ASLEF General Privacy Policy

Overview

We take privacy very seriously and want to ensure complete transparency on how your personal information is held and processed and what your rights as an individual are under the Data Protection Act 2018 and General Data Protection Regulation (GDPR). We will only use personal information for the purposes laid out below and we are aware of our responsibility to handle personal data with care and keep it safe and secure. 

How we use your information

This privacy notice tells you what to expect when we collect personal information. It applies to:

  • Rights of the individual

  • People who communicate with us

  • ASLEF members

  • ASLEF learners, family and friends

  • Non-member data (MSL)

  • Job applicants and employees

  • ASLEF website: How we use cookies

  • Links to other websites

  • Complaints regarding your personal data

  • Access to personal information

  • Right to be forgotten

  • People who make a complaint to us

  • Data breaches

  • Changes to this privacy notice

  • How to contact us

When we collect your personal information, we ensure that it is managed properly and securely. If we collect “sensitive information” that relates to physical or mental health, racial or ethnic origin, political opinions, trade union membership, religious beliefs, sexual life, we will ensure there is extra security around its management and storage. Information relating to criminal records and convictions is also treated as special category data for the purposes of this policy.

Where we want to disclose information to a third party, for example where we want to obtain a “disclosure” from the Disclosure and Barring Service, we will not do so without informing you beforehand unless the disclosure is required by law.

We will only keep data in line with our agreed retention policies, unless we have an exception to this, in which case we will ensure you understand the reasons why we will hold it for longer.     

Rights of the individual

As the owner of your data, GDPR allows you to ensure your data protection rights as an individual to:

  • the right to be informed

  • the right of access

  • the right to rectification

  • the right to erasure

  • the right to restrict processing

  • the right to data portability

  • the right to object

  • rights in relation to automated decision making and profiling 

People who communicate with us

People contacting us do so at their own discretion. Your personal information will be kept private and stored securely until a time it is no longer required or has no use. If you send us a private message with attachments, such as your CV, we may keep it for up to six years. We do not pass it on to external processors without your consent.

People who contact us via social media

We use social media, such as Facebook and Twitter, to communicate with members and people in the industry. Users contacting us via private or direct message do so at their own risk.

People who email us

Any email sent to us, including any attachments, may be monitored and used by us for reasons of security. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

ASLEF members

We will be principally responsible for controlling and looking after personal data. Members’ details will be passed internally between ASLEF representatives and ASLEF Head Office staff in compliance with the standards set out in this policy.  

The information will be kept secure and will only be used for purposes directly relevant to that person’s membership.

We will collect, store, and use the following categories of personal information about you:
Information entered on ASLEF membership forms (may include name, title, contact details, DOB, gender, ethnicity, NI number, bank account details, employer, branch, depot, contact preferences, political fund option, joining date, subscription rate, and other information).

We may also record additional personal information in the course of the period you are an ASLEF member in relation to any service provided as part of union membership or representative activities carried out on behalf of the union (for example history of changes in employer, branch, depot, address, badges and certificates awarded, trade union activities, information regarding grievances and disciplinary hearings, legal disputes, occupational health, training, conferences attended, expenses claimed, leaving date and reason).

On grounds of legitimate interest personal data will be shared with external third parties only for purposes that we have told you about (please address any questions or concerns to the GSP department). We will stipulate how they must process your data, ensure it is held securely, demand they are transparent with any data breaches and that they do not pass your data on to any other third parties without your consent.
 

  • Civica (ballots / referendums)

  • Labour Party (for political fund and Labour affiliates)

  • Salesforce and ImpactBox (membership database)

  • FormAssembly and PaperForm (for contact and other forms)

  • Netrix, Mailchimp, Textmarketer and ThruText

  • Sage

  • Thompsons Solicitors

  • Meeting and training registration (TUC, ITF, etc), hotel and conference centres

  • Publication designers, printers, mailing houses (labels to post monthly Journals)

  • Our accountants and auditors

  • Our IT support service (AirIT)

  • ASLEF Education: auditors, learning providers, funding providers, awarding and certification bodies

ASLEF also has a duty to comply with statutory obligations and is not able to provide membership to anyone who does not consent to the union sharing data with third party providers of services, as set out above, or to ASLEF using their personal data in order to perform the functions of the trade union. 

Names and photos of members participating in union events may appear in reports about trade union activities (published online and in ASLEF publications). Members will be asked to notify us if they do not wish to be named or photographed.

Once your membership with us has ended, we will retain records in accordance with the requirements of our retention schedule. We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. 

Elected ASLEF representatives

Personal contact details of all members holding a position within the union (officers, EC, company council, district council, representative committee members, branch secretaries, H&S reps, equalities reps, ULRs, etc) will be shared with members because, as part of your role you must be contactable. Contact details appear in the contacts directory, on the closed area of the website, and can be requested from Head Office.

