GDPR – Implications for the Health and Safety Professional
The enforcement date for the EU General Data Protection Regulation EU 2016/679 (“GDPR”) is now upon us. From last week, organisations which are not compliant with GDPR may face heavy fines of up to €20 million or 4% of annual global turnover, whichever is the greater. But what does the GDPR actually mean for a health and safety professional? Phil Crosbie from Eversheds Sutherland explains…
The initial reaction to GDPR has been somewhat of a ‘paper shredding’ exercise in order to minimise the amount of data that may be processed or stored. Your email inbox has likely been inundated with ‘opt in’ emails from organisations you barely recognise pleading to stay in touch via their mailing list. But how can data purging be aligned with a safety management system that requires the storage of competency records, disciplinary notes and health surveillance results? In the world of health and safety an often hailed maxim is ‘if it wasn’t written down, it didn’t happen’.
How to manage the day-to-day
Any information that relates to an identified or identifiable natural person is considered ‘personal data’. That will most likely extend to driving licences, induction paperwork and PPE records.
Article 5 of the GDPR requires that personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals. It is unlikely that there will be any malice or unfairness in the use of data for health and safety purposes; the reason for using the data should be clear.
In choosing a ‘lawful basis’ for processing the data, most health and safety professionals are unlikely to obtain consent each and every time a record is generated. A simpler solution is to rely on two other bases:
- Legal Obligation – this will be particularly relevant for training records and health surveillance documents, where there is a statutory requirement to keep records, and be able to evidence and review health and safety systems;
- Legitimate Interest – the interest in properly managing the health and safety of those connected with an organisation is evident, and should not require further explanation.
In the absence of consent, which may be too burdensome to be workable, reliance on the two bases above is unlikely to result in any significant change to normal practice. Health and safety practitioners should be clear as to what information they are collecting and why, as most health and safety policies and process documents already are.
Sensitive personal data
It is easy to see how ‘sensitive personal data’ could be collected by way of managing health and safety; particularly the health records associated with surveillance and occupational health regimes. Given the progress made in assessing and managing the health and wellbeing of employees, it would be wrong for practitioners to use the GDPR as an excuse to retreat.
In order to process this data, one of the bases of processing (as above) should be identified. This should not be a difficult task given the importance of health monitoring in a variety of industries. The second stage is to find a particular condition that allows the processing of this extra-sensitive data. In the current scenario, the GDPR provides great assistance, with one particular category being that:
“Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee…”
Not only does the GDPR require a lawful basis for the collection and use of personal data, it also calls for transparency. Individuals have the right to be informed about the collection and use of their personal data, and when this changes. Clear and transparent health and safety policies should achieve the requirement to ‘inform’.
Whilst previously employers may have relied upon a consent clause in the employment contract, genuine, stand-alone consent is now required and this will likely be achieved through the use of a privacy notice issued when employment commences. Health and safety practitioners may want to incorporate reference to this in the induction process.
According to the storage limitation principle in the GDPR, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. An organisation that properly reviews its documentation, such as regularly reviewing training records and competencies, should not require any significant changes. Good safety management requires practitioners to be ‘on top’ of their records and to prevent lapsed assessments and superseded documents from languishing in archives.
Set out below is a non-exhaustive list of suggested retention periods for common types of personal data held. Although personal data may be held for longer periods, sufficient justification for doing so (such as an ongoing criminal prosecution) is required.
Health and Safety Incidents
Following any health and safety incident, it is standard practice to conduct an investigation to understand what happened, and how future incidents may be prevented. We do not consider that reference to personal data as part of that investigation will incur the wrath of the Information Commissioner.
Equally, the legal requirement to submit a RIDDOR report and comply with a formal document request from the HSE (under section 20 of the Health and Safety at Work etc Act 1974) will subvert any criticism that data is not being handled properly.
Health and safety professionals do need to consider, however, how their investigation reports are disseminated. If there is reference to personal data within an investigation report then practitioners should consider whether that data can be removed or restricted before any report is circulated around a business or provided to an insurer. Anonymisation through an easily identifiable key should also be viewed with caution.
It is often the case that the facts and learnings of an incident are more important than the identity of the individual(s) concerned. If it is necessary to share personal data as part of an investigation, recipients should be reminded to treat it appropriately and destroy it when no longer required.
The furore and publicity surrounding GDPR is akin to that experienced during the introduction of the Sentencing Council’s Guideline for sentencing health and safety offences in February 2016. However, two years on from the Guideline, those organisations who already had a structured and transparent approach to health and safety management had little to fear. The same should be said of GDPR which really should be a reminder to organisations to reconsider their existing obligations under domestic data protection law.
Eversheds Sutherland is listed as a tier 1 law firm for health and safety advice in all the major legal directories. Phil Crosbie is a Principal Associate in the Leeds office.