- digital bargaining hub
- 5 data rights and data protection
Digital Bargaining Hub
The hub provides real-world bargaining clauses, union guidance, and framework agreements that can be adapted for use at the bargaining table.
No results found
5 Data rights and data protection
This theme is concerned with workers' data, access rights and data protection. While the theme of data is closely related to concepts like artificial intelligence and digital technologies, the clauses in this section relate to what data is extracted, by whom, how it is analysed, for what purposes and the rights workers have (or should have) over it. If you are interested in clauses concerned with the use and deployment of specific digital tools and AI, visit section 6.
Digitalisation implies the extraction and creation of large amounts of data. In all of the areas discussed in this section, a robust legislative approach would strengthen worker protection, but collective bargaining can also make a big difference. This is true for remote workers and for those who work on-site.
Unions can secure stronger data rights by addressing the following issues:
This sub-theme is concerned with ensuring that employers abide by existing data protection regulations.
Data is a new source of power and leverage within the world of work. The trend of monitoring and data gathering by employers has accelerated over recent years and is expected to continue. Europe as well as countries including Canada, Brazil and Switzerland have established personal data protection laws to ensure greater privacy and rights in this area. These regulations provide workers with varying levels of protection. Trade unions should ensure that where there is existing legislation on personal data protection and privacy, such protections are observed at work.
Trade unions in action: Ensuring compliance with existing laws
Europe has one of the most extensive personal data protection laws: the General Data Protection Regulation (GDPR). This applies to all personal data in Europe and thus to collective agreements from European countries. Many collective agreements make direct reference to GDPR provisions. Below, you'll find one collective agreement, from UK union CWU that references a Data Protection Officer. This is a person appointed by the enterprise who is responsible for ensuring GDPR compliance. GDPR also requires Data Protection Impact Assessment (DIPA) and other protections. UK union, Prospect, provides another example. Prospect offers guidance for unions on how they can evaluate the adequacy of an employer's DIPA. Although the UK has now left the EU, for the time being, these provisions are still in place.
Countries outside of Europe also have data protection regulations. A third example is provided by the Canadian union, CUPE, which references relevant Canadian regulations.
Data are hosted within the European Economic Area and the data protection and data security arrangements must satisfy the University’s Data Protection Officer and Chief Information Security Officer respectively.
Country
United Kingdom
Year
2019
Document type
Collective Bargaining Agreement
Clause number
10104
As union representatives, you can scrutinise your employer’s DPIA (Data Protection Impact Assessment) to make sure it:
1. Provides a description of the proposed processing of the data, and the reasons why the processing is taking place.
2. Explains the legal basis for the processing.
3. Provides an assessment of how necessary the processing of the data is in relation to the reasons for the processing - employers should only be collecting the minimum amount of data needed.
4. Consults with the relevant stakeholders – this should include trade union and/or workforce representatives
5. Identifies and assesses the risks to the personal data of individuals.
6. Identifies the measures to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulations.
7. Details recommendations to be signed off by project managers - the outcomes should be incorporated into the project plan.
Union
Prospect Union
Country
United Kingdom
Year
2020
Document type
Guidance
Clause number
10096
Article 18 Personal Information and Electronic Monitoring
18.01 The Employer recognizes the right of privacy of its Employees with respect to their personal information. The Employer shall not collect, use, or disclose any Employee personal information without their expressed consent except where required by law.
18.02 Any collection, use, or disclosure of an Employees personal information shall be done in accordance with the Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96.
18.03 There shall be no electronic monitoring of Employees by the Employer for any purpose without the written consent of the Employee.
18.04 An Employee may withdraw their consent under this Article at any time.
Union
Canadian Union of Public Employees
Country
Canada
Year
various
Document type
Collective Bargaining Agreement
Clause number
10098
This sub-theme is concerned with data collection about workers and provisions that ensure that data is stored safely and securely.
When data falls into the wrong hands, it can place workers' privacy in jeopardy. In addition to personal data regulations, trade unions have issued recommendations and guides limiting the scope of data collection and promoting workers' data security and data protection by, for example, requiring employers anonymise data, use pseudonyms, and limit access to data files. Unions should also be aware that where data is stored can also impact workers' rights and privacy. If data is moved to jurisdictions with weak data protection regimes, workers’ privacy is at risk. Unions should know if identifiable information is moved to other jurisdictions and should have the right to block this movement.
Trade unions in action: Limiting data collection to only what is necessary or expressly permitted
While employers may have valid reasons for collecting some data about workers, this doesn't mean they should have access to everything. Unions can help promote worker privacy by advocating for data minimisation. Employers should collect only what they need for the firm to operate. This means they should be able to concretely explain what they are collecting and why.
