Data are hosted within the European Economic Area and the data protection and data security arrangements must satisfy the University’s Data Protection Officer and Chief Information Security Officer respectively.

As union representatives, you can scrutinise your employer’s DPIA (Data Protection Impact Assessment) to make sure it:

1. Provides a description of the proposed processing of the data, and the reasons why the processing is taking place.

2. Explains the legal basis for the processing.

3. Provides an assessment of how necessary the processing of the data is in relation to the reasons for the processing - employers should only be collecting the minimum amount of data needed.

4. Consults with the relevant stakeholders – this should include trade union and/or workforce representatives

5. Identifies and assesses the risks to the personal data of individuals.

6. Identifies the measures to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulations.

7. Details recommendations to be signed off by project managers - the outcomes should be incorporated into the project plan.

Article 18 Personal Information and Electronic Monitoring

18.01 The Employer recognizes the right of privacy of its Employees with respect to their personal information. The Employer shall not collect, use, or disclose any Employee personal information without their expressed consent except where required by law.

18.02 Any collection, use, or disclosure of an Employees personal information shall be done in accordance with the Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96.

18.03 There shall be no electronic monitoring of Employees by the Employer for any purpose without the written consent of the Employee.

18.04 An Employee may withdraw their consent under this Article at any time.

In particular, the following rules and principles of data protection must be observed in the design of data protection:

• Data minimisation and necessity

• Permissibility and concretisation of purpose

• Principle of restricted authorisation

• Anonymisation or pseudonymisation

In accordance with the principles of data minimisation, purpose limitation and restricted authorisation, the collection and processing of personal data shall be limited to the legally permissible and objectively necessary extent, the use shall only take place within the framework of the agreed purposes and the rights of use and access to personal data shall be limited to those persons who need this data for the fulfilment of their tasks or who, as directly affected customers, have a right to information.

Evaluations of personal data are generally only permissible in anonymised form or - if a reference from the data to persons (re-identification) is required - in pseudonymised form. If procedures for pseudonymisation are to be used, the measures for pseudonymisation (including the security of the pseudonymisation key) as well as the necessity, conditions and procedure for re-identification must be explained. Evaluations are only permissible with the consent of the staff representation. Person-related abuse controls may only be carried out in cases of justified suspicion and with the involvement of the staff representation and the data protection officer.

The following actions need to be considered:

- Collecting, monitoring only relevant data about employee output, in order to facilitate performance management, and with the full knowledge and consent of the employees and their representatives.

- Differentiating between useful data, that does not invade the privacy of employees, and unhelpful or sensitive data, or data that can invade the privacy of employees at work needs to be isolated and deleted.

- Promoting trust in employees in a context of management by objectives rather than surveillance software which can often be not only ineffective but also costly and counterproductive.

The Bank commits that it will not turn employee data into a commodity for sale or trade, and a clause on Respect and Human Rights: The Bank is committed to respecting workers’ privacy and human rights as defined in law and in particular with regard to the UN’s Universal Declaration of Human Rights and the ILO’s 1997.

As part of the operation of [the firm], metadata is stored to support application support and quality of service analysis, but no content from communications is stored. The stored metadata is only accessible to administrators; it is deleted after 7 days.

In accordance with the legal requirements, when using IT procedures, only those personal data of employees are processed which are necessary for the operation of the procedure or for working with the procedure. This data may not be processed by the department for other purposes. Personal employee data may only be used for behaviour and/or performance control if it was collected for this purpose and the employees concerned already knew or could have known this at the time of their work with the procedure.

The collection, processing, storage, evaluation and forwarding of data in the context of occupational health management shall be subject to the principles of economical data collection and confidentiality. The co-determination rights of the staff councils must be observed and safeguarded in this context. […] Therefore, only the data necessary for analyses and evaluation within the framework of occupational health management shall be collected, stored, forwarded and evaluated. An evaluation is only carried out in anonymous form and in compliance with data protection regulations. The transfer of personal data requires the written consent of the employees concerned.