Rank: Forum user 
|
I have a sitation where an employee has reported an injury, we have investigated etc and it has become a RIDDOR reportable but in the injury report the employee didn't give / first aider didn't ask for the home address or age. I have to get my RIDDOR report in to the HSE but without this information I can't submit the report (can I?) Our HR team were asked for the address and age and have gone into melt down why do I need this etc etc.... so they now want written authority to disclose the information from the employee before they give me it. Does anyone know where I can find legislation / guideance to stop them adding this into my injury reporting system? And if not what if the employee refuses?
|
|
|
|
|
|
Rank: Forum user 
|
may be incorrect but we put the work address as their address information if it isnt supplied on the accident form.
|
|
|
|
|
|
Rank: Super forum user 
|
RIDDOR is a legal requirement
RIDDOR reg 4 (2) Where any person at work is incapacitated for routine work for more than seven consecutive days (excluding the day of the accident) because of an injury resulting from an accident arising out of or in connection with that work, the responsible person must send a report to the relevant enforcing authority in an approved manner as soon as practicable and in any event within 15 days of the accident.
My bold to highlight and underline
The approved manner is the online form, which requires the personal contact details of the injured person. There is no choice in the matter even if the IP says no.
The IP’s address is required so the HSE can contact the employee away from work.
Chris
|
|
|
|
|
|
Rank: Super forum user 
|
I think you can submit the report without that information, for example if you were doing it for a member of the public you wouldn't necessarily know the address would you? You could include your company address for the time being, the HSE only wants the person's address so that they can contact them directly, if they come back to you about the incident then the HSE can ask HR for the address details, they have a warrant and can't be denied the information regardless of the Data Protection Act. However, I do think that your HR dept is being rather over protective. You are presumably in a position of authority within the organisation fulfilling the legal duties of the organisation, it should be enough for your HR team to know that you are doing that to grant you access to the information. Reassure them that you will not retain the information and will not mis-use the information.
|
|
|
|
|
|
Rank: Super forum user
|
Also the accident book :-
The Social Security (Claims and Payments) Regulations 1979
Schedule 4 PARTICULARS TO BE GIVEN OF ACCIDENTS (1) Full name, address and occupation of injured person; (2) Date and time of accident; (3) Place where accident happened; (4) Cause and nature of injury; (5) Name, address and occupation of person giving the notice, if other than the injured person.
Chris
|
|
|
|
|
|
Rank: Super forum user 
|
|
 1 user thanked Roundtuit for this useful post.
|
|
|
|
Rank: Super forum user 
|
Originally Posted by: Roundtuit 
Yes indeed. We're already working through the first stages of implementing GDPR and I've had our Head of IG saying that the new right to be forgotten will take precedence over H&S law. I don't agree (naturally) but I can see that the ramifications will be hotly debated. Room for lots of confusion until the dust clears,
John
|
1 user thanked jwk for this useful post.
|
|
|
|
Rank: Super forum user
|
Is this another one of those situations where the full implications of a decision haven't been thought through? I can see it being a legal minefield of consent forms and exemptions, opt ins and opt outs with no one's data being any better cared for or protected than before.
|
1 user thanked Hsquared14 for this useful post.
|
|
|
|
Rank: Super forum user
|
Originally Posted by: Hsquared14 Reassure them that you will not retain the information and will not mis-use the information.
I retain the information (at the moment at least) If as responsible person I make a submission I want a full record of what information was given.
Of course, the solution is easy:
Make HR be the ones responsible for RIDDOR reporting – watch the colour drain from their faces when they realise they will have to do something and make decisions. In my experience, they are not fond of doing either of those things :o)
|
|
|
|
|
|
Rank: Super forum user 
|
DPA section 35: "(1)Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court." http://www.legislation.gov.uk/ukpga/1998/29/section/35
So if RIDDOR requires it, you are allowed to disclose it.
|
|
|
|
|
|
Rank: Forum user
|
We don't rouinely submit perosnal addresses on RIDDOR reports we use the site address at which they work and live for their employment for the season. This has never been an issue raised by LA's or HSE they just need to be able to contact the injured party. We are undergoing a GDPR review at present and there has been no issue with submitting personal addresses or not submitting them as the information is only shared between limited parties e.g. H&S, HR and insurance. We have processes in place to prevent storage of personal data e.g we check employee medical reports etc. where required e.g. HAV but as H&S we don't store them HR do and we can refer to them when needed and our H&S acc investigation files are locked to only the H&S dept thus minimising accidental release. It is about minimising the sharing of data not banning sharing it altogether.
