GDPR – Implications for Health and Safety Professionals

13th June 2018

Nobody who uses the internet in the UK could have missed the news of GDPR, the new EU General Data Protection Regulation (EU 2016/679), which came into force on May 25th.  Any health and safety professional will know that, to be effective, a safety management system requires the storage of competency records, disciplinary notes and health surveillance results.  Any information therein that relates to an identified or identifiable person is considered to be “personal data” and is subject to GDPR.  This personal data includes driving licences, induction paperwork and Personal Protective Equipment (PPE) records.

GDPR’s Article 5 requires that personal data is processed lawfully, fairly and in a transparent manner in relation to individuals.  While it’s unlikely that there will be any unfairness in the use of data for health and safety purposes, the reasons for using such data should be clear.  When choosing a “lawful basis” for processing data, health and safety professionals are unlikely to be able to obtain consent every time a record is generated.  An effective solution for dealing with this is to rely on the following two bases:

  • Legitimate Interest – the interest of effectively managing the health and safety of those connected with an organisation is evident and should require no further explanation.
  • Legal Obligation – this is of particular relevance for training records and health surveillance documents where there is a statutory requirement to keep records and be able to evidence and review health and safety systems.

In instances where obtaining consent may not be workable, relying on the above two bases is unlikely to result in a significant change to normal practice.  However, health and safety professionals should be transparent about the data they are collecting and their reason for collecting it.

When it comes to sensitive personal data, particularly health records associated with surveillance and occupational health, one of the bases above should be identified in order to process the data.  This is covered by GDPR as “Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee”.  Individuals should be informed about the collection and use of their personal data, and health and safety policies should be transparent about this requirement to inform.

According to GDPR storage limitation requirements, personal data should be stored in a format which permits the identification of data subjects for no longer than is necessary for the purposes for which the data is processed.

When a health and safety incident occurs, an investigation should be conducted to understand what happened and how to prevent a similar occurrence in future.  There is also a requirement to submit a RIDDOR report and comply with document requests from the Health and Safety Executive (HSE).  This means that health and safety professionals need to consider how their investigation reports are disseminated.  If the reports contain references to personal data, practitioners should consider whether this can be removed or restricted before the report is circulated.  In some cases, the facts and learning outcomes of the incident are more important than the identity of the individuals concerned.  If it’s necessary to share personal data as part of an investigation, recipients should be cautioned to treat the data in an appropriate manner and destroy it when it is no longer needed.