The Trade Unions' National and European Administration Delegation and European Public Administration Delegation jointly developed a checklist of good practices regarding the opportunities and risks of digitalisation. These include following the principle of data minimisation. An example comes from the Public Services Association in New Zealand. This union has negotiated language that requires any data that is collected about workers be for valid work purposes. Data must also only be used for the explicit reason for which it was collected. This type of clause can help unions be sure that data collected for one reason isn't repurposed for another use.
The following actions need to be considered:
- Collecting, monitoring only relevant data about employee output, in order to facilitate performance management, and with the full knowledge and consent of the employees and their representatives.
- Differentiating between useful data, that does not invade the privacy of employees, and unhelpful or sensitive data, or data that can invade the privacy of employees at work needs to be isolated and deleted.
- Promoting trust in employees in a context of management by objectives rather than surveillance software which can often be not only ineffective but also costly and counterproductive.
Union
EPSU
Country
Europe
Year
2020
Document type
Guidance
Clause number
10093
Collection, management and use of personal data
[The employer] can only collect personal information about employees for valid work purposes or where directed to by the law.
[The employer] will protect the privacy of employee's personal information and not disclose or use it for any purpose other than that for which it was originally collected.
Union
New Zealand Public Service Association
Country
New Zealand
Year
2023
Document type
Collective Bargaining Agreement
Clause number
10289
Trade union considerations: Understanding how third-party tools are used at work
Many digital tools deployed in workplaces are developed and owned by third parties. Unions should have the right to know whether these parties have access to workers' data and whether they have claimed rights to use or sell this data. Workers should also know if employers are using third party tools or services to collect information about them. These topics can be addressed at the negotiating table.
The example below is from the Trade Union of Dental Clinic (No. 23) in Russia and requires employers to collect data about employees directly from workers themselves. If the employer uses a third party service to obtain data about workers, workers must be informed and provide consent.
All personal data of the employee should be obtained only from [the worker directly]. If the employee’s personal data can only be obtained from a third party parties, then the employee must be notified about this in advance and written consent must be obtained.
Country
Russia
Year
2019
Document type
Collective bargaining agreement
Clause number
10407
This sub-theme is concerned with data ownership, including who owns workers' data and for how long.
Employers extract data from workers, such as location, movement, efficiency, hours worked, sick days and vacations. This data provides essential information about individual workers. Ideally, this data should belong to the workers.
The Digital Bargaining Hub contains language where unions have successfully negotiated for workers to have access their data and to use it. Under certain circumstances (such as an invasion of privacy, data collected without consent, or incorrect data), unions have also negotiated for workers to have the right to correct their personal data or to delete it.
Trade unions in action: Ensuring that workers have access to their data
Workers should have access to data that is collected about them. Some of the most innovative examples of unions negotiating for this right come from the world of professional sports. In this context, wearable technologies are used to collect a wide range of highly sensitive data; these data may be a strong indicator of current or future athletic performance.
The Major League Baseball Players Association has bargained language that is featured below. It insures that players are provided with full access to any data collected about them via wearable technologies.
The Euroleague Players Association has also negotiated language that ensures players have the right to opt in to data collection from wearable technologies and provides players with access to this data. Another interesting feature about this clause is that data collected via these technologies can not be used for a player's individual contract negotiations.
Before a Player can voluntarily agree to use a wearable technology, the Club must first provide the Player a written explanation of the technology being proposed, along with a list of the Club representatives who will have access to the information and data collected, generated, stored and/or analyzed (the “Wearable Data”). If the wearable technology includes the ability to create a login or otherwise provide direct access to the Player’s personal data, the Club shall make that data available to the Player. In the event this functionality is not available, the Club must provide a copy of the Player’s data to the Player upon his request.
Country
United States
Year
2022
Document type
Collective bargaining agreement
Clause number
10532
The Clubs and EP may request the Players to use wearable technology during practices to track and measure information such as jumps, change of directions, accelerations and decelerations, loads, heart rates, heart rate variations, distances, speeds, heights, weights and biometric and other health and performance data related to the Players (including the audio and video recording of this information). However, the following will be taken into account:
• The use of the aforementioned wearable technology will be subject to and conditional on its voluntary acceptance by the Players, as Players have the right to refuse to use it at any time.
• The purposes of the use of these wearable devices will be clearly explained to the Players by the Medical and Performance staff of the Club and/or by EP, also in a written form.
• All data collected by the Clubs and/or EP in relation to the use of these wearable devices is private and confidential and may only be used for health, performance and tactical purposes.
• The data collected by the wearable devices will be accessible to each Player at any time at the Player’s request.
• All collected data of each Player may be used, disclosed and shared only with the staff of the Club and/or EP and with each Player.
• All data collected by the wearable devices will never be used for the purpose of the Players’ contractual negotiations.
