Welcome Guest! The IOSH forums are a free resource to both members and non-members. Login or register to use them

Postings made by forum users are personal opinions. IOSH is not responsible for the content or accuracy of any of the information contained in forum postings. Please carefully consider any advice you receive.

Notification

Icon
Error
Data Protection Act and H&S Info.
Options
Go to last post Go to first unread
Previous Topic Next Topic
NLivesey  
#1 Posted : 05 August 2014 11:26:18(UTC)
Rank: Forum user
NLivesey
Good morning learned colleagues... It's been a while since I've posted anything here but I've stumbled across a challenge that I'm hoping you good folk may have experience with.

I'm currently trying to do a review of accident data from a 5 year timescale but I've been informed that, whilst the general details (date, location, accident type, injury, etc) are available to me the one piece of info I'm being denied is the IP names. The reason being given is because this would be a breach of the data protection act.

I've got some familairity with DPA and it was my understanding that as long as info is maintained within the organisation (not shared with 3rd parties), is maintained in a secure/encrypted state and destroyed after use that would be compliant. However, I'm after some confidence that my interpretation of the act's requirements are correct. Anyone have any experience with it?

Cheers me dears.
Back to top
jwk  
#2 Posted : 05 August 2014 11:46:23(UTC)
Rank: Super forum user
jwk
I don't see why you can't have this data. For some uses it has to be encrypted yes, particularly if it's anything to do with the NHS, but we don't encrypt evertything as a matter of course. Somebody is being a bit over-zealous in their interpretation of the law, or they're not interpreting the law, just making it up as they go along.

An organisation can make use of accident/incident information for its own internal safety purposes without breaching data protection laws,

John
Back to top
Andrew W Walker  
#3 Posted : 05 August 2014 11:58:20(UTC)
Rank: Super forum user
Andrew W Walker
I agree with jwk.

I did a similar thing in a previous life and I will be doing the same here.

One thing we had was the name of the Supervisor who was in charge of the area at the time of the incident. All of the who, what, why, where and when were very useful.

I'd certainly push for all of the info you need if I were in your place.

Andy
Back to top
HSSnail  
#4 Posted : 05 August 2014 13:20:03(UTC)
Rank: Super forum user
HSSnail
NLivesey

You don't say what relationship you have with the company - if you are their safety manager or similar I agree with my colleagues, but if you are doing this review for some other reason, research paper, newspaper article etc then data protection may prevent you getting the names.
Back to top
johnmurray  
#5 Posted : 05 August 2014 15:08:32(UTC)
Rank: Super forum user
johnmurray
Why do you need the names?
If you are not the employer then you do not have any legal access.
The employer is bound by law.

http://tinyurl.com/oamvyzx
Back to top
johnmurray  
#6 Posted : 05 August 2014 15:14:51(UTC)
Rank: Super forum user
johnmurray
jwk wrote:
I don't see why you can't have this data. For some uses it has to be encrypted yes, particularly if it's anything to do with the NHS, but we don't encrypt evertything as a matter of course. Somebody is being a bit over-zealous in their interpretation of the law, or they're not interpreting the law, just making it up as they go along.

An organisation can make use of accident/incident information for its own internal safety purposes without breaching data protection laws,

John


A read of ICO guidance seems in order.
Back to top
Canopener  
#7 Posted : 05 August 2014 15:57:14(UTC)
Rank: Super forum user
Canopener
This is becoming a bit of a habit, but I have to agree with John in so far as why do you need the names. Surely this is largely irrelevant. Isn't it?

Crack on!
Back to top
Animax01  
#8 Posted : 06 August 2014 09:15:07(UTC)
Rank: Super forum user
Animax01
The only reason you might need the names is to see who has the most accidents and in which area. This may highlight certain trends, say a 6ft plus person keeps banging their head.

Otherwise, the trend analysis shouldn't need any more information than what you already have.
Back to top
A Kurdziel  
#9 Posted : 06 August 2014 10:38:57(UTC)
Rank: Super forum user
A Kurdziel
In our place I collect the incident information so I know the names of the people who have accidents etc. I produce reports based on this information which is circulated to management and the TUS at for example the H&S committee. This is anonymised; we never mention names when discussing accidents/incidents in the committee. On the other hand the person’s line management are allowed to know what is going on as they are the ones who will be sorting things out after the event.
So the question is why do you need personal information if all you are doing is a review?
Back to top
jwk  
#10 Posted : 07 August 2014 13:03:06(UTC)
Rank: Super forum user
jwk
JohnMurray wrote:
A read of ICO guidance seems in order.


Read it John; it is replete with words like practical etc, and it distinguishes between injury records and accident records.

There can be good safety management raesons for needing names; in social care settings using somebody's name can be the means by which their care plan can be changed when a need is identified.

At my former employers we used an electronic system which meets NHS Infomation Governance standard and complies with ICO guidance. We collected names (behind password protection), and although reports for wider circulation were always anonymised, they could be made available where there was a need.

It's right to question why you need names, but in my view safety trumps confidentiality every day,

John
Back to top
johnmurray  
#11 Posted : 07 August 2014 15:08:39(UTC)
Rank: Super forum user
johnmurray
That would be your view. Inevitably incorrect.
Each 'case' will be different. In a medical setting, where information sharing may be a lifesaver, it may well be necessary to divulge information many times more confidential than in industrial "safety". My personal view, having noted many, many times the cavalier approach to data confidentiality adopted by many commercial organisations (including one that leaked a woman's absence from work as being due to her having an abortion to her workmates) is that unless data, including names, is absolutely necessary for protection, it should not be divulged.
If bosses don't like that; I should care?
With respect: medical confidentiality operates to a much higher degree than commercial data protection.
Although recent legislation re medical/social-care. seems designed to widely disperse information.
Back to top
jwk  
#12 Posted : 08 August 2014 09:51:51(UTC)
Rank: Super forum user
jwk
John,

We are currently investigating a chain of similar incidents which have affected one particular person; should we not be doing this?

Nobody is talking about a cavalier attitude to data, and you conflate inernal, legitimate data use with external leaks. Data is sensitive certainly, but for internal use there's no need to hide anything from those with a legitimate need to know,

John
Back to top
Users browsing this topic
Guest (2)
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Powered by YAF.NET | YAF.NET © 2003-2025, Yet Another Forum.NET