|
1 user thanked pip306 for this useful post.
|
|
|
|
Rank: Forum user
|
How about:
email the information commissioner's office &HSE local offices and ask them? put details of HR for reporting person, or witheld by hr for privacy on the address, or check up who your data controller is and get them to contact the ICO for a definitive answer (put correct details on the form). when hse ring, put them through to the HR person so that they can deal with the issue at a later time if need be, having recorded what they wanted to do, or suggest they refer to their employment lawyer contact to get advice or guidance in writing to evidence the decision made by the organisation.
apparently GDPR should be relatively similar to what we have now, just with bigger fines for transgression, so as such shouldn't be anything different. You could bypass hr anyway and just ask the person who had the accident to give you their details, as you will have a method of contacting them from doing the investigation,
Personally, I would fill the form in, print it and then redact the address and give a copy to HR and copy for your files, perhaps that addresses the issue for all parties as a compromise for dealing with data protection and availability of records.
Make sure you also have a mechanism for same thing when doing docs for insurers, as they will also need same for the accident/ potential future claim investigation.
Ask them what would they recommend you do instead of providing accurate information to the regulator.
Whilst HSE would suggest that they are able to deal with the lack of information, I would suggest that it's a direct challenge to their authourity and competence that is going to wind them up before they even get to site.
you could always ring the HSE local office and ask to speak to them about the issue and ask whether it's acceptable and make a note, then forward to HR. & email copy local contact at HSE if you have one.
|
|
|
|
|
|
Rank: Super forum user
|
Stuart,
the big change with GDPR will be a right to be forgotten; this is already giving our HR team kittens,
John
|
|
|
|
|
|
Rank: Forum user
|
I agree the idea of a right to be forgotten is a problem, don't really know how suitable and sufficient records will be maintained going forward, however there is an issue as occ health records are required to be held for for 40 years. I don't see HSE's desire for accurate records being over-ridden by GDPR personally, and until there is case law, it's going to be an ongoing issue. to me the case is active till it's settled (especially accident records), and whilst there is the potential litigation for civil claim, the records will be required.
At InfoSec, there was a discussion about records management (backups) and right to be forgotten. Personally, i'd say it's technically unachieveable to have backups gone through and although someone will probably win a case somewhere, reasonableness and achieveability have to come in somewhere. An organisation has to have the ability to protect information from device failure, and whilst there's campaigners out there who will insist on everything getting rid, I am sure that there will be a backlash from those who are the sensible, and say that it is entirely impracticable to remove data from archives on a person by person, case by case basis.
Personally, as I suggested, by submitting the accurate details, then redacting the relevant information and storing redacted, I think there's a sensible compromise, (ala card details storage in line with PCI-DSS), however, some lawyers in london with money to burn will argue till they are blue in the face that black is white and the ones with the best arguement/lawyer etc will set a precident.
Till then people will follow the ICO guidance as far as they can and see what happens. In terms of the original posting, the HR people will have the records of the person, and there has to be an accurate report to the HSE, as such, the process needs to be done and documented, then once completed someone can talk to lawyers, ICO, and HSE about "after may next year".
|
1 user thanked Stuart Smiles for this useful post.
|
|
|
|
Rank: Super forum user 
|
I just put the companies address and if they haven't filled in the age I put 99.
|
|
|
|
|
|
Rank: Super forum user
|
Of course, just thinking cynically for a moment, if the only way to contact an employee is via the company. The company will then know for sure the HSE is going to talk to the employee and apply appropriate pressure to keep quiet.
My understanding of the data protection act is that if an employee agrees you can past their personal details in 6 foot high letters on the side of a building. Therefore providing at employment start you are clear what you may do with their info and they agree, I fail to see a problem. Is there really a court that would find you at fault, for completing a legaly required document?
|
|
|
|
|
|
Rank: Super forum user
|
I just put 'Contact HR for further details' in address sections
|
|
|
|
|
|
Rank: Super forum user
|
Originally Posted by: chris42 My understanding of the data protection act is that if an employee agrees you can past their personal details in 6 foot high letters on the side of a building. Therefore providing at employment start you are clear what you may do with their info and they agree, I fail to see a problem.
