From May 25, the GDPR brought in new requirements on businesses to manage their data differently. The aim is to ensure a greater level of protection of personal data and more robust security of information.
But, according to TUC’s head of safety Hugh Robertson, there have been unintended ‘worrying’ ramifications for health and safety. Writing in a TUC blog posting, he said: “We find that a lot of employers are saying that the GDPR restricts what information they can supply [to health and safety representatives].
“Examples of this include refusing to hand over information from accident report forms, instead saying they will just give quarterly reports, or instructing their auditor to stop sharing their safety audits with safety representatives on the grounds they contain some personal data.
“This is nonsense. These employers are making no attempt to gain consent for sharing the information or, if consent is withheld, anonymising
According to HSE, GDPR should make no difference to union safety reps’ work as the Safety Representatives and Safety Committees Regulations already impose requirements on consent.
A spokesperson told Safety Management: “Employers are required to provide documents and information requested by safety representatives under Regulation 7 of SRSC as before. This includes the requirement to obtain the consent of an individual employee before providing to safety representatives documents which relate specifically to that employee.”
However, according to Murray Ferguson, director at health and safety software systems provider Pro-Sapien, organisations without ‘flexible’ IT systems may struggle to handle sensitive data appropriately.
“Employers who have left it late to consider the legislative impact may find themselves in a situation where meeting the requirements of GDPR and their union rep obligations are time consuming and cumbersome,” said Ferguson.
“In an ideal situation, the EHS professional should be aware of and ensure that free text fields relating to the incident should not include personal information when managing the Incident Reporting process. This means that the details of an individual can be managed in controlled fields (such as Health Records) and omitted where the recipient third party does not need to know that information – although, as Robertson argues, without some data the report may be useless.
“We see this being handled by using report types; template reports can be created where only the appropriate level of detail is provided based on the recipient of the report and whether the injured party has provided permission for their personal information to be shared.”
He added that the process of gaining such permissions may be a ‘challenge’, but ultimately not problematic. “In the case of union reps it is likely that the data subject would not object to their information being shared.”