Paul911  
#1 Posted : 04 September 2018 11:17:26(UTC)
Rank: Forum user
Paul911

Hi All,

Has anyone amended their report forms to make allowances for sensitive data and the form being shared with legal representatives and insurers to cover themselves under GDPR or are the reasons for collecting the data considered reasonable enough cause as not to do so?

Many thanks

A Kurdziel  
#2 Posted : 04 September 2018 13:26:11(UTC)
Rank: Super forum user
A Kurdziel

Depends on which actual data is being collected and what it is being used for.

Obviously you need to have the names of people involved but if the report is being discussed at an H&S committee for example then this needs to be removed.

We put in the name and contact details for the injured party as if it is a RIDDOR the HSE want this information.

You really need to decide what you actually need and what other stakeholders need. For example what do your insurers need (not want; need)?

Waz  
#3 Posted : 04 September 2018 16:15:52(UTC)
Rank: Forum user
Waz

GDPR is related to 'Personal Data' that can identify an individual. What you need to do, is identify in your data register what you have, why you have it e.g. reason (which is one of 6 - for RIDDOR it's 'legal') e.g.

What is the Data Held - e.g. Injured Party (Name) 

Purpose of Collecting Data - 

Lawful Basis for Collecting Data - e.g. Legal Requirement (weakest reason is consent as it can be removed)

Then you need to identify where it is kept, what the security measures are and how long you are keeping it, what is the source of information e.g. IP, has the employee given express consent and security measures.

Roundtuit  
#4 Posted : 04 September 2018 18:48:02(UTC)
Rank: Super forum user
Roundtuit

Remember the last revision of the BI510 "Accident Book" tried to cover the first pass of data protection - i.e. the IP's consent to have non-anonymised form data shared with those with legitimate interest e.g. Safety Representatives.

A recent post asked about the "signature" of the IP

http://forum.iosh.co.uk/posts/t127007-Signing-The-Accident-Book

"Legal" rights to hold data are not the same as the right to disseminate data

chris42  
#6 Posted : 05 September 2018 08:27:21(UTC)
Rank: Super forum user
chris42

In the real world you sit in the H&S committee meeting with employee representatives and you refer to the IP having a fall or broken finger or something and they instantly say the person's name!

 

They all know perfectly well who the person who scalded themselves with hot coffee was, as they have been taking the £!$$ out of them along with everyone else for the last few days.

 

If you have your representatives set up correctly so they represent a particular team then they know who it is when you say IP. There is no need for anyone to see actual BI510 forms other than HSE or Social security people and possibly you if you need to visit to do your investigation. (regardless of permissions I always ask if it is ok first if I need to do that or ask if I can interview over the phone). It would have to be a significant injury to require me to do this and I believe the IP expect someone to do this (and from experience of this almost seem glad someone wants to hear their side of events).

 

Chris

pseudonym  
#7 Posted : 05 September 2018 09:28:16(UTC)
Rank: Forum user
pseudonym

Then again, what if there is an injury to a third party (or member of the public)? In multi-occupancy sites, such as ports and shopping centres for example it is easy to envisage a scenario where a name and details etc can be circulated through several organisations after an accident. 

I didn't get a clear answer on data protection issues when I raised this point a few years ago when I worked somewhere like this - with GDPR hitting the headlines so  much recently Joe Public is more aware these days and perhaps more likely to raise the question themselves?

Paul911  
#8 Posted : 07 September 2018 10:52:34(UTC)
Rank: Forum user
Paul911

I think the issue for me is simply that due to the fact that we are collecting all the information necessary on every IR (as they all have potential to become a RIDDOR for argument's sake) and we are only sharing this information with our insurers and legal teams who all have to be aware of addresses etc. in order to be able to contact and verify those that subsequently turn claims, then it is my belief that we have legitimate reasons for collecting all of that data without adding additional small print to the IR.

Unless any of you tell me differently that is.

Good week to all!

 

pseudonym  
#9 Posted : 07 September 2018 11:31:48(UTC)
Rank: Forum user
pseudonym

I agree, your legal people and insurers are amongst those who probably need to know the details of incidents, but back when I worked in a multi-occupancy / user site (I'm trying not to let on where it was) my concern was how easily and quickly details could get circulated - always with good intentions - to all the attendees of the daily operations meeting - at which you would typically have cleaning contractor rep, security contractor rep, site owners, franchise operators & retail and possibly police / emergency services (depending on what was going on).

A first aider collecting Mrs Smith's age, address and the 'fact' that she has diabetes and had been drinking that morning when she slipped / tripped / fell over, can very quickly be shared amongst half a dozen organizations - some of whom may then pass the info up their reporting structures for their own reasons.

Like I said, never got a straight answer on data protection implications, but it did make me uneasy

Hsquared14  
#10 Posted : 09 September 2018 19:26:17(UTC)
Rank: Super forum user
Hsquared14

Please read the guidance on the website of the Information Commissioner's Office. You will see from the guide that GDPR does not apply to information collected to fulfil another legal requirement and that H&S Law takes precedence. In addition this information is not classed as "sensitive" personal information so the rules are not as strict. It's all there in the guidance but sadly people are not reading it but are relying on hearsay and scaremongering articles which are not entirely accurate.

pseudonym  
#11 Posted : 10 September 2018 07:05:24(UTC)
Rank: Forum user
pseudonym

I don't dispute that the collection of data is a legal requirement, and therefore the investigator is entitled to collect it, my concern (which predates GDPR) is that often the collected information is then 'shared' (OK, sometimes in verbal report to an Operations Team) with no consent given for name and address, age, medical conditions and possibly (in the example of ports, railway stations, etc) travel plans to be shared with the duty manager of WH Smiths and Boots .. .. That's what I'm bothered about.

Hsquared14  
#12 Posted : 10 September 2018 11:54:51(UTC)
Rank: Super forum user
Hsquared14

That's a different question - if you are sharing data then you either need consent or share it anonymously! Again read the guidance and all will become clear!