An overhaul of the UK’s data protection and privacy laws raises serious questions for OSH professionals, who will need to be mindful of the financial and legal costs of non-compliance.
In the 21st century, data has the potential to be an OSH professional’s most important asset so long as it is obtained, recorded and used legally. Failure to do so, however, could lead to prosecution and fines ranging from 2-4% of a company’s global annual turnover.
This radical shake-up in UK data protection and privacy laws comprises the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18) and the Privacy and Electronic Communications Regulations 2003 (PECR). All three bring new levels of ‘safety’ protection that OSH professionals must comply with.
Although data provides OSH professionals with a wealth of important material, under the DPA18, any personal information kept on file that covers employees and customers must be adequate, relevant and not excessive. Inadequate records can lead to problems when managers have to deal with absence levels, staff turnover, sickness, lateness and discipline.
As well as grasping the implications of the GDPR and the DPA18, OSH professionals also need to carefully consider PECR and the Computer Misuse Act. So what can OSH professionals do to avoid any costly legal and financial pitfalls further down the road?
The OSH professional may act as a ‘data controller’, which means they are obliged to quantify the risk to the data subject’s rights and freedoms from processing their personal data. Risk assessments covering a plethora of safety issues will contain personal data and must comply with the GDPR, DPA18 and PECR. Another issue to consider is the lawfulness of processing personal data (see ‘What is personal data?’ box, below) and what the assessment’s legal justification is.
Before processing personal data, the data subject’s consent must be freely given and received by the controller (see box, below).
When data controllers ask for consent, they have a duty under the GDPR to assess whether it will meet all the requirements for valid consent. If it is obtained incorrectly, the consent becomes an invalid basis for processing, meaning the activity is unlawful. The same applies where the OSH professional is acting as a processor, as the GDPR imposes direct compliance obligations on both controllers and processors, and both will face direct enforcement and serious penalties if they do not comply with the new EU data protection law.
The regulation brings in new accountability and transparency requirements. In particular, you must now inform those concerned upfront about your lawful basis for processing their personal data. OSH professionals (data controllers, or even those acting as a processor) need to explain clearly what they will do with the data subject’s consent, and whether they will do anything else on a different lawful basis. If the OSH professional knows that they will need to retain the data after consent is withdrawn for a particular purpose under another lawful basis, they need to tell the data subject at the outset. The process must also be documented in a data privacy impact assessment (DPIA).
The GDPR does not require a DPIA to be carried out for every processing operation that may result in risks to the rights and freedoms of natural persons. Under Article 35(1), it is only mandatory where processing is “likely to result in a high risk to the rights and freedoms of natural persons”.
A DPIA describes the processing operation, assesses its necessity and proportionality and helps manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data. It also determines the measures to address them. DPIAs are important tools for accountability, as they help controllers comply with GDPR requirements and demonstrate that appropriate measures have been taken to ensure compliance.
They also take into account new situations that could lead to high risks, which affect the rights and freedoms of natural persons. There is no need to carry one out in cases where similar technology has been used previously to collect similar data for the same purposes.
For example, this could apply to a group of municipal authorities that are each setting up a similar closed circuit television (CCTV) system. Each one could carry out a single DPIA that covers how the processing is undertaken by the separate controllers. Alternatively, a railway operator (single controller) could cover video surveillance in all its train stations with one DPIA. This may also be applicable to similar processing operations that are implemented by various data controllers. In such cases, a reference DPIA should be shared or made publicly accessible, measures described in it must be implemented, and a justification for conducting one must be provided.
Fines for breaches of the DPA18 and the GDPR can range from 2-4% of a company’s global annual turnover.
Big Brother is watching
A DPIA can also be useful for assessing the impact of CCTV on data protection. The legality of CCTV use generally falls under the PECR although OSH professionals should also be aware of the Computer Misuse Act. The amount of data generated by the recording, combined with analysing tools and techniques, increases the risks of secondary use (whether related or not to the purpose originally assigned to the system) and the risks of misuse.
