What is the GDPR?
The General Data Protection Regulations (GDPR) will be effective from May 2018 and replaces the previous legislation about how data is should be secured and managed. This affects more departments than IT, and will include those dealing with health and safety management. So what do health and safety professionals need to think about relating to GDPR and this new legislation?
How will it affect your health & safety department?
A health and safety system will most likely have a large amount of personal data about employees, contractors, customers etc depending on the sector in which you work. The data might contain details such as names, addresses and phone numbers, all of which will come under this legislation and therefore need to be controlled. Other types of data that a health and safety department may hold which will come under the new regulations includes:
- Occupational health reports
- Risk assessments relating to those with limitations (medical, physical, sensory, learning or mental health)
- Highly confidential data such as witness statements following accidents
- Insurance claims and associated reports
- Complaints from workers regarding health, safety or environmental workplace conditions.
With the new regulations, it is strongly advised that those dealing with health and safety should:
- Understand the current data process and identify where personal data may exist in health and safety documents;
- Record what personal data is held and the document title/type of document (i.e. make a list/register);
- Identify where data is distributed with third party companies and add this to your register;
- Consider and assess the reason for possessing the personal data (do you really need to have access to this? – if not – take yourself and your responsibilities out of the equation)
- Clarify the risk level which comes with holding personal data (breach of data security legislation, complaints or claims from individuals who feel their personal data has been inappropriately used or shared etc). You could use a basic risk rating matrix for this in the same way as completing a general risk assessment.
- Ensure that the data in the list you have compiled is stored securely and not accessible to anyone, including inadvertently, without a valid reason; and
- Obey the data retention policies within your own organisation.
Although, it may be challenging to implement the above stages, many of these will most likely be integrated into changes in the organisation’s policies and procedures as a whole.
It has been said, that 75% of businesses might find it difficult to introduce compliant methods before the start date of GDPR. However, if you can prove that you are in the process of effectively putting procedures in place, regulators may take this into consideration.
Health and Safety Management – Are you a Controller or a Processor?
Some people who deal with health and safety documents will be controllers, some will be processers of documentation and others will be both. There are different requirements for each role-holder. So what is the difference?
As stated by the Information Commissioner’s Office (ICO) a Data Processor is in charge of choosing, whereas a Data Controller is who decides:
Overview of GDPR
GDPR needs to be treated carefully and followed by health and safety employees, even though there is currently lack of clarity and resources available to help us all understand how far we should be going to meet the legal requirements.
Because of this new legislation there may well be further implications relating to cyber and data security and this, together with health and safety management data, go hand-in-hand.
The GDPR means that all businesses will need to identify their health and safety data implications within this legislation, and to develop clear policies and procedures that can be followed without significantly disrupting day-to-day business.
If you would like to know more about how you can achieve this, please call us on 01622 717700 or email us at info@phsc-group.co.uk. This is something we have already helped a number of clients with, so let us help you get ahead of the game.