Employers are restricting union safety reps’ access to information under a ‘nonsense’ interpretation of the General Data Protection Regulation (GDPR) the TUC has warned.
From May 25, the GDPR brought in new requirements on businesses to manage their data differently. The aim is to ensure a greater level of protection of personal data and more robust security of information.
But, according to TUC’s head of safety Hugh Robertson, there have been unintended ‘worrying’ ramifications for health and safety. Writing in a TUC blog posting, he said: “We find that a lot of employers are saying that the GDPR restricts what information they can supply [to health and safety representatives].
“Examples of this include refusing to hand over information from accident report forms, instead saying they will just give quarterly reports, or instructing their auditor to stop sharing their safety audits with safety representatives on the grounds they contain some personal data.
“This is nonsense. These employers are making no attempt to gain consent for sharing the information or, if consent is withheld, anonymising
According to HSE, GDPR should make no difference to union safety reps’ work as the Safety Representatives and Safety Committees Regulations already impose requirements on consent.
A spokesperson told Safety Management: “Employers are required to provide documents and information requested by safety representatives under Regulation 7 of SRSC as before. This includes the requirement to obtain the consent of an individual employee before providing to safety representatives documents which relate specifically to that employee.”
However, according to Murray Ferguson, director at health and safety software systems provider Pro-Sapien, organisations without ‘flexible’ IT systems may struggle to handle sensitive data appropriately.
“Employers who have left it late to consider the legislative impact may find themselves in a situation where meeting the requirements of GDPR and their union rep obligations are time consuming and cumbersome,” said Ferguson.
“In an ideal situation, the EHS professional should be aware of and ensure that free text fields relating to the incident should not include personal information when managing the Incident Reporting process. This means that the details of an individual can be managed in controlled fields (such as Health Records) and omitted where the recipient third party does not need to know that information – although, as Robertson argues, without some data the report may be useless.
“We see this being handled by using report types; template reports can be created where only the appropriate level of detail is provided based to the recipient of the report and whether the injured party has provided permission for their personal information to be shared.”
He added that the process of gaining such permissions may be a ‘challenge’, but ultimately not problematic. “In the case of union reps it is likely that the data subject would not object to their information being shared.”
GDPR and Health and Safety, a Guide here
GDPR Online training avalaible here
By Belinda Liversedge on 26 July 2021
93 per cent of firms plan to adopt hybrid working models, according to a Confederation of British Industry (CBI) report.
By Belinda Liversedge on 13 July 2021
Experience has taught us that we can’t guarantee people will behave responsibly to prevent Covid transmission and wear masks, the chair of the British Safety Council has warned.
By Belinda Liversedge on 12 July 2021
The success of a pilot to trial the four-day working week in Iceland should be noted by other governments, the think tank which led the project has said.