Rank: Forum user 
|
A query on follow up to accidents involving members of the public, and how their contact details are used. We have a large number of visitors to our site and when first aid is required we use the same accident books as for employees. Personal details are collected should there be a requirement to report via RIDDOR or to identify the person as part of any investigation or claims process.
My approach is that these are the only reasons we hold these details and that they should not be used to contact the individual (e.g. to enquire how they are doing or follow up on the severity of an injury) unless they have expressed consent for this (which it is currently not part of our procedure to ask them to do).
Does this tie in with how you understand accident forms used for non-employees interact with GDPR?
|
 1 user thanked Elfin_Safety for this useful post.
|
|
|
|
Rank: Super forum user 
|
The legitmate business interest under which you have made the record is to identify an incident affecting an individual that occurred on insured premises. As you state it is not to get in contact with the injured party and any external communication or enquiry should be directed through the offices of your insurers.
|
4 users thanked Roundtuit for this useful post.
|
|
|
|
Rank: Super forum user
|
The legitmate business interest under which you have made the record is to identify an incident affecting an individual that occurred on insured premises. As you state it is not to get in contact with the injured party and any external communication or enquiry should be directed through the offices of your insurers.
|
4 users thanked Roundtuit for this useful post.
|
|
|
|
Rank: Super forum user
|
On a slight tangent, this is a great example of how we apply the practicalities of the law. So, a member of staff or the public cannot refuse to give their personal details under the Data Protection Act 2018 (GPDR is a European thing) when reporting an accident in a workplace. To add, a date of birth is also needed for RIDDOR requirements. They also cannot exercise their right as the data subject to be forgotten or that the data be deleted once it has been retrieved, as the data is being kept for legal reasons. The DPA 2018 is regarded as subordinate legislation to the HSAWA 1974. However, it's crucial to understand that personal data must be confidential and kept secure at all times and should only be accessible to individuals with a legitimate interest. Therefore, it would be good practice or even maybe a requirement to ensure that the data retrieved is protected under the DPA. Echoing Roundtuit’s comment above, when it comes to contacting an injured non-employee, it's always best to consult with your insurer first. They can advise you when it's appropriate to do so. It's not a matter of ‘expressed consent’.
|
3 users thanked toe for this useful post.
|
|
|
|
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.