GDPR and Health and Safety: 2019 Update

Last year - almost to the day - the General Data Protection Regulation (GDPR) came into force. Can you believe twelve months have past already?

In the run up to May 25th 2018, our inboxes were inundated with marketing opt-in emails. Moreover, the media frenzied about non-compliance, and even compared the GDPR to Y2K.

As a result, most companies frantically ensured GDPR compliance, lest they were hit with the infamous fine (€20 million or 4% annual global turnover, whichever is higher). So much so, our GDPR and health and safety guide became our most popular download.

Download GDPR for Health and Safety: A Guide for HSE Professionals 2019 Update »

Now, in celebration of GDPR’s first birthday, let’s look at its impact on the health and safety industry. But first, which companies were fined for non-compliance?

GDPR vs Google

Unsurprisingly, Google received a £44 million fine. CNIL, a French data regulator, accused the search engine giant of “lack of transparency, inadequate information and lack of valid consent regarding ads personalization.”

In other words, Google’s ambiguity around users’ personal data did not go down well. Awkward.

However, Google’s got company. While not quite reaching a fine, Amazon, Apple, Netflix and Spotify had their dirty GDPR laundry aired: all platforms received blame for inappropriately responding to users’ data requests.

Under Article 15 of the GDPR, it states:

"The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data ..."

As we know, health and safety often requires sensitive employee data. Consequently, EHS professionals were deeply concerned about gathering and storing employee data under the GDPR.

GDPR and EHS

In our GDPR whitepaper, we found that data kept for health and safety purposes is at higher risk of breaching the regulation.

However, Murray Ferguson, Managing Director at Pro-Sapien Software, said:

"For the most part, EHS professionals always captured sensitive personal data. As a result, they already know the data processes and security."

"The GDPR legislation raised the bar. Large and small companies considered their responsibilities around personal data. In turn, EHS and IT compliance worked together, ensuring appropriate and robust controls."

Sensitive EHS data and GDPR

The main GDPR controls are twofold. Firstly, process information lawfully, fairly and transparently. Secondly, store data with an appropriate level of security. In other words, back-up and encrypt data, then lock under a 'need to know' access.

Murray said:

“Similar to other departments, EHS professionals are strongly aware of data security. Non-EHS software vendors saw a hike in buyer scrutiny and an increase focus on digital security and data compliance in the past 12 months.”

"The GDPR replaced outdated and unfit for purpose data protection laws. Now, we see mainstream media coverage and public awareness around personal data security."

"Furthermore, workplaces, social media platforms and governmental bodies have a greater awareness of personal data security."

Accident Reporting

As we know, accident reporting involves sensitive information. Moreover, mishandling this data can breach the GDPR.

Now for the good news! You collect information for an accident report ‘lawfully’. That makes it GDPR compliant.

Under the GDPR, 'lawful' processing means one of the following applies:

• Clear consent
• Contractual obligation
• Required by law
• Necessary to perform a task in the public interest
• Legitimate interest

When recording workplace accidents, employers must process data under the Social Security (Claims and Payments) Regulations 1979. This includes:

• full name, address and occupation of injured person
• date and time of accident
• accident location
• injury cause and nature
• name, address and occupation of the person giving notice, if other than the injured person

For this reason, the 2012 edition of the HSE’s accident book is also GDPR compliant.

However, even with 'lawfully' gathered information, the GDPR encourages transparency. Most importantly with accident reports, inform the injured worker of the data collection, explaining how long it’s held for and who has access.

Securely store the accident book on completion.  Mistakes can happen in an accident scenario – it’s a high stress situation. A misplaced accident form means other workers could find it. Moreover, depending on the scenario, this could spark further stress for the injured worker.

Employers misusing GDPR

Certainly, the GDPR comes with many benefits, including improved data security, enhanced data management and boosted customer relationships.

Nonetheless, some employers mis-used the GDPR in regards to health and safety. EHS pros were withheld necessary information by employers excessively concerned with the GDPR.

Hugh Roberston, head of safety at TUC, wrote in a blog post:

“A lot of employers say the GDPR restricts the supply of information. Examples include not handing over accident report form information, or halting Safety Audits on the grounds of containing personal data.”

“This is nonsense. These employers make no attempt to gain consent for sharing the information or, if consent is withheld, anonymizing the information.”

Roberts concludes:

“Employers refusing information, means they should not have given it out before, or they use the GDPR as an excuse."

Furthermore, guidance from the Health and Safety Executive concurs. Safety pros follow the Safety Representatives and Safety Committees Regulations, without impingement from the GDPR.

Conclusion

Now, a year down the line, hopefully you feel more clued up about the GDPR. Nevertheless, while its Y2K-style predictions didn't come to pass, non-compliance could be devastating. Find out more by reading our GDPR guide for HSE Professionals updated for 2019.