The EU’s General Data Protection Regulation (GDPR) came into force on 25th May. Regulated by the Information Commissioner’s Office (ICO), the overall legal liabilities are much the same as under health and safety law, with the risk of prosecution by the ICO for breaches of GDPR and civil law suits from individuals who feel that they have a legitimate claim against an organisation for misuse of their personal data. The ICO has played down press scaremongering, saying that it will act proportionately; to put it into context, the ICO issued 57 monetary penalties and carried out 19 prosecutions in 2017. Notwithstanding this, GDPR is a considerable expansion of the previous regulations, and the maximum sanction has increased from £500,000 per breach to the greater of 4% of group global turnover or €20 million, so it needs to be taken seriously, particularly by large organisations.
The general idea is that personal data should only be used for the purpose for which it was originally collected and that consent to use that data requires a positive, informed decision. A key principle is that personal data should be collected for a specified, explicit and legitimate purpose and that the subject should be made aware of each and every reason a health and safety practitioner is holding or using his or her personal data.
Clearly health and safety management involves collecting accident information and the results of health and safety monitoring, such as hearing tests, all of which involves collecting personal data. Data also includes CCTV images and recordings from body cams, which are now worn by many stewards and event security staff, particularly where there is a risk of confrontation or ejections. Such activities do raise the question of how, and for how long, these images should be held, for example as a record that an individual was safely and legally ejected from an event. It opens the possibility of legally savvy individuals requesting that this information be deleted merely to frustrate the organisation’s ability to defend itself against a future claim.
The collation of health and safety data normally falls under the concept of either legal obligation, where there is a statutory requirement, or ‘legitimate interest’ in the pursuance of managing health and safety properly. Specifically, Regulation 5 of the Management of Health and Safety at Work Regulations requires employers to ‘plan, organise, control, monitor and review their health and safety arrangements’, so gathering personal data for accident investigations and health and safety monitoring falls under a legal obligation. The regulations also require an individual risk assessment for new and expectant mothers, which will clearly involve the recording of what could be highly sensitive personal data. In the case of the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) there is a legal requirement not only to collect data but to pass it on to the relevant authority. In these cases, provided the information is only held or used for the purposes intended in compliance with health and safety law, consent by the individuals concerned is not required. Conversely, individual employees are legally obligated under the Health and Safety at Work Act to cooperate with their employers on health and safety issues.
As part of their GDPR policy, even where there is a legal obligation or legitimate interest, companies should inform people how long their data is to be held for and why. Ultimately however, where there is a legal obligation to collect and hold data it does not have to be deleted simply because the individual has asked you to do so.
The right of erasure is not an absolute right, and health records are excluded from the right to be forgotten. Notwithstanding this, medical records are categorised as sensitive data and should be treated with greater security than other personal data. There are circumstances, for example health monitoring, where there is a legal requirement to hold records for long periods, such as the requirement under The Control of Asbestos Regulations to hold health monitoring records of asbestos workers for 40 years. In the events industry in particular, those exposed to noise hazards should be monitored, the resulting records retained, and employers are advised to keep them for up to 40 years. Whilst the HSE has yet to update its guidance material in this regard, these clearly fall under the category of either legal obligation or legitimate interest.
Employers may collect personal data for the purposes of recording training, particularly where it involves certification as is required, for example, by the National Rigging Council for riggers in the event and entertainment industry, or the requirement for lift truck drivers and other plant operators to hold the necessary licence. IOSH itself requires the names, photo ID and National Insurance number for delegates holding certain IOSH certificates. Again, this is a legitimate interest and compliant provided the information is only held or shared with a third party for the purpose intended. If these records are held as part of a large database then the holder would have to be able to demonstrate that the records were held securely. Whilst employers should consider how long such records need to be held, there should also be a consideration that it may be in employees’ interests not to have their training records systematically deleted just for the sake of it.
In the events industry it is best practice to compile and keep an event safety file which could contain personal data in the form of accident records and medical incidents related to that event. There is a statute of limitations (usually 3 years) on civil claims and it is common practice to archive the event safety file for around 5 years if there is no known reason to retain it any longer. There is no statute of limitations in criminal law and companies may rely on the event safety file in case of a criminal prosecution which could require demonstrating consistent health and safety management and monitoring over a period of years. Event companies may wish to review their archiving policy in this regard.
GDPR cannot cover every eventuality and as with any new law there will be areas that require legal interpretation. It is up to the events industry and individual event companies to work towards forming established best practices to ensure that problems can be resolved at industry level rather than being determined by case law in the criminal or civil courts.