Country
Germany
Year
2021
Document type
Framework Agreement
Clause number
10535
Trade unions in action: Prohibiting the sale of workers' data
Data is a valuable asset. When data is sold, ownership changes and control is lost. In these cases, data can end up anywhere and be used for any purpose, including by organizations that undermine worker interests.
It is possible to negotiate clauses that constrain the ability of employers to sell worker data. For example, the Financial Services Union in Ireland has negotiated with management an amendment to the staff privacy policy. These include an anti-commodification clause:
The Bank commits that it will not turn employee data into a commodity for sale or trade, and a clause on Respect and Human Rights: The Bank is committed to respecting workers’ privacy and human rights as defined in law and in particular with regard to the UN’s Universal Declaration of Human Rights and the ILO’s 1997.
Country
Ireland
Year
2021
Document type
Collective Bargaining Agreement
Clause number
10097
Trade unions in action: The right of deletion and data disposal policies
Data is an unusual resource. Unlike other commodities, data can't be 'used up'. Instead it can be used for infinite purposes. This raises important questions about how long can employers store workers' data. Limiting how long data can be stored can help to limit how data will be used.
Two examples of trade union language are included below. German union Ver.di specifies that some types of data will be retained only for service quality analysis for a limited number of days (7). In the case of Korean union KPTU, union members can request that personal records be revised or disposed of under the conditions described below.
As part of the operation of [the firm], metadata is stored to support application support and quality of service analysis, but no content from communications is stored. The stored metadata is only accessible to administrators; it is deleted after 7 days.
Union
Vereinte Dienstleistungsgewerkschaft
Country
Germany
Year
2016
Document type
Works Council Agreement
Clause number
10100
This sub-theme is concerned with how workers' data is used and processed and what restrictions are placed on employers' use of workers' data.
Data is made powerful through analysis and evaluation. These kinds of data processing activities can be undertaken at the level of the individual, the workplace or even the industry. Unions should not only make demands about what data will be collected but also how it will be used. For example, workplace data can either be used to reward teams for hitting output targets, or it can be used to punish individuals who fall behind.
Algorithms, meanwhile, can be used to make inferences about worker performance. These inferences sometimes draw correlations between age and gender and desirable characteristics like employment tenure. If automated hiring systems target workers according to these inferences, they risk introducing bias into the job market. Unions should work to place restrictions on data use that is disadvantageous to workers.
Trade unions in action: Implementing data restriction clauses
Unions can introduce data restriction clauses to ensure that data collected about workers is only be used for predetermined and agreed upon purposes. These clauses mitigate known risks related to data processing. They can also limit the scope of analysis that can be conducted, for example, by reducing employers' abilities to develop potentially risky ways of using worker data in the future.
Below are two examples from works councils involving the German trade union Ver.di. Both provide language that restricts firms' use of worker data.
In accordance with the legal requirements, when using IT procedures, only those personal data of employees are processed which are necessary for the operation of the procedure or for working with the procedure. This data may not be processed by the department for other purposes. Personal employee data may only be used for behaviour and/or performance control if it was collected for this purpose and the employees concerned already knew or could have known this at the time of their work with the procedure.
Country
Germany
Year
2020
Document type
Works Council Agreement
Clause number
10091
The collection, processing, storage, evaluation and forwarding of data in the context of occupational health management shall be subject to the principles of economical data collection and confidentiality. The co-determination rights of the staff councils must be observed and safeguarded in this context. […] Therefore, only the data necessary for analyses and evaluation within the framework of occupational health management shall be collected, stored, forwarded and evaluated. An evaluation is only carried out in anonymous form and in compliance with data protection regulations. The transfer of personal data requires the written consent of the employees concerned.
Union
DGB Bildungswerk, Vereinte Dienstleistungsgewerkschaft
Country
Germany
Year
2015
Document type
Works Council Agreement
Clause number
10105
Trade union considerations: Understanding GDPR and the impact of algorithmic inferences
Workers who are covered by the European General Data Protection Regulation have a right to know what data-generated inferences and profiles are created using their personal data.
Workers and citizens are constantly subject to data processing that is used to create inferences about behaviour or to profile individuals. These inferences have real-world consequences on the autonomy and freedom of individuals. For example, they may influence how online job recruitment ads are displayed or forecast a newly hired worker's tenure.
Unions should bargain for the right to know what inferences and profiles workers are subject to, what inferences and profiles are created using workers’ data and what the employer does with this information.
Additional reading on Theme 5: Data rights and data protection
Colclough (2020) https://socialeurope.eu/workers-rights-negotiating-and-co-governing-digital-systems-at-work
Wachter, Sandra, and Brent Mittelstadt. 2019. “A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of Big Data and AI.” Columbia Business Law Review 2019 (2). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3248829.
TUAC (2021) The limits of data rights for the workplace, Briefing Paper
ILO (1997): Protection of workers’ personal data