Data protection is on all our minds as thousands of companies that deal with the EU prepare for the GDPR changes of May 25th. We’ve discussed what the regulation means for the Health and Safety department, and by now you’ll likely have a good idea of the actions you need to take around data categorization, output, sharing, retention, and deletion – but what about the less obvious areas that are harder to spot?
The risk of GDPR noncompliance in OHS Management
Much of what is required under GDPR is data protection best practice. The difference is that now data subjects (people) have more legal rights around knowing what information you hold on them, how you manage it, and how it is deleted (“the right to be forgotten”). Furthermore, GDPR introduces accountability and regulators may now levy noncompliance fines of up to 4% of a company’s global turnover.
Especially in the cases where many changes must be made to become compliant, it’s easy for things to slip through the cracks. The management of Occupational Health and Safety is very exposed to noncompliance due to the volume of personal data that is captured as part of its processes. So, let’s take it as an example to consider some important compliance issues that are a little less obvious.
Questions to ask yourself first
Firstly, in our GDPR and Health & Safety: A Guide For HSE Professionals paper, we suggested asking yourself the following questions (among others) in order to get started.
- Do you understand your current data processes? Can you demonstrate they meet compliance requirements?
- What personal data does the Health and Safety department hold?
- What security is in place for the personal and sensitive data stored?
- What are your justifications for holding personal data?
- What are your personal data retention policies?
But as part of this exercise you must also think about where one might find personal data in your OHS software. This is where we see GDPR really start to affect the everyday, and it can seem like noticing one issue leads to realizing ten others! To get you thinking, here are 3 aspects of your OHS software you may have forgotten about that contain personal data.
3 places you may have forgotten to check for personal data
1. Free-text comments in OHS forms
Albeit not the sole source, your forms are where much of the personal data you hold will come from or be stored. There are various types of data captured in this one area, some of which is structured, some of which is free-text (unstructured).
Categorizing structured data by security level
Through categorization, which is a recommendation of GDPR, you can designate certain types of data to require a higher security clearance than others. For example, you may have four levels of security such as Public, Private, Restricted, and Special Data.
- Public may be the time, date, location, description and severity of an incident.
- Private may be the job titles and hours worked of those involved.
- Restricted data would likely be the full names, contact details, and demographic details (age, gender) of those involved.
- Special Data is reserved for sensitive information such as the health records of the individuals involved in the incident.
The security level assigned to a certain field on your form will set the standard for what security permissions a user must have in order to view that data. This means that fields of security level 2-4 can be automatically locked down for users without the correct clearance, such as job titles and contact details as above. However, this becomes harder to manage in the case of free-text fields.
Avoiding personal data in free-text fields
Free-text fields or comment fields are used to allow users to describe something in their own words. For example, your Incident form likely has a free-text field for users to fill in a description of what happened. This field may have security level 1, Public, as a description is a basic requirement of being able to understand the record at hand. The problem arises when users inadvertently include personal data such as colleagues’ names in their descriptions.
Although most OHS software systems can assist in the categorization of data by assigning security levels and locking down structured fields, their capabilities are limited when it comes to detecting personal data in free text. The most practical approach to avoiding this problem is to change the way people fill in forms. You could remind users to leave personal data out of free-text fields by adding a note to the form, or you may add a step to your approval process that redacts the likes of individuals’ names from Public security level fields. Or both, or another approach entirely!
2. Details in automatic email notifications
If your OHS system sends out automated notifications in workflows, you’ll have to think about the data contained in them. Regardless of the security permissions of the person receiving the notification, if the email contains personal data it must be encrypted.
Email is heavily relied on in most businesses and has been cause for much confusion in the midst of GDPR. The regulation does not block the sharing of personal data via email but the data must be encrypted, and businesses must be able to demonstrate an element of care. Where able, you should remove personal data from email notifications sent by your Incident Management software – in many cases this information is not necessary in the email itself, and a link should be provided to the original and controlled record within your OHS system instead.
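As an added illustration of points 1 and 2 (this is example code, not from the original post or any particular OHS product), the Python below sketches the controls just described: structured fields locked by security level, a redaction step that strips the names held in Restricted fields out of Public free-text fields, and a notification body that carries only redacted Public fields plus a link to the controlled record. The schema, the sample incident and the record URL are all constructed for the example.

```python
import re

# Security levels as described in the article: 1 Public ... 4 Special Data.
PUBLIC, PRIVATE, RESTRICTED, SPECIAL = 1, 2, 3, 4

# Hypothetical incident-form schema: each field carries a security level.
INCIDENT_SCHEMA = {
    "date": PUBLIC, "location": PUBLIC, "severity": PUBLIC, "description": PUBLIC,
    "job_title": PRIVATE, "hours_worked": PRIVATE,
    "full_name": RESTRICTED, "contact": RESTRICTED, "age": RESTRICTED,
    "health_notes": SPECIAL,
}
SAMPLE_INCIDENT = {  # constructed sample record; the description shows the free-text problem
    "date": "2018-04-12", "location": "Warehouse B", "severity": "Minor",
    "description": "Jane Doe slipped on a wet floor near bay 3; J. Doe reported it to her supervisor.",
    "job_title": "Forklift operator", "hours_worked": "7",
    "full_name": "Jane Doe", "contact": "jane.doe@example.com", "age": "34",
    "health_notes": "Bruised knee, no treatment required",
}

def view_for_clearance(record, schema, clearance):
    """Structured fields above the user's clearance are locked, as the article describes."""
    return {k: (v if schema[k] <= clearance else "[LOCKED]") for k, v in record.items()}

def redact_names(record, schema, name_fields=("full_name",)):
    """Redact names taken from Restricted structured fields out of every Public free-text
    field. Matches the full name and the 'J. Doe' initial form; returns (cleaned, hit count)."""
    patterns = []
    for name in (record.get(f, "") for f in name_fields):
        parts = name.split()
        if len(parts) >= 2:
            patterns.append(r"\b" + r"\s+".join(map(re.escape, parts)) + r"\b")
            patterns.append(r"\b" + re.escape(parts[0][0]) + r"\.?\s*" + re.escape(parts[-1]) + r"\b")
        elif parts:
            patterns.append(r"\b" + re.escape(name) + r"\b")
    cleaned, hits = dict(record), 0
    for k, v in record.items():
        if schema[k] == PUBLIC and isinstance(v, str):
            for p in patterns:
                v, n = re.subn(p, "[REDACTED]", v, flags=re.IGNORECASE)
                hits += n
            cleaned[k] = v
    return cleaned, hits

def notification_body(record, schema, record_url):
    """Email text carrying only redacted Public fields plus a link to the controlled record."""
    cleaned, _ = redact_names(record, schema)
    lines = [f"{k}: {v}" for k, v in cleaned.items() if schema[k] == PUBLIC]
    return "\n".join(lines + [f"Full record: {record_url}"])
```

The redaction only catches names the system already holds in structured fields, so it supports, rather than replaces, the approval-step review the article recommends.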
Emailing personal data to third parties
On top of automated notification emails, the Health and Safety department must also think about the sharing of personal data with third parties, such as insurance companies, legal firms, or training providers. This involves encrypting personal data that is shared through email and getting sufficient guarantees from third parties (‘processors’) that their data handling methods meet the requirements of GDPR.
3. Media used for evidence
It’s very easy to associate personal data with text information stored in a database. However, media such as images and video in which individuals can be identified are also classed as personal data, and thus must be protected. This is referred to by GDPR documentation as “biometric data”, and for the Health and Safety department this may include:
- Media attachments to forms
- Surveillance video footage
Biometric data should be treated the same way as text data; it must be stored in an electronic database, categorized, able to be exported, the individual(s) identified by it must be informed of its existence, and so on. The way you manage this will depend on how your biometric data is stored.
When media such as an image is attached to a form, the way it is stored depends on how your IMS is structured; for example, is the media classed as a field, in which case it can be locked down using security levels, or as an attachment like in an email? Is it also saved in a media library, retaining a link to its upload source (the form)? In the latter case, it will be easier to categorize your media to identify potential risk of a person’s identity being exposed. For example, media that have been attached to an injury and illness form are more likely to contain personal data than media relating to an environmental near-miss. Whatever the makeup of your OHS software system, steps should be taken to include images and video in your protection of personal data.
Images used for training and marketing
Whilst on the topic of biometric data, it’s worth mentioning that companies have a bit more freedom when it comes to media used for training and marketing purposes. This type of use is often covered in an employee’s contract, meaning that permission has been expressed for the business to use individual-identifying images, but only in these certain cases.
Training Management is often included under the Occupational Health and Safety umbrella, and the use of video is a powerful tool for teaching – GDPR does not prohibit its use in the slightest, but controls must be in place to ensure the correct permissions are obtained.
GDPR is an overdue exercise of education
If one thing is true of GDPR, it is that it is promoting an education in data protection. The aim is not to catch businesses out but to shift attitudes towards responsibilities. As L. Roe, data protection officer at the UK Institute of Engineering and Technology explained at a GDPR roundtable event,
“For me a lot of these issues are largely solved by great staff education. If they're good at knowing what the risks are, it cuts out a lot of our business risk.”
Regardless of whether you are legally bound by GDPR or not, you should be seeking to implement best practice and to adhere to what is seen as a world-leading standard. It is to be fully expected that other jurisdictions will follow suit with updated data protection laws as the legal world catches up with technology; and in the meantime, the reduction in business risk will be well worth the effort. Better to get ahead alongside your peers than be behind on what is increasingly becoming a newsworthy topic. (One only has to read the recent headlines to know the damage that a data protection breach can cause!)
So, if you do hold data on EU citizens, amid the GDPR rush in the run up to May 25th don’t forget to check your free-text fields, email notifications, and media files! And if you haven’t already, get a better understanding of the regulation with our guide for HSE professionals.
GDPR and Health & Safety: A Guide For HSE Professionals
Is your organization prepared for the new GDPR? This guide will help you understand the legislation and its implications to your HSE department.