Hi all, I have a query around taking pictures for accident reports; my opinion is that taking pictures of an accident forms a vital part about how an accident may have occurred, what may have been involved, what the environment was like at the time etc and for claim defense purposes, understand just how significant (or not) the accident may be at the time. From what I've read on the DPA (2018) and GDPR (2018), picture taking - from my interpretation, and this is where I'd like some clarity - seems fine as long as it's processed lawfully, it has a legitimate purpose, it's relevant and as long as you have consent of the person at the time etc. Is this correct or have I misinterpreted? If I am right, the other issue is, can you only take said pictures on a company-owned device as opposed to a personal device (i.e. a company camera, rather than a personal mobile phone)? My intention would be to gain the persons' consent, explain to them why I am taking it (i.e. for accident investigation purposes), hold a copy electronically (for future use, if required) and then delete the version held on the camera. Can anyone advise whether this would be acceptable? I hope all that makes sense. Thanks. 

Most of the pictures I take regarding accident investigations do not include people in them. When taking pictures of body parts, arms, legs, limbs, cuts, burns etc, I do not include the persons face.

I don’t think the device the picture is taken on has any bearing on the legislation.

Note 1: If you decide to go down the route of consent, it must be written and the person can withdraw the consent at any time.

Note 2: Other pieces of legislation may trump GPDR e.g. HSAWA 1974. However, there is only one requirement in H&S Law that I know of regarding accident (or incident) investigation and therefore you may not have a legitimate reason to take a photo of a person without their consent (unless in a public place) for accident investigation purposes.

Edited by user 21 September 2018 14:13:41(UTC)  | Reason: Not specified

Just to add – your right, if investigating an accident/incident GPDR applies because there is often no legal reason to investigate accidents/incidents.

However, if there is a claim or intimation of a claim against the organisation or you are legally investigating or reviewing, then GPDR does not apply. For example, the subject may not have a right to see their data and/or information relating to them and they do not have the right to be forgotten.

There is guidance in HSG 264 http://www.hse.gov.uk/pubns/hsg245.pdf "Investigating accidents and incidents" pg 7 - reproduced below.

Legal reasons for investigating

• To ensure you are operating your organisation within the law.
• The Management of Health and Safety at Work Regulations 1999, regulation 5, requires employers to plan, organise, control, monitor and review their health and safety arrangements. Health and safety investigations form an essential part of this process.
• Following the Woolf Report6 on civil action, you are expected to make full disclosure of the circumstances of an accident to the injured parties considering legal action. The fear of litigation may make you think it is better not to investigate, but you can’t make things better if you don’t know what went wrong! The fact that you thoroughly investigated an accident and took remedial action to prevent further accidents would demonstrate to a court that your company has a positive attitude to health and safety. Your investigation findings will also provide essential information for your insurers in the event of a claim.

Speaking of keeping personal data safe on my daily commute I looked across the table on the train and I could see some lawyer person going over her paper work for a legal case. I could clearly see the name of the claimant (which I will keep confidential) and the name of the defendant (a Chief Constable of a Police Force (you have 42 to choose from!). Apparently none of this stuff is confidential.  When I was a civil servant, I had it drummed into me that you were not to work on any papers on the train which had names or any sort of other sensitive information.

So here we are worrying about photos relating to a possibly minor accident and what looks like big stuff is being shown to all and sundry. Makes you think- mainly that I am in the wrong profession and if you are well paid enough you can get away with murder! (Metaphorically only!)

Originally Posted by: Waz

Under GDPR consider what you are using and why e.g. personal digital camera was lost which included a memory card containing the passport images of six contractors/employees. Does that camera in question support encryption?  If not, additional technical and organisational measures should be put in place to militate against the loss or theft of the camera or memory card.

Sorry? If there are images on a "found" camera they are not linked to an identifiable individual (unless it is like a police mug shot with booking number and name present) - there are many SM postings proving those present in images can remain unidentified for years when cameras and data cards are found. Whilst many miss-guided organisations suspended access to web sites (because they did not understand GDPR) there was no rush of new manufacturer cameras to the EU market claiming data encryption compliance to GDPR.

And if we are going down the route of data transfer how many now use their company issued mobile phone camera for such purposes? how many are on Apple or Android? and how many have remembered to STOP the phones operating system automatically storing photographs to the "cloud"? and how many can be sure even if they selected disable cloud storage the operating system isn't carrying on regardless?

Get over the paranoia - if I am involved in a car crash I WILL photograph the scene (including any passers by) and if I feel suspicious I will also photograph the other drivers & their passengers so that they ARE identifiable in the event of dispute and litigation. Here again my dash-cam does not discriminate what it records, how it records it, how it does not encrypt it and the fact the manufacturer has not rushed out a "GDPR compliant" unit.

GDPR does not place any truly significant new burdens - it merely corrects certain omissions that loophole lawyers had exploited.

So for accidents take pictures of the scene, take pictures of the injury just remember to treat them with the same confidentiallity as you had before GDPR arrived.

Edited by user 26 September 2018 22:06:13(UTC)  | Reason: FFS

I never said you should not investigate accidents.  I have said (ad nauseum) that they is no specific legal requirement to investigate accidents. By that I mean that no legislation ( as opposed to guidance or standard)  says “all accidents at work must be investigated” and as a corollary to that “if you do not investigate accidents at work you are liable to fine not exceeding level 1 on the standard scale” or whatever. It is implied that investigations should take, so that you can review your risk assessment etc but nothing is spelt out.   If you sit back and think about it for more than one second it is clear that without some form of accident incident investigation in it, you cannot have a credible health and safety management system. As far GDPR goes you can use the following arguments to justify retaining photographs of people without their specific approval: it is to comply with your (implied legal) obligations; to protect the vital interests of the data subject or another person because by collecting and using this information you can improve their Health and Safety at work; it is in the public interest to investigate and accidents at work; there is a legitimate reason for this collection of data (ie photos).

These are all justifications for taking photos of people, without their express permission, during accident investigations and retaining them and possibly sharing them with others. Whether these are legitimate justifications is for the Information Commissioner and the courts to decide.

So take and keep the pictures but be conscious of what you are using them for.

Originally Posted by: Steve e ashton

There is a specific legal obligation to investigate all injuries. Social security claims and payments regs 87, reg 25.

That regulation is nothing to do with Health and Safety. It is aimed at establishing that a genuine work related accident happened, so that the injured person can make a claim for statutory sick pay.

Because the legislation does not say you must:

• Record  that the accident took place, its location, who the injured party was and what they were doing at the time
• Classify the severity  of injury  and what type of injury it was
• Identify the root cause of the injury
• Establish what actions (if any) are needed  to prevent this from reoccurring
• Assign these actions to named individuals along with timetables for them to be completed
• And a sign off that they have done and everything is tickety-boo

If the legislation had anything to do with Health and Safety that is what it would include. Anything else is just record keeping for as you said a vestigial legal requirement.

Has anybody ever been prosecuted for an inadequate accident investigation process?  

I thought the BI510 was a "record of incident" i.e. it does not cover accident investigation nor corrective actions which are all "add ons"

Apparently there is now a 2018 edition also now covering "GDPR" https://books.hse.gov.uk/?DI=649639 unfortunately this does not yet have the "browse inside" feature available on the previous version https://books.hse.gov.uk/bookstore.asp?ACTION=BOOK&PRODUCTID=9780717665440 to see what is different.