From the 25th May, the General Data Protection Regulation (GDPR) replaces data protection legislation that dates back to the 1990s and applies to all organisations that collect or use the personal data of individuals in the EU.
You may think this would only affect the IT department in a business, but it is likely to have an impact on health and safety also.
The Aim of GDPR
The GDPR aims to protect personal data better. It does this in two ways. It increases a person’s rights to decide what data is held and, to an extent, what happens to it. It also requires organisations and businesses that collect and use personal data to be more transparent about why they need such data and what they do with it. It also means firms and organisations are more accountable for what happens to data, especially if there is a data breach that results in data being lost, inadvertently changed, released, or accessed by an unauthorised person.
Consequences of Non-Compliance
Under the Data Protection Act 1998, the maximum enforceable fine was £500,000. Under GDPR, however, the potential sanctions have increased significantly. To show how seriously the European Commission is taking the issue of data protection, it is threatening to impose fines for non-compliance of up to 20 million Euros or 4% of a company’s total worldwide turnover.
However, the likelihood of actually implementing these substantial fines has been played down by the Information Commissioner’s Office (ICO), which is the lead supervisory authority for GDPR in the UK.
The legislation also allows for people to make civil claims for damages and complaints to the ICO, especially in the event of a data breach. In addition to imposing fines, the ICO can also issue warnings and reprimands, order the rectification or erasure of data, and even ban a business from processing data.
Two Classes of Personal Data
Under the regulation, there are two levels of personal data. General personal data is any data that can be used to identify an individual. Personal data includes names, addresses, and mobile numbers.
In addition to this, there is a class of data known as sensitive personal data which includes information about a person’s health.
Why GDPR Impacts Health and Safety
The health and safety system of a business may contain a significant amount of personal data about clients, employees, contractors and suppliers. Some of this will be sensitive personal data because it is health related. This type of data may be gathered and used in the course of creating:
- Training records.
- Occupational health reports.
- Risk assessments that contain sensitive information like physical or mental health issues, special needs, or disabilities.
- Records of issues raised by employees regarding health, safety, or environmental conditions in the workplace.
- Records of accidents or incidents in the workplace including highly confidential data such as injuries received, how injuries were treated, and witness statements.
If a business is keeping health and safety documents that contain personal data of people in the EU, it will have to be compliant with GDPR. Compliance includes being able to justify having the personal data in the first place, having a list or register of what personal data is kept and in which documents, and identifying and recording where data is distributed to third party companies (for example, online storage sites).
The data should also be subject to the data retention policies within the business, and both the data and the list or register of data held must be securely stored and accessible only to specific personnel.
These procedures will not be exclusive to health and safety. If the business is already working on becoming GDPR-compliant, it will probably just be a matter of making sure the handling of health and safety records is integrated into whatever GDPR-compliant measures are already in place for personal data.
Two New Roles
The GDPR defines two roles that may be new to many health and safety professionals: the data controller and the data processor.
1. Data Controller
The data controller determines the purposes and means of processing personal data. The controller decides whether to collect personal data in the first place, and also decides:
- which items of personal data to collect
- the specific purposes the data is to be used for
- which individuals to collect data about
- whether to disclose the data and if so, who to
- how long information is to be kept
2. Data Processor
The data processor processes personal data on behalf of a data controller. Data processing occurs whenever anything is done with personal data. A data processor decides:
- what IT systems are used to collect personal data
- how personal information is stored
- the details of security surrounding the data
- how the data is transferred from the business to a third party
- how personal data is retrieved
- the method that ensures a retention schedule is adhered to
- how information is deleted permanently
Only the minimum amount of personal data needed for a particular purpose should be collected, and there must be a legitimate legal basis for processing the data.
A business may only have one of these two roles. However, companies that collect, store and use data using their own systems are both a data controller and a data processor.
A New Level Of Responsibility
Whether a business is recording details of employees who have completed first aid training, organised eyesight tests for Display Screen Equipment users, or using external companies for alcohol and drug testing, there are likely to be data protection issues.
Now that the GDPR applies to all businesses that hold or handle data about people in the EU, businesses must meet, or be working towards meeting, the GDPR requirements by having clear policies, procedures and record keeping. Because the regulations are so wide-ranging, a new level of responsibility is needed in health and safety wherever personal data is used or stored.