Postings made by forum users are personal opinions. IOSH is not responsible for the content or accuracy of any of the information contained in forum postings. Please carefully consider any advice you receive.

Paul Watson  
#1 Posted : 28 February 2018 14:26:24(UTC)
Rank: New forum user
Paul Watson

Hi All.

I am not a frequent forum user so apologies if I do not follow protocol.

My colleagues and I have been trying to update ourselves on implications of the General Data Protection Regulation (GDPR) that is due to take effect very soon. We have been able to gain a reasonable understanding of what is needed, however how this impacts on the H&S data related processes and procedures is not really covered in the main info websites.

If we are trying to consider the impact that the GDPR will have on capturing, using, keeping data in relation to the following records

  • First aid
  • Accidents, incidents
  • Litigation defence information of both suspected future claims and current claims
  • CCTV footage that may support future defence of litigation  
  • Communications with insurers where exchange of data is required
  • Health surveillance
  • Training

 

Can anyone please help/advise accordingly?

Does anyone know of any exemptions where H&S legislation trumps the requirements of GDPR or have any information sources that can be shared so I know where to look to research the impact of GDPR on H&S.

I already looked at the GDPR and Health & Safety: A Guide For HSE Professionals ( https://www.pro-sapien.com/wp-content/uploads/2017/12/GDPR-and-Health-and-Safety_A-Guide-For-HSE-Professionals.pdf ), but I have not found this to be very helpful.

Thank you

Paul Watson

confined  
#2 Posted : 05 March 2018 14:59:31(UTC)
Rank: Forum user
confined

Anyone ?

I am really interested to know more about this topic?

Cheers

A Kurdziel  
#3 Posted : 05 March 2018 15:27:22(UTC)
Rank: Super forum user
A Kurdziel

So we can’t keep any records and Health and Safety is reduced to a theoretical exercise - well no, that is not the case. It is still acceptable to keep personal records on people and to process them as long as this is done correctly. There has to be a clear policy how this will be done and named individuals (the controller etc) will be responsible for ensuring that it is correctly managed.

The justifications for collecting and processing data will be any one of the following:

  • They have consented to the processing of personal data. So it could be written into their contract of employment that HR hold personal information, so that they can get paid, that there is someone to contact at home if they have an accident at work, that they have completed certain types of training, that they have had an accident etc.

Even if they have not given specific consent (which is nice to have since it is clear cut) there are these other justifications which might be generally relevant:

  • The data held is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
  • The data held is necessary for compliance with a legal obligation to which the controller is subject, eg they need to give personal details to the HSE when reporting under RIDDOR
  • The data held is necessary to protect the vital interests of the data subject or of another natural person eg health surveillance data

So ideally get explicit consent but you can fall back on these other justifications.

Other things to note:

  • it might be necessary to anonymise some data for example accident reports at H&S committee meetings
  • anybody can ask what data you have on them and generally you need to show it to them so no more sarcastic comments on accident reports!
  • You have to have a policy of disposing of data that is no longer relevant - those 20 year old DSE assessments can go!
thanks 5 users thanked A Kurdziel for this useful post.
Martin Brogan on 05/03/2018(UTC), Kate on 05/03/2018(UTC), jakatac1@gmail.com on 05/03/2018(UTC), Paul Watson on 06/03/2018(UTC), SDJ on 06/03/2018(UTC)
toe  
#4 Posted : 05 March 2018 22:40:57(UTC)
Rank: Super forum user
toe

Originally Posted by: Paul Watson

Does anyone know of any exemptions where H&S legislation trumps the requirements of GDPR or have any information sources that can be shared so I know where to look to research the impact of GDPR on H&S.

Where there is a legal requirement to keep records these will always trump the GDPR. E.g. accident/incident records, investigation records, RIDDOR reports, OCC health records, insurance documents, tax records, medical records, lease agreements, legal contracts, accusations of abuse, wills, etc…

IMHO I think that all H&S records should be kept for a minimum of 3 years, for the potential of a civil claim occurring.

