GDPR Comes into Force: Review Health & Safety Records Now

GDPR is the new European legal framework for the protection of personal data. It builds on and tightens up current data protection requirements. The UK government has already announced that it will include GDPR in UK law following Britain’s withdrawal from the European Union, so it will continue to apply post-Brexit. The legislation covers everything from unstructured information potentially stored within email accounts, to health and safety-specific software.

Penalties for non-compliance are hefty – up to 20 million euros or 4% of annual turnover, whichever is higher. And this is before you take into account the reputational damage, legal and other associated costs.

Adhere to the 6 Key Data Protection Principles

GDPR compliance means that personal data must be processed according to the following 6 data protection principles:

  1. Processed lawfully, fairly and transparently
  2. Collected only for specific legitimate purposes
  3. Adequate, relevant and limited to what is necessary
  4. Must be accurate and kept up to date
  5. Stored only as long as necessary
  6. Ensure appropriate security, integrity and confidentiality

Examples of health and safety records requiring review for GDPR compliance potentially include: accident reports and investigations, first aid, occupational health, DSE assessments, training documents and any summaries provided of this information for management reports,health and safety meetings, etc.

The first step for health and safety managers is to find out how your organisation is implementing the GDPR requirements, and whether a Data Protection Officer (DPO), who is responsible for ensuring compliance, has been appointed. If so, contact your DPO to check they have considered the personal data held by your department. If your business doesn’t have a designated DPO, find out who is responsible for data protection compliance and speak to them.  Also make sure you work closely with your HR colleagues to identify, and agree, who controls shared personal data relating to, for example, occupational health.

9 Key GDPR Actions for Health & Safety Managers

  1. Work closely with HR colleagues on shared records to ensure they fulfil the 6 data protection principles
  2. Understand and document your current health and safety data processes and demonstrate they comply with GDPR principles
  3. Document the personal data held by the health and safety department
  4. Assess the security of personal data held by the health and safety department with the help of your IT department, including what can be considered sensitive data, for example, ‘data concerning health’
  5. Check your existing security clearances for access to data held by the health and safety department to ensure personal data is secure
  6. Document where personal data is shared with third party organisations, including regulatory bodies, insurance companies or contractors
  7. Review and define justifications for holding personal data in the health and safety department
  8. Categorise the risk level associated with personal data held – different levels of security and access can be applied based on the level of risk associated with an unintended or malicious disclosure, alteration or destruction of the data
  9. Implement your organisation’s personal data retention policies