GDPR and Health and Safety
20 July 2018
Stephen Thompson, Partner, Darwin Gray LLP
Key purpose of GDPR
- The real purpose is to harmonise the rules across the EU member states
- To ensure that individuals understand how their data is being used, have more control over their data, and understand how to make a complaint about the use of their data
- The Data Protection Act 2018 (DPA) replaces the 1998 Act
What data does the GDPR apply to?
- The GDPR only applies to personal data
- 2 categories:
  - “personal data”
  - “sensitive personal data”
- If data is completely anonymised, it will fall outside of the GDPR. However, beware that complete anonymisation can be difficult to achieve.
Main principles
- Data processed lawfully, fairly and transparently
- Collected for specified and legitimate purposes
- Limited to what is necessary
- Accurate and up-to-date data held for the intended purposes
- Data kept for no longer than necessary
- Processed with appropriate security
- Employer responsible for compliance
Rights
The GDPR provides for:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
Legal basis for processing
There are six lawful bases set out in the GDPR:
- Consent
- Contract
- Compliance with a legal obligation
- Vital interests
- Public interests
- Legitimate interests
Legal basis for processing
- Organisations are still entitled to deal with data providing they have a legal basis for doing so.
- What about consent? Consent must be “freely given, specific, informed and unambiguous”
Legal basis for processing
Most relevant to Health & Safety:
- Contract
- Compliance with a legal obligation
- Vital interests
- Legitimate interest
H&S personal data
Health and Safety departments are likely to hold a variety of personal data, including the following:
- Employee personal data, including sensitive personal data
- Accident reports, including details of witnesses and also details of injuries and treatment given
- Transcripts of interviews
- Images from CCTV monitors
Practical issues
- Privacy Impact Assessments (PIA)
- Appointment of Data Protection Officer (DPO)
- General employment issues
- Specific health and safety issues
- Record keeping
- Data breaches
1. Privacy Impact Assessments
Organisations should undertake a risk assessment to understand:
- What data they are collecting and from whom
- How much data is collected unnecessarily
- Where the data is stored
- What individuals/employees are told about how their data will be used, if anything
- What legal basis you are relying on
Risk assessments should be repeated in the future if the organisation undertakes a new project, or following a breach.
2. Appointment of DPO
- Make sure you know who your DPO/data manager is and get to know them
- Work with them closely in relation to your health & safety practices and procedures
- Attend and arrange regular training for you and your team
- Keep abreast of changes in the law and ICO developments
3. General employment issues
- Privacy Notice – applies to job applicants, employees, consultants and workers
- Subject Access Requests
- Changes or variations to contract clauses
- Data protection policies
- Data sharing agreements
General employment issues
- Ensure you know who the Data Protection Officer(s) is/are so you can report issues and breaches
- Familiarise yourself with the relevant strategy and policy documents and comply with them – particularly agile working policies
- Remember that simple mistakes such as e-mailing the wrong person, or failing to use the blind copy function, are all breaches. Take care to minimise the risk of this happening
General employment issues
- Avoid sending personal data via e-mail as a matter of course
- Hold information centrally on the server and send colleagues links to the relevant folders – the IT dept. can deal with any access issues
- If you do need to send information by e-mail, ensure the e-mails are encrypted – the IT dept. can help
General employment issues
- If you receive a Subject Access Request, ensure that you pass it on promptly to the DPO or relevant person – there is a strict deadline of 28 days to comply
- Also pass on any request for alleged incorrect details to be amended, or for data to be deleted
- Think carefully if you receive a request to share someone’s data
- Manage your e-mails effectively
General employment issues
Agile working – the policy dealing with working from home / remotely is likely to be updated. Consider issues such as:
- Use work computers / phones where provided
- If using home devices, ensure they are password protected and have some anti-virus as a minimum
- Don’t store login and password details on shared or personal devices
- Avoid using public open Wi-Fi wherever possible to access Office 365 etc.
4. Specific H&S issues
- The H&S department or system is likely to hold a wide range of personal data
- Employee data such as names, addresses, job titles etc. must all be securely stored
- Sensitive data must be guarded even more carefully
Specific H&S issues
Specific recommendations:
- Understand and document current data processes and check that they meet compliance requirements
- Record what personal data is held, why and where
- Regularly re-assess thereafter
- Assess the security of the data stored, in particular sensitive personal data
Specific H&S issues
Specific recommendations:
- Consider what data you share with third parties and why, e.g. H&S consultants
- Check their GDPR compliance and consider putting data sharing agreements in place
- Review how long you retain personal data, why, and how you destroy it
5. Record keeping
- The DPA contains explicit provisions about documenting your processing activities
- You must maintain records on several things, such as processing purposes, data sharing and retention
- Records must be kept up to date and reflect your current processing activities
- The ICO have produced some basic templates to help you document your processing activities, which can be found on their website
6. Data breaches
Types of breach:
- Data loss
- Accidental deletion of data
- Sending data to the wrong person – e.g. e-mails
- Holding incorrect data
- Sharing data without consent or allowing third party access
Data breaches
- “Breach” is more than just loss of data
- “Significant” breaches must be notified to the ICO within 72 hours
- Two tiers of potential fines:
  - the higher of €10 million or 2% of your global turnover
  - the higher of €20 million or 4% of your global turnover
Data breaches
- Don’t be afraid to report the breach to your DPO – most breaches are likely to be minor but should still be reported to the DPO and recorded
- There should be a central register for recording breaches
- Assist the DPO promptly if they need to undertake an investigation of the breach – the DPO might need to make a report to the ICO and time will be of the essence
Get in touch
If you would like advice or assistance with GDPR/DPA compliance, please get in touch: sthompson@darwingray.com
Thank you for listening
@DarwinGrayLLP
Darwin Gray LLP