How does GDPR affect health and safety management?

Before 25 May 2018, in-boxes were filled with email about the General Data Protection Regulation (GDPR). It might be assumed that under GDPR you are no longer allowed to hold much, if any, personal data about your staff or others. Personal data in the context of GDPR is any information that relates to an identified or identifiable person.

However, not holding personal data conflicts with the usual way of managing health and safety risks. For example, most employers hold training records and copies of qualifications held by staff.

Article 5 of the GDPR requires those who hold personal data to process it lawfully, fairly and in a transparent manner. The principles that ensure there is a lawful basis for you to hold personal data are: there is a legal obligation; or, you have a legitimate interest. A legal obligation to hold or use data may arise for a number of reasons. For example, in the event of an accident you are under a strict duty to submit a report to the HSE under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR). RIDDOR requires companies to provide detailed information about an injured person. Another strict duty is for employers to hold health surveillance records for a period of at least 40 years. Again, this cannot be achieved without holding personal data.

With regard to the legitimate interest aspect of GDPR, a valid legitimate interest for a company would be to hold information about staff that demonstrates the individuals are competent to carry out the roles they are employed for.

GDPR requires transparency. This means that individuals have the right to be informed about the collection and use of their personal data. Facilitating this may require an amendment to your health and safety policy and arrangements, as well as having a privacy policy in place.