Features
Compliance

Keeping record

Open-access content. By Steve Wilkinson CMIOSH, Tuesday 25th February 2020
Image credit: iStock

An overhaul of the UK’s data protection and privacy laws raises serious questions for OSH professionals, who will need to be mindful of the financial and legal costs of non-compliance.

In the 21st century, data has the potential to be an OSH professional's most important asset, so long as it is obtained, recorded and used lawfully. Failure to do so can lead to enforcement action and fines of up to 2% or 4% of a company's global annual turnover (or €10m or €20m, whichever is higher), depending on which provisions are breached.

The legal framework is made up of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18), which replaced the 1998 Act and supplements the GDPR in the UK, and the older Privacy and Electronic Communications Regulations 2003 (PECR), which govern electronic marketing, cookies and the security of electronic communications services. Together they set a new level of protection for the personal data that OSH professionals handle, and new obligations to comply with.

Although data gives OSH professionals a wealth of useful material, the data minimisation principle (GDPR Article 5(1)(c), applied in the UK through the DPA18) requires that any personal information kept on file about employees and customers is adequate, relevant and limited to what is necessary. The other side of that coin is that inadequate records cause problems when managers have to deal with absence levels, staff turnover, sickness, lateness and discipline: minimisation means keeping what is needed, not keeping less than is needed.

As well as grasping the implications of the GDPR and the DPA18, OSH professionals also need to carefully consider PECR and the Computer Misuse Act. So what can OSH professionals do to avoid any costly legal and financial pitfalls further down the road?

Risk-based approach

The organisation that decides why and how personal data is processed is the 'data controller', and the OSH professional often performs that role on its behalf. That brings an obligation to assess the risk to data subjects' rights and freedoms that the processing creates. Safety risk assessments across a plethora of topics will contain personal data (names, health conditions, working patterns) and must be handled in line with the GDPR and DPA18. A related question is the lawfulness of the processing (see 'What is personal data?' box, below): which of the lawful bases in Article 6 the assessment relies on and, where it records health data, which Article 9 condition applies.

Consent is only one of those lawful bases, and it is the weakest one in an employment setting. Where consent is relied on it must be freely given, specific, informed and unambiguous (see 'To consent or not to consent?' box, below); because of the imbalance of power between employer and employee, the ICO's view is that consent is rarely freely given at work. Health surveillance records, for example, are more naturally processed under a legal obligation (Article 6(1)(c)) together with an Article 9(2) condition such as 9(2)(b) (employment law obligations) or 9(2)(h) (occupational medicine) than under consent.

When controllers do ask for consent, they have a duty under the GDPR to check that it meets all the requirements for valid consent. If it is obtained incorrectly, consent is an invalid basis for processing and the activity is unlawful. The same applies where the OSH professional is acting as a processor: the GDPR imposes direct compliance obligations on both controllers and processors, and both face direct enforcement and serious penalties if they do not comply with the EU data protection law.

The regulation also brings in accountability and transparency requirements. In particular, you must inform those concerned up front about your lawful basis for processing their personal data (Articles 13 and 14). OSH professionals, whether acting for the controller or as a processor, need to explain clearly what they will do with the data subject's consent, and whether they will do anything else on a different lawful basis. If the OSH professional knows they will need to retain the data after consent is withdrawn, for a particular purpose under another lawful basis, they must tell the data subject at the outset. The reasoning should be documented: in the record of processing activities (Article 30) and, where the processing is high risk, in a data protection impact assessment (DPIA).

The GDPR does not require a DPIA for every processing operation that may create risks for the rights and freedoms of natural persons. Under Article 35(1), a DPIA is mandatory only where processing is "likely to result in a high risk to the rights and freedoms of natural persons", although one can be carried out voluntarily for anything else.

A DPIA describes the processing operation, assesses its necessity and proportionality and helps manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data. It also determines the measures to address them. DPIAs are important tools for accountability, as they help controllers comply with GDPR requirements and demonstrate that appropriate measures have been taken to ensure compliance.

They also help to identify new situations that could lead to high risks to the rights and freedoms of natural persons. A fresh DPIA is not needed where an existing DPIA already covers similar technology collecting similar data for the same purposes; a single DPIA may address a set of similar processing operations that present similar high risks.

For example, a group of municipal authorities each setting up a similar closed-circuit television (CCTV) system could carry out a single DPIA that covers how the processing is undertaken by the separate controllers. Alternatively, a railway operator (a single controller) could cover video surveillance in all its train stations with one DPIA. The same approach applies to similar processing operations implemented by various data controllers. In such cases the reference DPIA should be shared or made publicly accessible, the measures described in it must actually be implemented, and the justification for relying on a single DPIA must be recorded.

Fines for breaches of the DPA18 and the GDPR can reach 2% or 4% of a company's global annual turnover

Big Brother is watching

A DPIA is also the right tool for assessing the impact of CCTV on data protection. The lawfulness of CCTV use is governed by the GDPR and DPA18 (the ICO publishes specific guidance on video surveillance) and, for relevant public authorities in England and Wales, by the Surveillance Camera Code of Practice; PECR does not regulate CCTV. OSH professionals should also be aware of the Computer Misuse Act, which bites when footage, or the system that stores it, is accessed without authorisation. The amount of data generated by the recording, combined with analysis tools and techniques, increases the risk of secondary use (whether or not related to the purpose originally assigned to the system) and the risk of misuse.

The potential for misuse grows in proportion to the amount of space monitored by the cameras and the number of individuals captured in the recording. Article 35(3)(c) of the GDPR makes a DPIA mandatory for systematic monitoring of a publicly accessible area on a large scale. Article 37(1)(b) requires both controllers and processors to designate a data protection officer where their core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale.

OSH professionals should be careful about what information is gathered and mindful of the data subject's rights. If their organisation receives a data subject access request, the information held on that person must be identified and provided to them within one month. If the deadline passes and nothing is provided, the data subject can complain to the ICO under Article 77 without going to court, and anyone who has suffered damage can also claim compensation under Article 82, which is pursued as a court claim. Other rights include the right to rectification (Article 16), the right to erasure (Article 17) and the right to restriction of processing (Article 18). Data subjects can also expect that any international transfer of their data is made with the safeguards that Chapter V of the GDPR requires.

If the organisation or OSH professional uses a cloud IT service that stores and/or processes sensitive information (including personal data) anywhere outside the UK, it must consider whether that amounts to an international transfer, which is permitted only under an adequacy decision or with appropriate safeguards. Whether data is sent by fax, email or any other channel, Article 32 requires technical and organisational measures that ensure a level of security appropriate to the risk; the article names encryption and pseudonymisation as examples of such measures.

In assessing what is appropriate, OSH professionals must consider the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed (Article 32(2)). Paper records need a secure mechanism for transfer, including verification that the information is going to the correct address, and a secure or tracked courier.


What is personal data?

The term applies to any information that relates to an identified or identifiable natural person (the 'data subject'). A person is identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR Article 4(1)).


Privacy by design

One of the most important features of the GDPR is compliance with Article 25 – the principle of data protection by design and by default (DPDD), which means that compliance shouldn’t be an afterthought. It should be treated as core to planning and implementing any new product or service.

It requires that personal data protection is built into all products, services and information society services so that the processing is lawful under the GDPR. The OSH professional must ensure that, during both the planning phase of processing activities and the implementation phase of any new product or service, data protection principles and appropriate technical and organisational safeguards are fully applied.

For companies and organisations with a high risk appetite, rebooting their thinking on data protection along DPDD lines will require technical and organisational changes and a shift in culture. For those that are naturally risk-averse, following the DPDD principles will enhance organisational reputation rather than being merely an exercise in GDPR compliance.

Article 25 places these obligations on the controller. There is some latitude in how data protection by design is implemented, because Article 25(1) lets the controller take account of the state of the art, the cost of implementation and the risks; there is much less latitude with data protection by default, because Article 25(2) requires that, by default, only the personal data necessary for each specific purpose is processed, in terms of the amount collected, the extent of processing, the retention period and who can access it. As the organisation must be able to demonstrate how it has considered this, it makes sense to 're-wire' data processing operations so they comply with the GDPR.

A health record must be kept for every employee under health surveillance. Health records, or a copy, should be kept in a suitable form for at least 40 years from the date of the last entry (a requirement of regulations such as COSHH), because there is often a long period between exposure and the onset of ill health. That long retention attaches a data privacy requirement to the storage of the records: the data must be held securely and not accessed by inappropriate parties, and the security measures must keep pace with changes in technology over decades. A screening assessment (a 'DPIA lite') should be considered to identify any long-term risk to the data subject from storing their personal data.

The data subject access request (DSAR) gives the individual the right to obtain a copy of their personal data together with certain supplementary information (such as the purposes of processing and the retention period). It helps individuals understand how and why their data is being used. They are entitled to their own personal data, not to information relating to other people, so it is important that OSH professionals establish whether the information requested falls within the definition of personal data that they hold, and that third-party data is redacted before disclosure. An individual can make a request verbally or in writing, and it does not need to mention the GDPR. The OSH professional must comply within one month of receipt of the request or (if later) within one month of receipt of:

  • any information requested to clarify the request; and
  • any information requested to confirm the requester's identity.

Identity should be checked only where there is reasonable doubt about who is asking, but when it is checked it must be checked properly: a DSAR answered without verifying the requester is a ready-made way to hand one person's health records to another. Article 12(3) allows the one-month period to be extended by up to two further months where a request is complex or where several have been made, provided the individual is told within the first month why the extension is needed.

Responsibility for complying with a subject access request lies with the controller, which in practice means the OSH professional who holds the records. Failure to supply the requested information within the required timeline exposes the organisation to an Article 82 claim: any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered.
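The timeline above can be made mechanical, which helps when several requests are open at once. The Python below is an added example, not code from the original article or from IOSH: it models the one-month clock starting from the latest of receipt, clarification and identity confirmation (the rule as the article states it), the Article 12(3) extension, and the ICO reading of 'one month' as the corresponding calendar date in the following month, or its last day if that date does not exist (so a request received on 31 January is due on 28 or 29 February). The class and function names are hypothetical, the dates are constructed, and two things are deliberately left out: roll-over to the next working day when the deadline falls on a weekend or bank holiday, and the later ICO position that a request for clarification pauses the clock rather than restarting it, which you should check against current guidance.

```python
"""DSAR deadline calculator: added example, not code from the original article.

Rules modelled (see the text above):
  * the clock starts on the day the request is received, or, if later, on the
    day requested clarification or identity confirmation arrives;
  * the response is due within one month of that day; ICO guidance reads
    'one month' as the corresponding calendar date in the next month, or the
    last day of that month if there is no corresponding date;
  * Article 12(3) allows two further months for complex or numerous requests,
    and the requester must be told of the extension within the first month.
Not modelled (assumption: handled by the caller): roll-over to the next
working day when the deadline lands on a weekend or bank holiday.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_months(start: date, months: int) -> date:
    """Return the corresponding date `months` later, clamped to the month end.

    date(2020, 1, 31) + 1 month -> date(2020, 2, 29)  (leap year)
    date(2019, 12, 15) + 1 month -> date(2020, 1, 15)
    """
    index = start.month - 1 + months          # zero-based month counter
    year, month = start.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class DsarRequest:
    """One subject access request and the dates that move its clock.

    Hypothetical model; the field names are not from the article or any
    standard.
    """
    received: date                                  # request arrived (verbal or written)
    identity_confirmed: Optional[date] = None       # proof of identity arrived, if asked for
    clarification_received: Optional[date] = None   # requester narrowed the request, if asked to
    extended: bool = False                          # Article 12(3) extension invoked

    def clock_start(self) -> date:
        """Latest of receipt, identity confirmation and clarification."""
        events = (self.received, self.identity_confirmed, self.clarification_received)
        return max(d for d in events if d is not None)

    def deadline(self) -> date:
        """One month from the clock start, or three months in total if extended."""
        return add_months(self.clock_start(), 3 if self.extended else 1)

    def extension_notice_due(self) -> date:
        """If extending, the requester must be told by this date (first month)."""
        return add_months(self.clock_start(), 1)

    def is_overdue(self, today: date) -> bool:
        """True once the deadline has passed without a response."""
        return today > self.deadline()


if __name__ == "__main__":
    # Constructed scenario: request received on the article's publication
    # date; proof of identity was asked for and arrived a week later.
    req = DsarRequest(received=date(2020, 2, 25),
                      identity_confirmed=date(2020, 3, 3))
    print("clock starts", req.clock_start())                     # 2020-03-03
    print("response due", req.deadline())                        # 2020-04-03
    print("overdue on 4 April?", req.is_overdue(date(2020, 4, 4)))  # True
```

Keeping the clock-start logic in one place matters because the identity-check step is the one most likely to be gamed in both directions: an organisation must not use it to delay, and it must not skip it when there is reasonable doubt, since the records involved are often health data.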

Both private and public sector organisations have started to insert data privacy and cyber security requirements into their tendering processes. One example is Procurement Policy Note (PPN) 09/14 (updated 25 May 2016), which requires suppliers bidding for certain central government contracts that involve handling personal or sensitive information to hold Cyber Essentials certification, as part of the steps the government is taking to reduce cyber security risk in its supply chain.

In light of these changes in data privacy, OSH professionals would be well advised to consider their responsibilities carefully and ensure they have the correct tools and have had the required training to meet the data privacy requirements. 


To consent or not to consent?

Consent gives data subjects control over whether personal data relating to them may be processed. It is a valid lawful basis only if that control is real: the data subject must be offered a genuine choice to accept or decline the terms, be able to decline or later withdraw without detriment, and be told clearly what they are consenting to. Where the controller could not realistically accept a 'no', as is often the case between employer and employee, consent is not freely given and another lawful basis should be used.

This article appeared in the February 2020 issue of IOSH Magazine.