Elected ASLEF representatives may request contact details of relevant members in order to contact them about union business (e.g. representative committee reps to contact members of equality strands, H&S events, etc). They are reminded of their responsibilities regarding the secure collection, storage and sharing of personal data, which must be used and retained only for legitimate purposes. Members should refer to guidance previously issued by ASLEF and available on the members’ area of the website, along with relevant sections in the ASLEF I.T. Policy and the ASLEF Social Media Policy

ASLEF learners, family and friends

ASLEF Education offer learning opportunities, with support from Union Learning Representatives, for members and for eligible family and friends in compliance with the standards set out above, for collection, storage and use of members’ personal data. By enrolling learners are giving consent for ASLEF Education to keep a record of their personal information and employment information as well as their level of prior educational attainment, unique learner number, first spoken language, and assessment results (with an agreed retention period of 10 years).  Online learning platforms are hosted by Beach Design, Unionlearn and CallidusCloud which are secure portals.  Personal information and learning achievements are retained for the purposes of satisfying legal, accounting, and reporting requirements and some data will be shared with auditors, learning providers, funding providers, awarding and certification bodies in compliance with the processes and protections above.

Contact details for ULRs are shared in the same way as for all ASLEF representatives, outlined above.

Non-member data and Minimum Service Levels (MSLs)

Employers wishing to use the MSL legislation will issue work notices.  From these lists we will internally identify ASLEF members and we will issue compliance notices to those individuals. Compliance notices will only be issued to current members (including members up to 12 weeks in arrears, before their membership is lapsed).  We will not be informing employers which of their employees are union members. Non-member data shared by employers will not be retained after we have issued compliance notices.

Job applicants and employees

When individuals apply to work with us, we will only use the information they supply to us within ASLEF and to process their application. Personal information about unsuccessful candidates will be held for up to six months after the recruitment exercise has been completed. It will then be destroyed or deleted.
Once a person has been hired by us, we will compile a file relating to their service / employment with us. Any personal data we hold on employees is stated in the internal privacy policy and contracts, along with all processors we use. The information will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with us has ended, we will retain the file in accordance with the requirements of our retention schedule (6 years).


Staff should refer to ASLEF’s ‘Privacy Notice for employees’
 

ASLEF website: how we use cookies

We use traffic log cookies to identify which pages are being used. This helps us to analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes using anonymised data. 
 

The public pages of our website don’t collect cookies that give us personal information about website users. We do not use personalised adverts or sell information to third parties. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. The members’ area of the website is customised and cookies are used to store a session id when members log in. This enables members to update their profiles and tailors some content, by district and company. 
 

Links to other websites

Our website may contain links to enable you to visit other websites of interest easily. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Complaints regarding your personal data

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading, inappropriate or data has been unfairly shared, lost or held inappropriately. We would also welcome any suggestions for improving our procedures.

How to voice your concerns to us

This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of our collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to our Data Protection Lead at the email address: info@aslef.org.uk

If you are unhappy with our response, you have the right to escalate this to the Information Commissioner’s Office (ICO) @ https://ico.org.uk/concerns/.
 

Access to personal information

We try to be as open as we can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a “subject access request”, without any cost to the individual and in a machine‐readable format. If we do hold information about you, we will:

  • give you a description of it
  • tell you why we are holding it
  • tell you who it could be disclosed to
  • let you have a copy of the information in an intelligible form within one calendar month

To make a request to us for any personal information we may hold you need to put the request in writing, addressing it to our Data Protection Lead info@aslef.org.uk. We will ensure a response to you in a machine‐readable format is provided within one calendar month.

If we do not hold information about you due to it being erased due to the retention dates having expired or through a previous request for erasure, we will inform you. Any further question can be submitted to our Data Protection Lead and should you feel the response is not adequate you have the opportunity to escalate to the ICO.
 

Right to be forgotten

Within GDPR every individual has the right for their data to be forgotten or erased, unless there are legal grounds which do not allow the erasure, such as:

•    legal obligations such as HMRC or legal investigation
•    contractual obligation must be fulfilled by the company
•    public task or interest where it is helping with the detection or prevention of a criminal act

Should you request to be forgotten, or give authority to a third party, such as your solicitor, we will confirm the identity and then proceed to remove your personally identifiable data from our records and send you an audit. We will keep the minimum data to identify you as a living person, in case of an audit by the ICO or a second request should come in, so as to prove we have acted in accordance with the GDPR.

Again, should you not be happy with the process we have gone through, you have the right to complain to our Data Protection Lead, and in turn if the response is not adequate you retain the right to escalate this to the ICO.
 

People who make a complaint to us

When we receive a complaint from a person, we log the details of the complaint and validate them against our records. This normally contains the identity of the complainant and any other individuals involved in the complaint. We will only use the personal information we collect to process the complaint.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for six years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

Similarly, where enquiries are submitted to us, we will only use the information supplied to us to deal with the enquiry and any subsequent issues.
 

Retention and deletion of data records

We will ensure your data is retained for the agreed retention period and deleted at that point. We will also ensure your data is properly deleted. This also includes any data transmissions that hold data temporarily, as we will ensure they are deleted after the event.

Data Breaches

We ensure all your data is held securely and our staff are trained to understand the many different types of breaches, such as:

  • Hacking by external parties
  • Break‐ins to our premises and stealing of data or computer equipment
  • Virus affecting our IT infrastructure

Any data breaches will be reported to the ICO within 72 hours of being detected and we will let the individuals know who have been affected while we carry out our investigations.
 

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated in February 2024.

Members should also refer to ASLEF's I.T. Policy and ASLEF's Social Media Policy.

How to contact us

If you want to request information about our privacy policy, you can email our Data Protection Lead at info@aslef.org.uk or write to: ASLEF, 77 St John Street, London EC1M 4NN