GDPR comes into force this week, and Health & Safety professionals need to be aware of what it means for them and their organisations.
Your HR department are probably up to speed with this. They’ve probably been sent on courses. Your IT experts are likely to have had specialist input on how to make sure they comply. But do you know what your responsibilities are? Did you even realise that GDPR will apply to you and your occupational health and safety (OSH) records?
What is GDPR?
GDPR (the General Data Protection Regulation) is the new EU regulation for data protection that comes into force on 25 May 2018. For those who might think that, with BREXIT on the horizon, this doesn’t matter too much, be warned: it matters.
It matters of course to the many organisations that work with and across EU countries. But even if you only collect data for use in your department you can’t ignore GDPR. In June 2017 the UK government confirmed that it would implement the EU GDPR in the short term, and that post-BREXIT the same data protection rules will be incorporated into UK law.
GDPR aims to give individuals more control over their personal data by increasing their rights, and to encourage organisations to be more transparent about what they do with data and more accountable for what happens with it.
“But I don’t deal with personal data, just safety data”
Have a look through your OSH files. Do your accident reports have the names and home addresses of people involved? Do you have individual risk assessments for named expectant or new mothers, or for young people on work experience? Do you have Personal Emergency Evacuation Plans (PEEP) which describe the support an employee will need during an evacuation? If you collect data from your vehicle fleet, could someone derive the home address of a driver from that data?
Some data might even require the higher level of protection required for sensitive personal data (now referred to as “special category data”). For example:
- Do accident reports refer to injuries received and medical treatment given?
- Do individual risk assessments refer to illnesses suffered during pregnancy, difficulties experienced at birth, or the special needs of a young person, such as dyslexia?
- Does a PEEP include medical information relating to a disability or a temporary condition?
As well as information about physical and mental health, trade-union membership, racial or ethnic origin and biometric data are all special category data.
“But I don’t have a database - can I ignore GDPR?”
There can’t be many people who still record everything on paper forms only. However, even if you do, GDPR applies to this information. Most OSH managers use Word or Excel to produce checklists, assessments and reports. GDPR will certainly apply to any personal data in these. If you have your OSH information in a third-party online safety management system (SMS), you’re already a few steps ahead. Check with the provider that they know about GDPR and are doing their bit to comply. And don’t forget that if emails contain any personal information, they also fall under the regulations.
We set out the seven principles of GDPR below, with examples of how health and safety managers can conform – or how they can fail, whether the data is on paper, in electronic documents or in an online system.
1) Personal data shall be processed lawfully, fairly and in a transparent manner
When you ask someone for personal details, whether for a risk assessment, accident report or other form, you must make it clear to them how the information is to be used, and how long it will be kept.
2) Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with the initial purposes
There’s been an accident, and you ask Bob to tell you what happened. You explain that the information is for the accident report and will be used to improve safety systems. A few months later, Bob has a disciplinary hearing because of a different event. It would be wrong to use the information Bob provided for the accident report as evidence in the hearing.
3) Personal data shall be adequate, relevant and limited to what is necessary for processing requirements
Jack uses the same accident report form for members of the public and staff. It includes an address field. Jack needs it for members of the public, but he doesn’t need to collect it for staff as HR will have that information (and hold it securely). Another area of confusion is regarding health surveillance information. The HSE website explains that “health records are different to medical records in that they should not contain confidential medical information.” If a health professional detects an illness unrelated to work during health surveillance this information would be given to the employee, but not by default to the employer.
4) Personal data shall be accurate and kept up to date
The most common mistake here is lack of version control where electronic documents are stored on a shared server. Sami has multiple sclerosis (MS). He can walk downstairs but does so slowly, so his PEEP states that during an evacuation he will wait in the refuge until most people are ahead of him, and then he’ll walk down in his own time. Sami’s MS gets worse, and a new PEEP is written that requires a buddy to be appointed to stay with him and provide support as he needs it. A buddy is trained, but then leaves. When reviewing PEEPs, the responsible person looks at the old PEEP, and doesn’t take account of Sami’s current needs.
5) Personal data shall be kept in an identifiable form only as long as is necessary for its intended purposes
If you have decades of paper records with individuals’ names on, set aside a couple of days to prune and sort. Agree a retention policy first – whilst health surveillance records must be kept for forty years, do you really need to keep the risk assessments done ten years ago and now superseded? This could be a good opportunity to bring your records into the 21st century and digitise what needs to be kept.
6) Personal data shall be processed in a secure manner that protects against unauthorised or unlawful access, accidental loss, destruction or damage
If you are using an online SMS, ask your provider what they are doing about GDPR. Check that you have set access levels so that people only see the personal data relevant to them. For example, line managers might only need access to the training records of people within their department, so don’t give them access to the whole organisation.
Emailing documents takes them outside of your control – can you instead email people a link to where documents are stored? Find out who has access to areas of shared storage. One client gave me access to a file area where the fire policy documents were stored. In the same folder I could open staff PEEPs containing medical information. That was wrong under the old Data Protection Act (1998) and could be subject to heavy fines under GDPR.
And don’t forget the paperwork. Just because it’s hard to find, doesn’t make it secure. Time to gather up personal records you want to keep, lock them up securely – and check who has a key.
Many of the requirements of GDPR were already present in the Data Protection Act. However, there is a shift of emphasis: your organisation must be able to show that it is compliant with these principles. Find out what information you have, and decide which information is “personal” and “special category.” If you have a data protection specialist in your organisation, and they’re focusing only on HR or marketing, it’s time to let them know what you’ve got.