
GDPR and Health and Safety

Learn about the key purpose of GDPR, its application to personal data, rights provided, lawful bases for processing, and practical considerations for Health & Safety departments. Stay informed and ensure compliance with GDPR regulations.


Presentation Transcript


  1. 20 July 2018 Stephen Thompson, Partner Darwin Gray LLP GDPR and Health and Safety

  2. Key purpose of GDPR • The real purpose is to harmonise the rules across the EU member states • To ensure that individuals understand how their data is being used, have more control over their data, and understand how to make a complaint about the use of their data • The Data Protection Act 2018 (DPA) replaces the 1998 Act

  3. What data does the GDPR apply to? • The GDPR only applies to personal data • Two categories: “personal data” and “sensitive personal data” (called “special category data” in the GDPR itself, e.g. health data) • If data is completely anonymised, it falls outside the GDPR. However, beware that complete anonymisation is difficult to achieve; data that is merely pseudonymised (e.g. names replaced with employee IDs) is still personal data.

  4. Main principles • Data processed lawfully, fairly and transparently • Collected for specified, explicit and legitimate purposes • Limited to what is necessary for those purposes • Accurate and kept up to date • Kept in identifiable form for no longer than necessary • Processed with appropriate security against unauthorised access, loss or damage • The employer, as data controller, is responsible for compliance and must be able to demonstrate it (accountability)

  5. Rights The GDPR provides for: • The right to be informed • The right of access • The right to rectification • The right to erasure • The right to restrict processing • The right to data portability • The right to object • Rights in relation to automated decision-making and profiling

  6. Legal basis for processing There are six lawful bases set out in the GDPR (Article 6): • Consent • Contract • Compliance with a legal obligation • Vital interests • Public interest / public task • Legitimate interests

  7. Legal basis for processing Organisations are still entitled to process data provided they have a lawful basis for doing so. What about consent? Consent must be “freely given, specific, informed and unambiguous”. In the employment relationship consent is rarely appropriate, because the imbalance of power means it is unlikely to be freely given and it can be withdrawn at any time.

  8. Legal basis for processing Most relevant to Health & Safety: • Contract • Compliance with a legal obligation (e.g. the duty to record and report accidents under RIDDOR) • Vital interests (e.g. emergency medical treatment) • Legitimate interests Note that health data is special category data, so a separate condition under Article 9 (such as processing necessary for obligations under employment law) is also needed.

  9. H&S personal data Health and Safety departments are likely to hold a variety of personal data, including: • Employee personal data, including sensitive (special category) personal data such as health records • Accident reports, including details of witnesses and of injuries and treatment given • Transcripts of interviews • CCTV footage

  10. Practical issues • Privacy Impact Assessments (PIA), now called Data Protection Impact Assessments (DPIA) under the GDPR • Appointment of a Data Protection Officer (DPO) • General employment issues • Specific health and safety issues • Record keeping • Data breaches

  11. 1. Privacy Impact Assessments • Organisations should undertake a risk assessment to understand: what data they are collecting and from whom; how much data is collected unnecessarily; where the data is stored; what individuals/employees are told about how their data will be used, if anything; and which lawful basis is being relied on for each purpose • Risk assessments should be repeated if the organisation undertakes a new project or changes how it processes data, and following a breach

  12. 2. Appointment of DPO • Make sure you know who your DPO/data manager is and get to know them • Work closely with them in relation to your health & safety practices and procedures • Attend, and arrange, regular training for you and your team • Keep abreast of changes in the law and ICO guidance

  13. 3. General employment issues • Privacy Notice: applies to job applicants, employees, consultants and workers • Subject Access Requests • Changes or variations to contract clauses • Data protection policies • Data sharing agreements

  14. General employment issues • Ensure you know who the Data Protection Officer(s) is/are so you can report issues and breaches • Familiarise yourself with the relevant strategy and policy documents and comply with them, particularly agile working policies • Remember that simple mistakes such as e-mailing the wrong person, or failing to use the blind copy (Bcc) function when e-mailing a group, are all personal data breaches. Take care to minimise the risk of this happening

  15. General employment issues • Avoid sending personal data via e-mail as a matter of course • Hold information centrally on the server and send colleagues links to the relevant folders; access is then controlled by folder permissions, and the IT dept. can deal with any access issues • If you do need to send information by e-mail, ensure the e-mail (or the attachment) is encrypted; the IT dept. can help

  16. General employment issues • If you receive a Subject Access Request, pass it on promptly to the DPO or relevant person: there is a strict deadline of one month from receipt to comply (extendable by up to two further months only for complex or numerous requests) • Also pass on any request for allegedly incorrect details to be amended, or for data to be deleted • Think carefully if you receive a request to share someone’s data, and check who is asking and on what basis • Manage your e-mails effectively

  17. General employment issues • Agile working: the policy dealing with working from home / remotely is likely to be updated. Consider issues such as: • Use work computers / phones where provided • If using home devices, ensure they are password protected and have anti-virus software as a minimum • Don’t store login and password details on shared or personal devices • Avoid using public open Wi-Fi wherever possible to access Office 365 etc.

  18. 4. Specific H&S issues • The H&S department or system is likely to hold a wide range of personal data • Employee data such as names, addresses, job titles etc. must all be securely stored • Sensitive (special category) data, such as injury and medical details, must be guarded even more carefully, with access restricted to those who need it

  19. Specific H&S issues Specific recommendations: • Understand and document current data processes and check that they meet compliance requirements • Record what personal data is held, why it is held and where • Regularly re-assess thereafter • Assess the security of the data stored, in particular sensitive personal data

  20. Specific H&S issues Specific recommendations: • Consider what data you share with third parties and why, e.g. external H&S consultants • Check their GDPR compliance and consider putting data sharing or data processing agreements in place • Review how long you retain personal data, why, and how you securely destroy it

  21. 5. Record keeping • The GDPR (Article 30), supplemented by the DPA, contains explicit provisions about documenting your processing activities • You must maintain records of matters such as the purposes of processing, the categories of data and data subjects, data sharing, international transfers, retention periods and security measures • Records must be kept up to date and reflect your current processing activities • The ICO has produced basic templates to help you document your processing activities, which can be found on its website

  22. 6. Data breaches Types of breach: • Data loss (e.g. a lost laptop or paper file) • Accidental deletion or alteration of data • Sending data to the wrong person, e.g. by e-mail • Holding incorrect data (a breach of the accuracy principle) • Sharing data without a lawful basis, or allowing unauthorised third-party access

  23. Data breaches • “Breach” is more than just loss of data: it covers any unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to personal data • A breach must be notified to the ICO within 72 hours of the organisation becoming aware of it, unless it is unlikely to result in a risk to individuals’ rights and freedoms; where the risk is high, the affected individuals must also be told • Two tiers of potential fines: - the higher of €10 million or 2% of global annual turnover - the higher of €20 million or 4% of global annual turnover

  24. Data breaches • Don’t be afraid to report a breach to your DPO: most breaches are likely to be minor, but they should still be reported to the DPO and recorded • There should be a central register for recording all breaches, including those not notified to the ICO • Assist the DPO promptly if they need to investigate the breach; the DPO might need to make a report to the ICO within the 72-hour window, so time will be of the essence

  25. Get in touch If you would like advice or assistance with GDPR/DPA compliance please get in touch: sthompson@darwingray.com

  26. Thank you for listening @DarwinGrayLLP Darwin Gray LLP
