ballyclover  
#1 Posted : 12 April 2018 12:04:46(UTC)
Rank: Forum user
ballyclover

I know that GDPR has been discussed already but this is slightly different.

Working through our systems it has highlighted the fact that the person who fills in the accident book could have access to personnel data. (if 1st aider does it).

So on a side note to this it has been decided that the way incidents are recorded will be changed and I just want people's opinion.

All incidents will be recorded, basically anything from a paper cut to more serious incidents. First aiders will now record the incident on a spreadsheet, which will only contain basic information: name, incident, treatment.

This will then be passed to the Health and Safety Manager who will decide if the incident merits entry into the accident book. If it does he alone will interview the injured party and enter all personnel details into the accident book, to protect that data in line with GDPR policy. He will also decide if further investigations are required. That record will only be stored as electronic data and placed on a limited access secure location.

All paper copies will be shredded.

Accidents deemed minor will be added to a spreadsheet again with basic information and kept for a period of time. This information will be used for internal statistical studies.

So my question is what do you all think? Are there any downsides to this suggestion?

Thanks in advance

Kate  
#2 Posted : 12 April 2018 14:14:21(UTC)
Rank: Super forum user
Kate

What sort of accident book have you got?

Modern off-the-shelf accident books contain forms which you pull out when each is complete to take for further investigation and to end up in secure storage, so that someone filling in the book doesn't see the previous records.

ballyclover  
#3 Posted : 13 April 2018 07:13:03(UTC)
Rank: Forum user
ballyclover

We use the book as described. However, we don't want the 1st aider who fills the book in to be privy to any personnel data, other than name and incident.

Blackburn31728  
#4 Posted : 13 April 2018 07:27:28(UTC)
Rank: Forum user
Blackburn31728

Methinks you are looking too hard at this. A person has to be given some sort of responsibility; as a supervisor he should know about GDPR and the rules, and the accident book named is fine as long as he secures the information on the back side of it. Otherwise what do HR do, and all their info? Someone somewhere has to see personnel details; it's all about keeping it safe and secure.

thanks 1 user thanked Blackburn31728 for this useful post.
DavidGault on 13/04/2018(UTC)
Roundtuit  
#5 Posted : 13 April 2018 08:16:01(UTC)
Rank: Super forum user
Roundtuit

Agree that you seem to be taking the handling of "Personal Information" to an unintended extreme.

The mere fact that a First Aider has administered treatment makes them privy to information about the individual, as would any witness to the causational incident.

Are you also intending to wipe the memory of First-Aiders and witness(es)?

thanks 1 user thanked Roundtuit for this useful post.
DavidGault on 13/04/2018(UTC)
Kate  
#6 Posted : 13 April 2018 08:27:29(UTC)
Rank: Super forum user
Kate

Sorry, I misunderstood.  Thanks for clarifying.

I think you could make a lot of difficulties for yourself with this.  For example, if the injured person is a visitor, it may be difficult to get their details subsequently.

I can't believe it is the intention of GDPR to prevent this information being collected, you just need to manage it properly once you have. 

Also consider, a first aider is trusted to know all kinds of very sensitive information about an individual they treat, for example they may ask them about illnesses and medications.  They may also see some intimate things when treating an injury.  It doesn't seem too much in that context for them to ask the person's address and occupation.

thanks 1 user thanked Kate for this useful post.
DavidGault on 13/04/2018(UTC)
Hsquared14  
#7 Posted : 13 April 2018 12:08:02(UTC)
Rank: Super forum user
Hsquared14

I have read the guidance on GDPR and personal contact details such as address and telephone contact details are not classed as "sensitive personal information"  also there is a rule stated in the guidance that information gathered to comply with other legislation is not subject to the requirements.  There is a lot of hot air being spouted about GDPR (not on here I might add but in media hype mainly) and much of it is scaremongering and not accurate.  I would encourage everyone to access the guidance notes and read it properly for themselves.  GDPR does not inhibit data being collected for lawful and legal reasons, it is designed to prevent the unlawful use and sharing of sensitive personal information.

thanks 2 users thanked Hsquared14 for this useful post.
chris42 on 13/04/2018(UTC), georgiaredmayne on 16/04/2018(UTC)
chris42  
#8 Posted : 13 April 2018 12:49:13(UTC)
Rank: Super forum user
chris42

Agree with Hsquared14, it is worth a read for the points made.