The potential risk of misuse grows in proportion to the amount of space monitored by the cameras as well as the number of individuals captured in the recording. Article 35(3)(c) of the GDPR requires that a DPIA is carried out when a publicly accessible area is heavily monitored on a large-scale. Also, Article 37(1)(b) requires processors to designate a data protection officer, if the processing operation entails regular and systematic monitoring of data subjects.
OSH professionals should be careful about what information is gathered and mindful of the data subject’s rights. If their organisation receives a data subject access request, the information held on the data subject must be identified and returned to them within one month. If the time period elapses and no information is provided, the data subject is entitled to compensation under Article 82 of the GDPR and does not have to commence court proceedings to apply for it. Other defined rights for the data subject include the right to rectification (Article 16), the right to erasure (Article 17) and the right to restriction of processing (Article 18). They can also insist that all data transfers are completed with suitable safeguards in place.
If the organisation or OSH professional uses a cloud IT service which stores and/or processes sensitive information (including personal data) anywhere outside of the UK, they must consider if it is being transferred internationally. If OSH professionals transfer data by fax or computer, under Article 32 they must ensure they have implemented technical and organisational measures to ensure a level of security appropriate to the risk.
When assessing this, OSH professionals must be aware of any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. Paper records need a secure mechanism for transfer, which would include verification that the information is being sent to the correct address and via a secure courier.
What is personal data?
This term applies to any information that relates to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Privacy by design
One of the most important features of the GDPR is compliance with Article 25 – the principle of data protection by design and by default (DPDD), which means that compliance shouldn’t be an afterthought. It should be treated as core to planning and implementing any new product or service.
It requires that personal data protection is part of the DNA of all products, services and information society services so that it is lawful under the GDPR. The OSH professional must ensure that, during the planning phase of processing activities and the implementation phase of any new product or service, data protection principles and appropriate technical and organisational safeguards are fully applied.
For those companies and organisations with a high risk appetite, re-booting their thinking on data protection along the lines of DPDD will require technical and organisational changes and a shift in culture. For companies and organisations that are naturally risk-averse, following the DPDD principles will help to enhance organisational reputation rather than simply being an exercise in GDPR compliance.
There’s wriggle room in how a data controller and data processor implement data protection by design, but there isn’t in complying with data protection by default. As the organisation is required to demonstrate how it has considered this, it makes sense to ‘re-wire’ data processing operations so they comply with the GDPR.
A health record must be kept for all employees under health surveillance. Health records, or a copy, should be kept in a suitable form for at least 40 years from the date of the last entry because there is often a long period between exposure and the onset of ill health. A data privacy requirement is attached to the storage of records to ensure the data is held securely and not accessed by inappropriate parties. A ‘DPIA Lite’ should be considered to identify any long-term risk to the data subject arising from the storage of personal data.
The data subject access request (DSAR) gives the individual in question the right to obtain a copy of their personal data as well as any other supplementary information. Individuals are entitled to their own personal data, not to information relating to other people, and the DSAR helps them understand how and why their data is being used. It is therefore important that OSH professionals establish whether the information requested falls within the definition of personal data held by them. An individual can make a data subject access request verbally or in writing; the OSH professional must comply within one month of receipt of the request or (if later) within one month of receipt of:
- any information requested to clarify the request;
- any information requested to confirm the requester’s identity.
Responsibility for complying with a subject access request lies with the OSH professional. Failure to supply the requested information within the required timeline entitles the data subject to make a claim under Article 82. This provides that any person who has suffered material or non-material damage due to an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage inflicted.
Both private and public sector companies have started to insert data privacy requirements in their tendering processes. This is evident in Procurement Policy Note (PPN) 09/14 (25 May 2016), which sets out the steps that the government is taking to further reduce levels of cyber security risk in its supply chain.
In light of these changes in data privacy, OSH professionals would be well advised to consider their responsibilities carefully and ensure they have the correct tools and have had the required training to meet the data privacy requirements.
To consent or not to consent?
Consent gives data subjects control over whether or not personal data that relates to them can be processed. Consent can only be an appropriate lawful basis if the data subject is offered control, which means they have been offered a genuine choice to accept or decline the terms offered, and can decline them without detriment.