I have a sitation where an employee has reported an injury, we have investigated etc and it has become a RIDDOR reportable but in the injury report the employee didn't give / first aider didn't ask for the home address or age. 

I have to get my RIDDOR report in to the HSE but without this information I can't submit the report (can I?) 

Our HR team were asked for the address and age and have gone into melt down why do I need this etc etc.... so they now want written authority to disclose the information from the employee before they give me it. 

Does anyone know where I can find legislation / guideance to stop them adding this into my injury reporting system?

And if not what if the employee refuses?

RIDDOR is a legal requirement

RIDDOR reg 4 (2) Where any person at work is incapacitated for routine work for more than seven consecutive days (excluding the day of the accident) because of an injury resulting from an accident arising out of or in connection with that work, the responsible person must send a report to the relevant enforcing authority in an approved manner as soon as practicable and in any event within 15 days of the accident.

My bold to highlight and underline

The approved manner is the online form, which requires the personal contact details of the injured person. There is no choice in the matter even if the IP says no.

The IP’s address is required so the HSE can contact the employee away from work.

Chris

Also the accident book :-

The Social Security (Claims and Payments) Regulations 1979

Schedule 4 PARTICULARS TO BE GIVEN OF ACCIDENTS

(1) Full name, address and occupation of injured person;

(2) Date and time of accident;

(3) Place where accident happened;

(4) Cause and nature of injury;

(5) Name, address and occupation of person giving the notice, if other than the injured person.

Chris

I can see this situation worsening when the General Data Protection Regulation kicks in

https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

Is this another one of those situations where the full implications of a decision haven't been thought through?  I can see it being a legal minefield of consent forms and exemptions, opt ins and opt outs with no one's data being any better cared for or protected than before.

DPA section 35: "(1)Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court."

http://www.legislation.gov.uk/ukpga/1998/29/section/35

So if RIDDOR requires it, you are allowed to disclose it.

How about: 

email the information commissioner's office &HSE local offices and ask them? 

put details of HR for reporting person, or witheld by hr for privacy on the address, or check up who your data controller is and get them to contact the ICO for a definitive answer (put correct details on the form). 

when hse ring, put them through to the HR person so that they can deal with the issue at a later time if need be, having recorded what they wanted to do, or suggest they refer to their employment lawyer contact to get advice or guidance in writing to evidence the decision made by the organisation.

apparently GDPR should be relatively similar to what we have now, just with bigger fines for transgression, so as such shouldn't be anything different.   

You could bypass hr anyway and just ask the person who had the accident to give you their details, as you will have a method of contacting them from doing the investigation,

Personally, 

I would fill the form in, print it and then redact the address and give a copy to HR and copy for your files, perhaps that addresses the issue for all parties as a compromise for dealing with data protection and availability of records. 

Make sure you also have a mechanism for same thing when doing docs for insurers, as they will also need same for the accident/ potential future claim investigation. 

Ask them what would they recommend you do instead of providing accurate information to the regulator.

Whilst HSE would suggest that they are able to deal with the lack of information, I would suggest that it's a direct challenge to their authourity and competence that is going to wind them up before they even get to site. 

you could always ring the HSE local office and ask to speak to them about the issue and ask whether it's acceptable and make a note, then forward to HR. & email copy local contact at HSE if you have one. 

I agree the idea of a right to be forgotten is a problem, don't really know how suitable and sufficient records will be maintained going forward, however there is an issue as occ health records are required to be held for for 40 years. I don't see HSE's desire for accurate records being over-ridden by GDPR personally, and until there is case law, it's going to be an ongoing issue. 

to me the case is active till it's settled (especially accident records), and whilst there is the potential litigation for civil claim, the records will be required. 

At InfoSec, there was a discussion about records management (backups) and right to be forgotten. Personally, i'd say it's technically unachieveable to have backups gone through and although someone will probably win a case somewhere, reasonableness and achieveability have to come in somewhere. An organisation has to have the ability to protect information from device failure, and whilst there's campaigners out there who will insist on everything getting rid, I am sure that there will be a backlash from those who are the sensible, and say that it is entirely impracticable to remove data from archives on a person by person, case by case basis.

Personally, as I suggested, by submitting the accurate details, then redacting the relevant information and storing redacted, I think there's a sensible compromise, (ala card details storage in line with PCI-DSS), however, some lawyers in london with money to burn will argue till they are blue in the face that black is white and the ones with the best arguement/lawyer etc will set a precident. 

Till then people will follow the ICO guidance as far as they can and see what happens.  

In terms of the original posting, the HR people will have the records of the person, and there has to be an accurate report to the HSE, as such, the process needs to be done and documented, then once completed someone can talk to lawyers, ICO, and HSE about "after may next year".

Of course, just thinking cynically for a moment, if the only way to contact an employee is via the company. The company will then know for sure the HSE is going to talk to the employee and apply appropriate pressure to keep quiet.

My understanding of the data protection act is that if an employee agrees you can past their personal details in 6 foot high letters on the side of a building. Therefore providing at employment start you are clear what you may do with their info and they agree, I fail to see a problem.

Is there really a court that would find you at fault, for completing a legaly required document?

Originally Posted by: chris42

My understanding of the data protection act is that if an employee agrees you can past their personal details in 6 foot high letters on the side of a building. Therefore providing at employment start you are clear what you may do with their info and they agree, I fail to see a problem.

Too many things are generalised at the start of employment (how many contracts require employees to "opt out" of the Working Time Directive then place the onus on the employee to come back if they are unhappy with the situation)

There is currently a discussion about presumed consent with NHS records passed to Google - I remember a letter many years ago about NHS national computerisation very badly worded "you must inform us if you do not wish us to handle your data in this manner" which was all well and good if you actually received the letter to be able to respond.

Consent for anything should be willingly (without duress) and positivley given (without presumption)

The RIDDOR form supplied by the HSE does NOT specify home address so works address is as good because  there is no specified legal requirement for the home address.

Not sure it matters to the HSE, in the days when you could call speak with them, I used to tell them I am putting the company address and didn't know the age and they completed the form for me. I still recieved the electronic version back.

Where I work now we all sign a 'confidentality form' yet I am not even given names for accidents just initials and this is for employees and residents, at one time it would bother me now I just contactthe manager of the establishment and tell them they have the resonsibility to report under RIDDORand leave it at that. I keep all coorespondance and still have them from two years ago asking if they realised we worked for the same company. HR, the senior management or the CEO failed to step in so I leave it to them

Now I'm not sure the HSE would even make the decision. I contacted them the other day for advice on an injury and was told that it was not for them to make the decision that was down to me, so I explained what happened and said "in that case I am not reporting it" he asked was that my decision and whne I said it was hge said "i wouldn't either"

End of call.

I have has this stuff before from HR departments. What you need to do is to explain to them it is a statutory requirement that accidents be reported to the HSE and it is statutory requirement that you supply the HSE with the injured party’s home address. This is so that the HSE can contact the injured employee directly if they decide to follow up the incident. Statutory requirements trump date protection.

 HR do it for whatever reason HR exists-to make life difficult for everybody else mainly!

Well what usually happens is I get the report of an injury related incident and I investigate. If the injured party is available I ask them about the incident, if not I ask colleagues and managers.  I do not ask about a person’s age or their home address or other details because I don’t know if it going to be a RIDDOR (especially a 7 day RIDDOR). Then a week later I get called, such and such is still off making it a RIDDOR. So I traipse down to HR and start arguing about RIDDOR v DPA.