The initial reaction to GDPR has been somewhat of a ‘paper shredding’ exercise in order to minimise the amount of data that may be processed or stored. Your email inbox has likely been inundated with ‘opt in’ emails from organisations you barely recognise pleading to stay in touch via their mailing list. But how can data purging be aligned with a safety management system that requires the storage of competency records, disciplinary notes and health surveillance results? In the world of health and safety an often hailed maxim is ‘if it wasn’t written down, it didn’t happen’.
Any information that relates to an identified or identifiable natural person is considered ‘personal data’. That will most likely extend to driving licences, induction paperwork and PPE records.
Article 5 of the GDPR requires that personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals. It is unlikely that there will be any malice or unfairness in the use of data for health and safety purposes; the reason for using the data should be clear.
In choosing a ‘lawful basis’ for processing the data, most health and safety professionals are unlikely to obtain consent each and every time a record is generated. A simpler solution is to rely on two other bases:
In the absence of consent, which may be too burdensome to be workable, a reliance on the two bases above will be unlikely to result in any significant change to normal practice. Health and safety practitioners should be clear as to what information they are collecting and why; as most health and safety policies and process documents already are.
It is easy to see how ‘sensitive personal data’ could be collected by way of managing health and safety; particularly the health records associated with surveillance and occupational health regimes. Given the progress made in assessing and managing the health and wellbeing of employees, it would be wrong for practitioners to use the GDPR as an excuse to retreat.
In order to process this data, one of the bases of processing (as above) should be identified. This should not be a difficult task given the importance of health monitoring in a variety of industries. The second stage is to find a particular condition that allows the processing of this extra-sensitivities data. In the current scenario, the GDPR provides great assistance, with one particular category being that:
“Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee…”
Not only does the GDPR require a lawful basis for the collection and use of personal data, it also calls for transparency. Individuals have the right to be informed about the collection and use of their personal data, and when this changes. Clear and transparent health and safety policies should achieve the requirement to ‘inform’.
Whilst previously employers may have relied upon a consent clause in the employment contract, genuine, stand-alone consent is now required and this will likely be achieved through the use of a privacy notice issued when employment commences. Health and safety practitioners may want to incorporate reference to this in the induction process.
According to the storage limitation principle in the GDPR, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. An organisation that properly reviews its documentation, such as regularly reviewing training records and competencies, should not require any significant changes. Good safety management requires practitioners to be ‘on top’ of their records and avoid lapsed assessments and superseded documents from languishing in archives.
Set out below is a non-exhaustive list of suggested retention periods for common types of personal data held. Although personal data may be held for longer periods, sufficient justification for doing so (such as an ongoing criminal prosecution) is required.
Following any health and safety incident, it is standard practice to conduct an investigation to understand what happened, and how future incidents may be prevented. We do not consider that reference to personal data as part of that investigation will incur the wrath of the Information Commissioner.
Equally, the legal requirement to submit a RIDDOR report and comply with a formal document request from the HSE (under section 20 of the Health and Safety at Work etc Act 1974) will subvert any criticism that data is not being handled properly.
Health and safety professionals do need to consider, however, how their investigation reports are disseminated. If there is reference to personal data within an investigation report then practitioners should consider whether that data can be removed or restricted before any report is circulated around a business or provided to an insurer. Anonymisation through an easily identifiable key should also be viewed with caution.
It is often the case that the facts and learnings of an incident are more important than the identity of the individual(s) concerned. If it is necessary to share personal data as part of an investigation, recipients should be reminded to treat it appropriately and destroy it when no longer required.
The furore and publicity surrounding GDPR is akin to that experienced during the introduction of the Sentencing Council’s Guideline for sentencing health and safety offences in February 2016. However, two years on from the Guideline, those organisations who already had a structured and transparent approach to health and safety management had little to fear. The same should be said of GDPR which really should be a reminder to organisations to reconsider their existing obligations under domestic data protection law.
Interesting article – I would like to see expansion on some of the more complex issues to give a clearer picture for more diverse businesses that are open to members of the public and potentially under 18s as if you take the above example table as it is could be mis leading in some circumstances.
A really useful article – I’ll have to bookmark this one, as have already had to deal with quite a number of people shouting about what information I can and can’t record as part of an incident investigation – most of whom don’t actually have a clue. It seems that the ones shouting ‘Health and Safety’ as an excuse for being an obstructive pain-in-the-neck now have a new battle cry! Thanks for this!
A key important inaccuracy here regarding consent. It’s very clear under GDPR that consent is not appropriate in an employer – employee relationship. I’m not sure why the author talks about consent here it’s not needed. In addition, businesses need to be mindful of accident records for under 18s as they have 3 years from the point of turning 18 to make a claim. Consideration also needs to be given to any accidents or incidents relating to potential “health” issues as there is no time limit on claims. This in mind I would not be looking to cleanse accident data… Read more »