Postings made by forum users are personal opinions. IOSH is not responsible for the content or accuracy of any of the information contained in forum postings. Please carefully consider any advice you receive.

Ann Diment  
#1 Posted : 11 April 2018 14:59:07(UTC)
Rank: Forum user

Hello fellow IOSH members. I work part time for a leisure centre trust and we are updating our data retention policies in preparation for GDPR regulations. What retention times are other organisations adapting for incident records? Any reasons for extending the 3 year limit other than if a claim is made during that period?

Many Thanks

Ann

jcollins17  
#2 Posted : 11 April 2018 15:08:46(UTC)
Rank: Forum user

I had a meeting regarding our GDPR regs yesterday.

We keep our paper records for 3 years, but we also log all accident/incidents on a spreadsheet. We will probably keep the spreadsheet indefinitely or archive as we go along (although no real reason to).

The only reason I can think of keeping the information is so that stats/trends can be taken from them so we can see if we are improving year on year.

George_Young  
#3 Posted : 11 April 2018 19:44:25(UTC)
Rank: Forum user

While many companies will keep for 3 years (or longer if IP under the age of 18), it may be worth discussing with your insurance company to see if there are any requirements for a longer period.

I know you're not asking about this, but remember health surveillance or other medical assessments may be needed for 40 years + depending on legal requirements.

Stuart Smiles  
#4 Posted : 11 April 2018 20:43:01(UTC)
Rank: Forum user

End of employment of individual + waiting time. If any issues with person such as suspect claims, be inclined to store longer - 10 years + after end of employment. If related to potential condition, suggest consider whether up to 40 year limit as for occupational health and associated stuff. Look at/consider differential based on severity of incident so that you can store for less significant one to timescale a, and more significant ones on a case by case basis, with review or mechanism to vary away from the Policy.

lorna  
#5 Posted : 12 April 2018 06:57:59(UTC)
Rank: Forum user

I checked with our insurers and they want incident reports etc keeping for up to 8 years - i.e. person reaches age of 21 + 3 years (many are only 16 now). I thought I was being cautious hanging onto them for 5...glad I asked before I shredded/deleted them!

Hsquared14  
#6 Posted : 12 April 2018 11:46:02(UTC)
Rank: Super forum user

Originally Posted by: lorna

I checked with our insurers and they want incident reports etc keeping for up to 8 years - i.e. person reaches age of 21 + 3 years (many are only 16 now). I thought I was being cautious hanging onto them for 5...glad I asked before I shredded/deleted them!

Having worked as an insurance surveyor from 1997 to 2017, the standard advice was to keep for 5 years - I have no idea why insurers are now quoting 8 years - that does seem a bit OTT. Of course if the incident involved chemicals then I suppose the COSHH regulations would apply and you would need to keep them longer. Lorna, did your insurer give you any reason why they were specifying a retention time of 8 years?

lorna  
#7 Posted : 12 April 2018 13:06:07(UTC)
Rank: Forum user

I thought it was 3 years after they reached 18 (i.e. became an adult) but the insurer was quite insistent that it was 21 + 3. As most of our reported injuries require little more than a plaster or an ice-pack, it does seem rather OTT to me too!

djupnorth  
#8 Posted : 16 April 2018 17:45:43(UTC)
Rank: Forum user

Lorna,

Your insurer may have contractual claims in mind where the limitation period is 6 years, as well as personal injury claims where the limitation period is 3 years (after the IP's 18th birthday if he/she is a child).

A key requirement of the GDPR is that you only collect the minimum amount of data necessary and keep it for the minimum period. It might be a defence that you are following insurer's instructions but I would seek that requirement from your insurer in writing (an email will do as long as it can be accessed in the future).

I hope this helps.

DJ
