Just a short 9 months ago the world was turned upside down by a single piece of legislation. This piece of legislation forced businesses across the world to shred, burn, or dissolve with industrial strength acid any evidence in their possession that another human being existed – unless, of course, the individual in question was willing to take a blood oath that they were absolutely, super-duper, positively, 100%, pinkie promise happy for them to use their data.
So, when it comes to safety management, this left people with a bit of a dilemma as health and safety legislation, seemingly, came into conflict with data protection legislation - leaving them in a catch-22 situation.
Employees need to be safe at work and so need to be trained. Records need to be kept of their training, of their personal licenses and accreditation etc. to prove that this has been done. But their data also needs to be kept safe and, in order to do so, any mention of their existence needs to be destroyed.
Ok, so perhaps I’m laying it on a bit thick, the GDPR really shouldn’t be making you flush personal data down the toilet or hide it under the floorboards. But there still is a legitimate question as to how much of a conflict there is between data protection under the GDPR and your duties to the safety of employees at your organisation.
The answer is actually quite simple: there’s no real conflict at all, the GDPR can be a very understanding creature.
Article 5 of the GDPR requires that personal data be processed lawfully, fairly and transparently, and Article 6 sets out the list of “lawful bases” on which you may hold and use it. There are two that concern us right now:
- You are under a legal obligation, and
- You have a legitimate interest.
Now, employers have a number of legal obligations to hold certain data on their employees for the purposes of health and safety. For example, employers need to hold health surveillance records on their employees for 40 years.
Similarly, if you need to report an injury under RIDDOR then you’ll need to provide full details about the injured person, and you’ll need to keep details for your own records.
Also, it can be considered well within your “legitimate interests” to hold certain information – things that were mentioned earlier, like training records, accreditations, records of competency etc.
In terms of having a lawful basis, you’re covered. Where there may be an issue is with regards to transparency, how long you keep the data, and precisely what you use it for.
Individuals have a right to know what data you hold on them, on what lawful basis you hold it, how long you intend to hold it, and just what you intend to do with it.
Keep staff informed: update your health and safety policy with this information, or issue staff with a privacy notice that sets it out. And most importantly, never use their information for any purpose other than the ones you have told them about or that you are legally bound to.
Remember, either you have a lawful basis (a legal obligation or a legitimate interest) to hold staff data, or you don’t hold it at all. Keep them informed and stick to what you’ve told them and you can’t go wrong.
iHASCO's GDPR Essentials Training is a great way of making your staff more knowledgeable about personal data and how it should be handled. To date, we've helped over 140,000 people work towards compliance with the GDPR! Get started with a free trial today...