.|
|Local Authorities||Confirmation of grade, training, valid card etc.|
|Building Standards Departments||Confirmation of grade, training, valid card etc|
How is the transfer of personal data (digitally or physically) carried out?
Personal data is transferred digitally via the SJIB’s secure email server, or on encrypted pen drives, and files containing personal data are passworded. When data is transferred in physical paper format, it is held in lockable bags or boxes.
Who is responsible for the safekeeping of personal data?
Under the GDPR the SJIB does not have a statutory requirement to have a Data Protection Officer. The person who is responsible for ensuring the SJIB discharges its obligations under the GDPR is the Secretary of the SJIB, Fiona Harper.
The Right of Access
How can an individual check what data the SJIB processes?
If an SJIB ECS cardholder would like to see the personal data the SJIB holds about them, they should use the address on the front of this document to communicate in writing that they would like to make a Subject Access Request.
Should an SJIB ECS cardholder be interested in any particular aspects of their personal data, specifying this will help the SJIB to provide the appropriate data quickly and efficiently. The SJIB is required to respond within one month.
There is not usually a fee for this, though the SJIB can charge a reasonable fee based on the administrative cost of providing the information if a request is manifestly unfounded or excessive, or for requests for further copies of the same information.
The Right to Rectification
How can an individual correct or make complete any data held about them?
Should an SJIB ECS card holder believe any aspect of the data that the SJIB holds about them to be inaccurate or incomplete, they should contact the SJIB in writing specifying what aspect of the data held needs to be changed. In some circumstances, the SJIB may ask for proof of the veracity of the updated details.
The Right to Erasure
How can an individual arrange to have their details deleted from the SJIB’s records?
If an SJIB ECS cardholder would like the SJIB to erase all personal details pertaining to them, they can make this request in person, on the phone, by email, or by post. Individuals should be aware that such a request will be treated as a rescinding one’s SJIB ECS card, as the SJIB is unable to discharge their contract with the SJIB ECS cardholder without knowledge of the SJIB ECS card holder’s personal data. This means that the SJIB would no longer be able to confirm an individual’s history of apprenticeship, SJIB grade(s), vocational qualifications, or any other qualifications to you or a potential employer/client/site.
The SJIB is required to respond to such a request within one month. The right is not absolute and may not apply in certain circumstances.
The data the SJIB holds is the absolute minimum which the SJIB requires in order to discharge the duties of the contract that they hold with SJIB ECS cardholders.
The Right to Restrict Processing
SJIB ECS cardholders have the right to request the restriction or suppression of their personal data. Under restricted processing, organisations are permitted to store personal data, but not use it in the way which has been specified.
If an SJIB ECS cardholder would like the SJIB to restrict or suppress their personal data for any reason, they can make this request in person, on the phone, by email, or by post. The SJIB is required to respond to such a request within one month.
The Right to Data Portability
The right to data portability allows Data Subjects to obtain and reuse their personal data for their own purposes across different services.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
If an SJIB ECS card holder’s wishes to have their digital personal data transferred to another platform, they should make a request to the Secretary of the SJIB in writing at the address on the front of this document. The SJIB is required to respond to such a request within one month.
The Right to Object
SJIB ECS cardholders have the right to object to processing based on legitimate interests. Please be aware that an SJIB ECS card holder’s objection to processing does not supersede the SJIB’s other lawful bases for processing, such as necessary to discharge a contract, or necessary for the purpose of public interest.
Rights in Relation to Automated Decision-Making and Profiling
The GDPR has provisions on automated individual decision-making (making a decision solely by automated means without any human involvement); and profiling (automated processing of personal data to evaluate certain things about a Data Subject).
The SJIB does not use automated decision-making in any of its systems or website and does not profile its SJIB ECS cardholders.
Does the SJIB collect any “special” data from SJIB card holders?
The GDPR refers to sensitive personal data as “special categories of personal data”. The SJIB does not gather process or transfer any special category data.
How can an individual lodge a complaint with the Information Commissioner’s Office (ICO)?
Anyone has the right to lodge a complaint with the ICO if they feel that their personal data has been handled outwith GDPR rules.
In order to do so, individuals call the ICO helpline on 0303 123 1113 to discuss the matter and receive advice on next steps.
Updated: February 2021