Since GDPR came into force in May (implemented in UK law under the Data Protection Act 2018) it has caused many questions for businesses across the UK and the rest of the EU. A number of customers have asked whether our accident books, which are designed to record personal details of the person involved in the accident and the person completing the record, comply with GDPR.
The short answer is yes, our accident books are GDPR compliant. GDPR does not overwrite existing UK laws around health and safety, including RIDDOR and the Social Security Regulations, which require employers to keep accident records. The personal details on accident forms does not require consent, as under GDPR, data processing is lawful if it’s “necessary for compliance of a legal obligation to which the controller is subject”. It does however have implications for how organisations handle these records, and how long they keep them.
What do I need to do with my accident records?
The law in the UK requires accident records to be kept for a minimum of 3 years (unless they fall under COSHH regulations). However, beyond this period, these records may need to be destroyed. GDPR states that:“The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.”
Essentially, organisations are obliged to delete data when it’s no longer needed. Furthermore, the subject of the data (i.e. either the person involved in an accident or the one who completed the record) has the right to have access, for free, to the data concerning them, and there is also a ‘right to be forgotten’ (i.e. erasure) if the retention of their data is no longer legally required and hasn’t already been erased, in this case after three years (except relating to a COSHH incident).
Should an organisation attempt to keep these personal details beyond the period required by UK law, they must legally share this data with the concerned persons when requested and therefore may face themselves having to justify the retention of this data (opening them up to penalties if they cannot do so). If organisations are able to justify the retention of personal data, GDPR sets no maximum time period for how long they may do so, but does require them to review the data they hold on an ongoing basis to determine if its retention is still necessary. Personal data may not be held indefinitely.
If organisations wish to keep accident reports longer than three years, a simple step is to ‘anonymise’ these reports so that they no longer contain personal detail, but may continue to inform health & safety policy and risk assessments into the future. In doing so, organisations must ensure none of the personal details from the accident records is retained unnecessarily. As accident book records are physical records, the easiest way to do this is to transfer the accident details into an electronic format and physically destroy the original paper records. There is also the possibility that you may keep the original records including personal data for longer than the legal minimum if you obtain affirmative consent from those involved.
Organisations are still required to hold personal data securely, and there are tough penalties for organisations that fail to do so, or breach other aspects of GDPR around consent or data transfer. Lesser offences can result in fines of up to 10 million Euros or two percent of a firm’s global turnover (whichever is greater), which increases to up to 20 million Euros or four percent of global turnover for serious offences.
You can read the Data Protection Act 2018 which implements GDPR into UK law in its entirety here. The full GDPR text is here. The Information Commissioner’s Office’s guide to GDPR can be found here.