What is of interest though, is the ‘right to be forgotten’.

thanks 1 user thanked toe for this useful post.
Paul Watson on 06/03/2018(UTC)
Hsquared14  
#5 Posted : 06 March 2018 09:05:13(UTC)
Rank: Super forum user
Hsquared14

There really isn't much change from the current situation really.  It is more about additional transparency about what records and information will be kept and who will have access to it.  Where there is a legal requirement to keep records the GDPR will govern the security of the data and how it is communicated with other people.  Read the Data Sharing Guide for more information.  People are getting really uptight about this but the changes are minimal so no one who already takes care of their data should really have any cause for concern.

https://ico.org.uk/media/for-organisations/documents/1068/data_sharing_code_of_practice.pdf

thanks 1 user thanked Hsquared14 for this useful post.
toe on 13/03/2018(UTC)
chris42  
#6 Posted : 13 March 2018 15:34:00(UTC)
Rank: Super forum user
chris42

Originally Posted by: Paul Watson

We have been able to gain a reasonable understanding of what is needed, however how this impacts on the H&S data related processes and procedures is not really covered in the main info websites.

If we are trying to consider the impact that the GDPR will have on capturing, using, keeping data in relation to the following records

  • First aid
  • Accidents, incidents
  • Litigation defence information of both suspected future claims and current claims
  • CCTV footage that may support future defence of litigation  
  • Communications with insurers where exchange of data is required
  • Health surveillance
  • Training

 

Can anyone please help/advise accordingly?

Does anyone know of any exemptions where H&S legislation trumps the requirements of GDPR or have any information sources that can be shared so I know where to look to research the impact of GDPR on H&S.

I already looked at the GDPR and Health & Safety: A Guide For HSE Professionals ( https://www.pro-sapien.com/wp-content/uploads/2017/12/GDPR-and-Health-and-Safety_A-Guide-For-HSE-Professionals.pdf ), but I have not found this to be very helpful.

Thank you

Paul Watson

To be honest I had hoped that IOSH would have produced something for its members to help defend the need to keep records relating to the items you list.

It is I think easy to foresee that many H&S people will end up at loggerheads with HR and IT departments.

I agree, that link you provided is not the best help, and again easy to see the company that produced it is in the electronic data industry.

Chris

thanks 2 users thanked chris42 for this useful post.
A Kurdziel on 13/03/2018(UTC), PH2 on 14/03/2018(UTC)
pip306  
#7 Posted : 16 March 2018 14:27:45(UTC)
Rank: Forum user
pip306

We have a GDPR team who we have worked with regarding our H&S data and GDPR. Basically in simple terms you need to demonstrate that the data is secure and controlled and not retained for periods longer than legally required and that if you collect personal data for health surveillance, DSE etc that a privacy wording is added explaining that the data is legally required to be collected but it will be stored securely etc etc. Any data you hold which could be medical or refer to health condition is special category data whether H&S legislation applies or not. If you send data out to third parties e.g. medicals, health surveillance etc you need to be able to ensure they handle the data correctly as well as yourself and there are secure means of sending it to and fro. GDPR has not stopped us doing anything we did before. There should be no reason for arguments or changes in what you keep if it is stored, obtained and disposed of correctly.

Edited by user 16 March 2018 14:29:28(UTC)  | Reason: spelling

wjp62  
#8 Posted : 16 March 2018 15:08:10(UTC)
Rank: Forum user
wjp62

It's a bit worrying when you see the following in the GDPR and Health & Safety: A Guide For HSE Professionals.....

"By its very nature, and in fact through HSE legislation, these records need to be maintained for a minimum of 40 years or more (Figure 1). There are, as you will be aware, specific requirements under the Control of Asbestos at Work Regulations 1987 and the Control of Substances Hazardous to Health Regulations 1988".

A Kurdziel  
#9 Posted : 16 March 2018 15:23:35(UTC)
Rank: Super forum user
A Kurdziel

Originally Posted by: wjp62

It's a bit worrying when you see the following in the GDPR and Health & Safety: A Guide For HSE Professionals.....

"By its very nature, and in fact through HSE legislation, these records need to be maintained for a minimum of 40 years or more (Figure 1). There are, as you will be aware, specific requirements under the Control of Asbestos at Work Regulations 1987 and the Control of Substances Hazardous to Health Regulations 1988".

Don’t forget the bit on RIDDOR that comes from Magna Carta!

thanks 1 user thanked A Kurdziel for this useful post.
Roundtuit on 16/03/2018(UTC)