
GDPR and Health and Safety

Presentation on theme: "GDPR and Health and Safety"— Presentation transcript:

1 GDPR and Health and Safety
20 July 2018 Stephen Thompson, Partner Darwin Gray LLP

2 Key purpose of GDPR
- The real purpose is to harmonise the rules across the EU member states
- To ensure that individuals understand how their data is being used, have more control over their data, and understand how to make a complaint about the use of their data
- The Data Protection Act 2018 (DPA) replaces the 1998 Act

3 What data does the GDPR apply to?
- The GDPR only applies to personal data
- 2 categories:
  - “personal data”
  - “sensitive personal data”
- If data is completely anonymised, it will fall outside of the GDPR. However, beware that complete anonymisation can be difficult to achieve.

4 Main principles
- Data processed lawfully, fairly and transparently
- Collected for specified and legitimate purposes
- Limited to what is necessary
- Accurate and up to date data held for the intended purposes
- Data kept for no longer than necessary
- Processed with appropriate security
- Employer responsible for compliance

5 Rights
The GDPR provides for:
- The right to be informed
- The right of access
- The right to rectification
- The right to erase
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automatic decision-making and profiling

6 Legal basis for processing
There are six lawful bases set out in the GDPR:
- Consent
- Contract
- Compliance with a legal obligation
- Vital interests
- Public interests
- Legitimate interests

7 Legal basis for processing
- Organisations are still entitled to deal with data providing they have a legal basis for doing so.
- What about consent? Consent must be “freely given, specific, informed and unambiguous”

8 Legal basis for processing
Most relevant to Health & Safety:
- Contract
- Compliance with a legal obligation
- Vital interests
- Legitimate interest

9 H&S personal data
Health and Safety departments are likely to hold a variety of personal data including the following:
- Employee personal data including sensitive personal data
- Accident reports including details of witnesses and also details of injuries and treatment given
- Transcripts of interviews
- Images from CCTV monitors

10 Practical issues
- Privacy Impact Assessments (PIA)
- Appointment of Data Protection Officer (DPO)
- General employment issues
- Specific health and safety issues
- Record keeping
- Data breaches

11 1. Privacy Impact Assessments
Organisations should undertake a risk assessment to understand:
- What data they are collecting and from whom
- How much data is collected unnecessarily
- Where the data is stored
- What individuals/employees are told about how their data will be used, if anything
- Identify what legal basis you are relying on
Risk assessments should be repeated in the future if the organisation undertakes a new project, or following a breach

12 2. Appointment of DPO
- Make sure you know who your DPO/data manager is and get to know them
- Work with them closely in relation to your health & safety practices and procedures
- Attend and arrange regular training for you and your team
- Keep abreast of changes in the law and ICO developments

13 3. General employment issues
- Privacy Notice - applies to job applicants, employees, consultants and workers
- Subject Access Requests
- Changes or variation to contract clauses
- Data protection policies
- Data sharing agreements

14 General employment issues
- Ensure you know who the Data Protection Officer(s) is/are so you can report issues and breaches
- Familiarise yourself with the relevant strategy and policy documents and comply with them – particularly agile working policies
- Remember that simple mistakes such as emailing the wrong person, or failing to use the blind copy function, are all breaches. Take care to minimise the risk of this happening

15 General employment issues
- Avoid sending personal data via email as a matter of course
- Hold information centrally on the server and send links to colleagues to the relevant folders – IT dept. can deal with any access issue
- If you do need to send information by email, ensure the emails are encrypted – IT dept. can help

16 General employment issues
- If you receive a Subject Access Request ensure that you pass it on promptly to the DPO or relevant person – there is a strict deadline of 28 days to comply
- Also pass on any request for alleged incorrect details to be amended, or for data to be deleted
- Think carefully if you receive a request to share someone’s data
- Manage your emails effectively

17 General employment issues
Agile working – policy dealing with working from home / remotely likely to be updated. Consider issues such as:
- Use work computers / phones where provided
- If using home devices, ensure they are password protected and have some anti-virus as a minimum
- Don’t store login and password details on shared or personal devices
- Avoid using public open Wifi wherever possible to access Office 365 etc

18 4. Specific H&S issues
- The H&S department or system is likely to hold a wide range of personal data
- Employee data such as names, addresses, job titles etc. must all be securely stored
- Sensitive data must be guarded even more carefully

19 Specific H&S issues
Specific recommendations:
- Understand and document current data processes and check that they meet compliance requirements
- Record what personal data is held, why and where
- Regularly re-assess thereafter
- Assess the security of the data stored, in particular sensitive personal data

20 Specific H&S issues
Specific recommendations:
- Consider what data you share with 3rd parties and why, e.g. H&S consultants
- Check their GDPR compliance and consider putting data sharing agreements in place
- Review how long you retain personal data, why and how you destroy it

21 5. Record keeping
- The DPA contains explicit provisions about documenting your processing activities
- You must maintain records on several things such as processing purposes, data sharing and retention
- Records must be kept up to date and reflect your current processing activities
- The ICO have produced some basic templates to help you document your processing activities which can be found on their website

22 6. Data breaches
Types of breach:
- Data loss
- Accidental deletion of data
- Sending data to the wrong person – e.g. emails
- Holding incorrect data
- Sharing data without consent or allowing third party access

23 Data breaches
- “Breach” is more than just loss of data
- “Significant” breaches must be notified to the ICO within 72 hours
- Two tiers of potential fines:
  - the higher of €10million or 2% of your global turnover
  - the higher of €20million or 4% of your global turnover

24 Data breaches
- Don’t be afraid to report the breach to your DPO - most breaches are likely to be minor but should still be reported to the DPO and recorded
- There should be a central register for recording breaches
- Assist the DPO promptly if they need to undertake an investigation of the breach – the DPO might need to make a report to the ICO and time will be of the essence

25 Get in touch If you would like advice or assistance with GDPR/DPA compliance please get in touch:

26 Thank you for listening
@DarwinGrayLLP Darwin Gray LLP
