Stuart Smiles  
#1 Posted : 13 June 2017 11:14:17(UTC)
Rank: Forum user

Hi All,

With the incoming General Data Protection Regulation go-live less than a year away, and the general desire to share information for the benefit of Health and Safety, have you found that people are now looking to reduce the level of information stored and classified to "Comply with GDPR"?

At Infosec (IT Security Show) last week, mention was made of likely data subject requests forcing extremely expensive data gathering exercises and resulting in a general desire within organisations to "get rid of data" to ensure that organisations store as little as possible, to the extent of expunging subject data from archived backups & records!

Such requests would require documents relating to the subject, such as emails, records & correspondence mentioning the data subject to be made available, with no fee (reduced from £10), and as such records will have to be made available within a very short timescale.

CCTV also is covered under the regulations.

Obviously a significant document to add to the management systems, available at:

Information Commissioner's guide:

https://ico.org.uk/for-organisations/improve-your-practices/data-protection-self-assessment/getting-ready-for-the-gdpr/ (questions)

https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf (steps guide)

https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/ (homepage)

European Directive:

http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf (directive)

CIPD

https://www.cipd.co.uk/knowledge/fundamentals/emp-law/data-protection

How will auditors review documents - what about auditing/sharing "supply chain" - already an issue?

What will human resource departments offer as advice/requirements/guidance?

Who will go through and sort archives of data to select what need be kept or not?

Wholesale changes to IT and processes will happen soon if not already.

Thoughts on how organisations can best comply would be welcomed, as I can see the "worms can" well and truly open.

Migration of data storage to a "new compliant system" will probably take/add significant resource requirements to an already busy schedule.

Ron Hunter  
#2 Posted : 13 June 2017 12:07:58(UTC)
Rank: Super forum user

Woe betide any Organisation which does not comply with current UK Legislation protecting the personal data of natural persons.

That new EU Regulation is a lengthy document - so what's new for Occ. Health professionals? Nothing leaps out at me in that respect.

Accident data, RIDDOR, claims data, occupational health records have been subject to DPR for a long time now, as has the requirement for the controller to be able to demonstrate consent for holding that data and using it for legitimate purposes.

Beware the less than scrupulous people out there who will attempt to convince you that what you already have is "no longer compliant with new legislation"...

If your Organisation is affected, and is currently doing what the law requires, then you'll already have a "data controller" - go ask them!
