The recent high-profile data security breaches in Australia (and around the world) have highlighted the vital importance of data security for unions. Data security regulation isn’t new, but the risks of breaches are now much more real and serious than five or ten years ago.
How important should data security and privacy be for your union? In short: a lot more important than you probably think.
Union members, like most people, increasingly insist on tailored, personalised experiences and services (which requires the use of personal data) while also demanding a high level of privacy and data protection.
This has been complicated by changes to how data can be captured and used. For example, privacy changes by Apple have made it increasingly difficult to use targeting for social media ads or even email campaigning. In the commercial sector, the response to these changes has been a switch from focusing on “third party data” (data held and stored by third party organisations like Facebook) to “first party data” (data held and stored by your own organisation).
First party data, however, increases the risks related to how unions (and other organisations) store that data and use it in a way that respects and protects members’ privacy.
It is also likely, following the Optus, Medibank and other data breaches, that Australia’s very lax laws will be significantly strengthened. This is good for everyday people, but will mean that unions must grapple with privacy and data security now, not to mention how these changes may affect your digital campaigns and recruitment.
This is increasingly important for union leaders to be across. Data and privacy breaches are now major, sometimes catastrophic, events that can be disastrous for the everyday operations of an organisation, and hugely impactful in reducing trust and confidence in your union. The steps needed to be prepared and compliant with cyber security and data requirements must be understood and championed by union leadership, as well as by senior staff.
There are a few things that unions should consider:
First — what is data security and privacy compliance and is my union compliant?
Second — how can my union prepare for the future?
How can unions be data and privacy compliant?
What do I mean by data protection compliance? Basically, there are two areas to be aware of.
Firstly, you need to be aware of consumer data and privacy regulation. As I noted, these are likely to change soon in Australia.
Most consumer data laws are aimed at (but don’t necessarily achieve) protecting the privacy of consumers. We have seen the consequences of surveillance capitalism, and broadly speaking any regulatory strengthening of consumer privacy protections is good.
Other countries and areas (like Europe and California) have much stronger privacy and data laws than Australia. These regulations basically require organisations to only collect data that is absolutely necessary, to ensure it is stored securely, and to ensure that the consumer gives consent to the data being collected. They also give consumers the right to request their data be deleted or not used for specific purposes.
It is likely that Australia will adopt elements of the stronger European and Californian regulations.
For unions, this means you will need to review your privacy policies to ensure that it is clear for your members (and potential members) what data you are collecting, and what you intend to do with it. (Contact the ACTU if you need assistance with this.) The Privacy Commissioner is basically a toothless regulator currently, but in the near future there will likely be far greater scope for fines and other regulator powers and actions.
(It’s worth noting that there are almost no data and privacy protections for workers currently — this is a major area of public policy that also needs significant focus by unions and privacy advocates. Read more here and read the ACTU’s 2022 resolution on worker data privacy.)
Secondly, your union should also review your internal practices and work flows. How are you storing data? Who has access to it? Does your union’s staff know the distinctions between personal data and sensitive data? Does your union have a plan in place if a breach occurs?
One of the reasons that Optus and Medibank had such massive breaches was that their internal processes were not very robust — i.e. they had few restrictions on who could access personal and sensitive data, and weak security on things like passwords for crucial administrator accounts.
In the near future, with new regulations coming, unions will need to be proactive in ensuring data and privacy security.
You can review the Australian Cyber Security Centre resources here, including requirements around disclosing breaches and vulnerabilities.
Preparing for future privacy and data regulations
The past decade and a half in Australia has been almost entirely laissez faire when it came to data capture and privacy. Australia has a very weak set of privacy and data laws, but this will change very soon.
Unions need to be data organisations — in fact, historically we used data as one of the main advantages to out-organise the bosses.
From the turn of last century, unions held the data monopoly of the “going rate” for workers’ wages. This gave us unrivalled power over bosses and it was information that was highly-valued by workers who we could organise using this knowledge. By the 1990s, we more or less forgot that this information monopoly was our advantage, and by the mid 2000s, corporations took over the monopoly.
Today, the big banks, credit scoring companies and corporate HR tech vendors possess more information about union members, work satisfaction, wages, and industry knowledge than unions could ever dream of. In fact, banks know far more about union members than unions themselves. Combined with the rapid growth in surveillance capitalism, logistics companies are using AI to remotely manage workers from warehouses to disability care, and monitoring pace, steps, keystrokes, social media and physical location at all times.
To return to being data organisations, unions can use a range of technology that has been developed by surveillance capitalism — like preference centres, or identity resolution systems, as well as more advanced consumer data management software (such as customer data platforms) to connect disparate systems like your membership system, website, email system and more.
To really gain the benefits of modern data technology, your union needs to invest in both systems and more importantly, people and culture. Your union needs to recognise the enormous value that data has, embed that recognition across your union, and ensure you have people internally who can extract, analyse and interpret that data.
Your union likely already has a significant amount of data about members across a number of systems — your membership database, finance system, email, industrial officer files, organisers’ Excel documents and more. Not only about members, but workplaces, agreements, Awards, FWC cases and precedents, and so on. (This data could be attractive for hackers, especially for ransomware attacks, but member records have been targeted recently; for example, the Smith Family had a breach in November 2022.)
Combining and organising that data into a single profile for your members is a massive challenge, but is one of the ways that your union can really recapture our data advantage.
Steps to improve this could include:
- Taking the Prospect UK data quiz to see how data-mature your union is. Prospect is a UK union that is more advanced than most when it comes to data security.
- Reviewing and updating your privacy policies and data collection policies on your union’s websites. Contact the ACTU for assistance.
- Auditing what data your union has stored about members, and where. It is likely that you’ll have data stored in all kinds of places, both in formal databases (like your finance system and membership system) and informal places like Excel files and emails.
- Reviewing the skills and experience of your union’s staff — especially related to cyber security and data literacy. The biggest source of data breaches comes from social manipulation and phishing/spear phishing rather than “brute force” attacks or “hacking”. Resisting these requires increasing your union’s data and cyber security literacy.
Members are increasingly savvy about their own data — so over time (and as more major corporations suffer data breaches) they will demand greater compliance and proactivity from their unions.
Your union should also consider looking at having a role or team responsible for data security and use. While most unions will not be large enough to be able to do this, it is something that national offices could consider — with the requirement that all branches agree to jointly improving data security and privacy standards.
At a minimum, greater support and resources should be provided to branch-level IT staff and teams, so that there is communication between them. Unions should also ensure there are very strong channels of communication between IT and database management staff (e.g. your membership system and finance team) and your digital organisers and comms staff who will be most likely to want to use your data.
Finally, your union should make a decision about who is responsible for your union’s data strategy and governance. This should be a senior elected leader in your union, who can make decisions about how your union manages member and other data, and who will take responsibility for compliance.
With new regulations coming next year in Australia, your union’s approach to privacy and data will need to be flexible. Most likely, it will require your union to do a lot of what is discussed in this post.
But it is also a major opportunity for your union to become more data-oriented and better able to meet the needs of your members and future members.