OHS teams will face particular legal constraints on how they handle personal data because much of the data they will process is likely to be subject to additional controls due to its sensitive nature.
With the GDPR set to apply from 25 May, and severe financial sanctions possible for breaches of it, there is an urgent need for OHS practitioners to fully understand what personal data they already hold or could collect in future, and take steps to ensure their processing of that information is compliant.
Personal data in the context of health and safety
OHS teams hold considerable personal data. For example, they are likely to hold details of individual workers' training records, and details of their health issues, including any staff special needs or disabilities.
In addition, accident reports will contain the names and addresses of those involved and of any witnesses, as well as details of injuries received and treatment given. There may also be personal information recorded or transcribed from interviews conducted during internal investigations, and images from CCTV monitored for health and safety purposes will also constitute personal data where workers feature.
Like existing data protection rules, the GDPR will apply to this information. The GDPR gives a very broad definition to 'personal data' to include any information relating to an identified or identifiable individual, whether directly or indirectly.
Data protection principles
Many of the data protection principles that apply today will continue to be relevant under the GDPR. Those principles require, for example, that personal data is processed lawfully, fairly and in a transparent manner, and collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Further principles serve to restrict data processing to that which is necessary, to ensure personal data is accurate and kept up-to-date, and to govern data retention practices, including around how long information is kept in a form which permits identification of data subjects. They also address data security.
In line with new accountability requirements under the new framework, businesses must be able to demonstrate their compliance with those principles.
The GDPR contains provisions that expand on the principles, including setting out criteria that organisations must fulfil to ensure their processing of personal data can be considered lawful.
The GDPR provides several lawful bases on which OHS teams may process personal data. These include where they have obtained the unambiguous, freely given, informed and specific consent of data subjects for such processing. However, it may be difficult for OHS practitioners to rely on consent as a lawful basis for data processing. This is because the processing is likely to be carried out in an employer-employee context, and the perceived imbalance of power in this relationship means it is debatable whether consent could be said to be 'freely given'. This issue has already been acknowledged by data protection watchdogs in the EU.
Data processing can take place without consent, however, such as in cases where the processing is necessary for a contract the organisation has with the individual, or because the individual has asked the organisation to take specific steps before entering into a contract.
In the context of health and safety, this 'contract' basis for processing is unlikely to be applicable where, for example, personal data is collected as part of an accident investigation. It may apply where an employee has particular requirements which need to be accommodated so that they can perform their duties; in this scenario, however, the personal data may be deemed a special category of data and subject to additional controls.
In other cases, OHS teams may be able to press ahead with data processing in pursuit of 'legitimate interests' that they or a third party have. However, legitimate interests cannot be relied upon where the rights, interests and freedoms of the individuals whose data is to be processed override those interests.
The legitimate interests basis for processing is the most flexible of the lawful bases provided for under the GDPR, but even here OHS professionals must carry out a balancing exercise and will have to consider carefully whether there is in fact a legitimate interest behind the processing; whether the processing is in fact necessary for that legitimate purpose; and whether the legitimate interest is overridden by the individuals' rights, interests and freedoms.
OHS professionals must properly assess the situation in each case and document the outcome so that the legitimate interest can be demonstrated.
In internal investigations following an incident, for example, interviews are often recorded. If this basis is to be used for that collection, consideration will need to be given to whether this is the least intrusive method of processing the information. If not, another basis will be required if the requirements of the GDPR are to be met. Interviewees must be told of the purpose in advance.
Special categories of data
Under the GDPR, certain types of personal data cannot be processed at all, except in limited, specified, circumstances. These are data relating to criminal convictions and offences and 'special category' data, formerly known as sensitive personal data, including data revealing racial or ethnic origin, trade union membership and data concerning health or sexual orientation.
OHS professionals must be particularly vigilant not to fall foul of their obligations here.
Such data can be processed only in specified circumstances which broadly replicate those under the current law, including with the explicit consent of the data subject; where necessary in the context of employment law, or laws relating to social security and social protection; where the processing relates to personal data which the data subject has made public; where the processing is necessary for the establishment, exercise or defence of legal claims, or for courts acting in their judicial capacity.
Careful thought must be given to the reason for processing personal data in each case. Failure to do so can result in very hefty fines, at least of the order of those seen more recently following breaches of health and safety legislation.
In internal investigations, for example, where consent has been given by the data subject to the initial collection of a statement, before handing that information to a third party or regulator, OHS professionals should review the consent given and satisfy themselves that it covers this disclosure. If not, another lawful basis must be identified before any further processing takes place.
The current law contains certain exemptions from the processing requirements, which may help OHS professionals where processing takes place, for example, to obtain legal advice following an incident. These are largely replicated, although with some notable additional constraints, in the Data Protection Bill currently before parliament.
For example the provisions on processing are relaxed where the disclosure is "necessary … for the purpose of obtaining legal advice or otherwise establishing, exercising or defending legal rights", or in relation to actual or prospective legal proceedings, in each case where the disclosure could not otherwise be made.
Again, careful thought will need to be given to the particular circumstances before any such exemption is relied upon. It should be brought into play only when there is in reality no other option, and even then the organisation should be prepared to justify its use; otherwise enforcement action may well ensue.
Fines – sharpening the focus on compliance
One of the biggest changes that the GDPR will introduce is the potential for multi-million pound fines for data protection breaches.
From 25 May, data protection authorities across the EU, including the UK's information commissioner, will have the power to issue fines of up to 4% of a business' annual global turnover, or €20 million, whichever is higher, where the business is responsible for certain breaches of the GDPR. Other types of breaches could attract fines of up to 2% of annual global turnover, or €10 million.
A number of other options for sanction will be available to the information commissioner under the proposed new Data Protection Bill.
With this in mind, organisations should undertake an audit to identify any processes which are not GDPR compliant and identify any practical steps which are required in advance of 25 May.
Steps for health and safety practitioners to take
It is not too late for OHS professionals to prepare for the GDPR. They should immediately assess all the categories of personal data they collect, whether directly or indirectly, including through CCTV, by inference or from third parties, and ensure that they are able to meet the requirements of the GDPR in relation to it and, crucially, that they can demonstrate compliance.
Principally, they must be able to show that: all processing takes place in accordance with the data protection principles, and there is a lawful basis for the processing.
Thought must be given to the reason for collecting each separate category of personal data processed, which must be properly communicated to the data subject and documented. The GDPR has a mandatory list of the information which must be given to individuals where data is obtained directly from them but also where it is obtained indirectly. Data can be processed only for the specific purpose identified and notified and no further, unless one of the exemptions applies.
Broadly, steps towards compliance should include:
- assessing all personal data held, and re-assessing it regularly thereafter;
- documenting the data: how it is collected; where it is stored; how long it is kept and for what purpose(s); how it is deleted; and so on;
- reviewing the reasons for holding personal data and redefining them if required;
- reviewing the security of your data systems and ensuring those of any third-party providers are similarly compliant. Undertake a risk analysis and document your findings. Consider whether additional measures should be taken to enhance security, for example encryption and/or other ways of anonymising data. Any sharing with third parties must be documented;
- regularly carrying out risk assessments;
- ensuring staff receive regular and appropriate training on how to handle personal data;
- having a robust and fully compliant data protection policy in place which is regularly reviewed and fully supported. The policy should contain information on:
  - the collection and use of personal data, the reason why it is collected and why it is processed;
  - the rights of data subjects and how you will ensure that these are upheld;
  - how data breaches are dealt with.
Kevin Bridges is an expert in health and safety law at Pinsent Masons, the law firm behind Out-Law.com.