Too many things are generalised at the start of employment (how many contracts require employees to "opt out" of the Working Time Directive then place the onus on the employee to come back if they are unhappy with the situation)
There is currently a discussion about presumed consent with NHS records passed to Google - I remember a letter many years ago about NHS national computerisation very badly worded "you must inform us if you do not wish us to handle your data in this manner" which was all well and good if you actually received the letter to be able to respond. Consent for anything should be willingly (without duress) and positivley given (without presumption)
|
|
|
|
|
|
Rank: Super forum user
|
The RIDDOR form supplied by the HSE does NOT specify home address so works address is as good because there is no specified legal requirement for the home address.
|
|
|
|
|
|
Rank: Super forum user
|
After making a report you can have a copy emailed to you. One from last year has the following boxes that were completed. In the section - About the injured person Injured Persons Name Injured persons Address Phone number Gender Age
What was their Occupation or Job title
Sorry, but they do ask for injured persons address amongst other things.
I still fail to see the problem in getting them to agree on the use of their information for this purpose at start of job, as we do for checking driving licences, paying them, next of kin etc. It’s not as if we or the HSE are going to give their details to the Prince of Nigeria to help him regain his title or help them claim PPI.
In a past job the Social security people asked for copies of the BI510 form so they could make sickness payments. I wonder how sympathetic they will be if the forms are not completed correctly. You can move one finger, then you can work is their motto isn’t it.
Chris
|
|
|
|
|
|
Rank: Super forum user
|
Not sure it matters to the HSE, in the days when you could call speak with them, I used to tell them I am putting the company address and didn't know the age and they completed the form for me. I still recieved the electronic version back. Where I work now we all sign a 'confidentality form' yet I am not even given names for accidents just initials and this is for employees and residents, at one time it would bother me now I just contactthe manager of the establishment and tell them they have the resonsibility to report under RIDDORand leave it at that. I keep all coorespondance and still have them from two years ago asking if they realised we worked for the same company. HR, the senior management or the CEO failed to step in so I leave it to them Now I'm not sure the HSE would even make the decision. I contacted them the other day for advice on an injury and was told that it was not for them to make the decision that was down to me, so I explained what happened and said "in that case I am not reporting it" he asked was that my decision and whne I said it was hge said "i wouldn't either" End of call.
|
|
|
|
|
|
Rank: Super forum user
|
Originally Posted by: chris42 I still fail to see the problem in getting them to agree on the use of their information for this purpose at start of job, as we do for checking driving licences, paying them, next of kin etc.
I still fail to see the problem full stop. The Data Protection Act itself says that the non-disclosure provisions within it don't apply to the situation - "Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court."
|
|
|
|
|
|
Rank: Super forum user
|
I have has this stuff before from HR departments. What you
need to do is to explain to them it is a statutory requirement that accidents
be reported to the HSE and it is statutory requirement that you supply the HSE
with the injured party’s home address. This is so that the HSE can contact the injured
employee directly if they decide to follow up the incident. Statutory
requirements trump date protection.
|
|
|
|
|
|
Rank: Super forum user
|
Do people really do it for data protection or because when working in acompany they leave it off once they have put the area the injury happened in and leave it at that, then someone has to chase them for the information.
|
|
|
|
|
|
Rank: Super forum user
|
HR do it for whatever reason HR exists-to make life difficult for everybody else mainly!
|
|
|
|
|
|
Rank: New forum user
|
Interesting so many different views and so many people trying to make it difficult.
All reportable accidents I would assume are being investigated by us so I would hope we have contact with the IP, therefore we can ask them directly for their address and permission to add it. If they are physically unable to provide us with the details because of the nature of their injuries then I would assume the matter may be taken out of our hands by LA/HSE or Police. But as quite rightly stated DPA is superceded by a legal requirement to share data.
The age issue as far as I remember its states on the form that if you don't know their age enter 99
|
|
|
|
|
|
Rank: Super forum user
|
Well what usually happens is I get the report of an injury related incident and I investigate. If the injured party is available I ask them about the incident, if not I ask colleagues and managers. I do not ask about a person’s age or their home address or other details because I don’t know if it going to be a RIDDOR (especially a 7 day RIDDOR). Then a week later I get called, such and such is still off making it a RIDDOR. So I traipse down to HR and start arguing about RIDDOR v DPA.
|
|
|
|
|
|
Rank: Super forum user
|
Extract from Regulation, my underlining to highlight. Seems this is not going to trump H&S in my opinion. REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) Article 88 Processing in the context of employment 1. Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship. Article 6 Lawfulness of processing 1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
|
|
|
|
|
|
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.