Also, wouldn’t it be nice if some forward-thinking safety related institution produced some sort of guidance covering all types of potentially personal data us H&S practitioners may be involved with. Especially as the GDPR is not the nicest read, and it is easy to overreact.

Now where can we find one of those? Answers on a postcard.

thanks 1 user thanked chris42 for this useful post.
georgiaredmayne on 16/04/2018(UTC)
Roundtuit  
#9 Posted : 13 April 2018 14:10:41(UTC)
Rank: Super forum user
Roundtuit

...like the much anticipated definitive consensus on "RIDDOR or not"

stevedm  
#10 Posted : 14 April 2018 08:51:00(UTC)
Rank: Super forum user
stevedm

As part of the first aider's duties they will always be privy to personal data as part of history taking... GDPR aside... we make sure that any first aider we train or operate with has been trained in and signs a declaration on patient confidentiality for non-medical professionals, as part of their initial training/annual update.

If you want a copy let me know...

confined  
#11 Posted : 16 April 2018 10:51:24(UTC)
Rank: Forum user
confined

Couldn't agree more with what Hsquared states... Can anyone post any link to the guidance out there for us H&S personnel relating to GDPR?

JL  
#12 Posted : 16 April 2018 12:12:38(UTC)
Rank: Forum user
JL

There is a company out there with GDPR guidance for H&S managers, I've not looked at it yet but it may be a helpful link 

https://www.pro-sapien.com/resources/downloads/health-safety-gdpr-guide/

Hsquared14  
#13 Posted : 16 April 2018 12:20:37(UTC)
Rank: Super forum user
Hsquared14

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Here you go, everything you need is here.

thanks 1 user thanked Hsquared14 for this useful post.
Kate on 17/04/2018(UTC)
djupnorth  
#14 Posted : 16 April 2018 17:28:58(UTC)
Rank: Forum user
djupnorth

As a dual-qualified health and safety practitioner and solicitor I would certainly echo the advice above to read the ICO's guidance.

In short however, the GDPR does not greatly change the requirements of the Data Protection Act 1998 and in particular, it does not prevent the lawful gathering of personal information.  Lawful simply means that the information is gathered for one of the purposes set out in Article 6(1) and in the case of special category (currently sensitive personal) data also a condition in Article 9(2).

Importantly, before you ask for personal information you should make it clear to the individual why you need to collect that information and what you will do with it once you have collected it (unless they already know, e.g. because it is in a policy).  Where the information is needed to complete an accident book, prepare an accident report or report the incident to the HSE under RIDDOR, chances are you will be collecting that information lawfully. 

The key to compliance with GDPR is that you only collect the minimum information that is necessary to allow you to complete the task and that you collect it fairly and lawfully, i.e. don't deceive anybody.

What you must never do is obtain personal information for one purpose and then use it for another purpose without getting the individual's consent beforehand.

Once you have the information, you must keep it secure and only keep it for the minimum period of time necessary for the reason you collected it in the first place.  For example, in the case of completing an accident book entry this will generally be 3 years from the time the injury/illness is diagnosed (or for somebody under 18, three years from their 18th birthday).  Obviously there are different time periods for e.g. health surveillance records.

To summarise then, only gather information for a lawful purpose, gather only the minimum information necessary and always tell the individual why you are collecting that information and how it will be used, stored, used, etc.  Only keep information for as long as you need to (rather than want to) and keep it secure.  Never use a person's personal information for a purpose other than the one you collected it for in the first place.

I trust this helps.

DJ

thanks 2 users thanked djupnorth for this useful post.
Kate on 17/04/2018(UTC), sideshow on 18/04/2018(UTC)