Impact of Data Protection Regulation

Six months remain until the EU General Data Protection Regulation comes into force and it will affect health and safety practitioners through accident reports, the use of CCTV, biometric testing, private investigators and insurance claims files.

The General Data Protection Regulation (GDPR) (EU 2016/679) will, when it comes into force on May 25th, 2018, repeal and replace the 1996 EU Data Protection Directive and supersede the Irish Data Protection Act 1988 (as amended by the 2003 Act) and regulations made under the Irish Act.

Though there is no need for Irish legislation, as the GDPR becomes law directly in all EU member states, the Irish Government has published the heads of a Data Protection Bill. The Irish Data Protection Commissioner has launched an awareness-raising campaign, which includes a dedicated website on the regulation, www.GDPRandYou.ie

The Commissioner has also issued a 12-step guide, The GDPR and You. The guide makes it clear that the main concepts and principles of the GDPR are much the same as those in current Irish legislation. However, the GDPR introduces new elements and significant enhancements. The new and enhanced elements include:

  • Fines of up to €20m or 4% of global turnover for breaches of the Regulation;
  • The right of data subjects to access and to require the data controller to provide copies of data free of charge and in electronic format. This has been described as “a dramatic change”;
  • The right to be forgotten after the data is no longer relevant to the original purposes for which it was obtained.

The Commissioner advises that organisations should immediately start preparing for the implementation of the Regulation. While the responsibility for this will fall on the organisations’ data controllers, the Commissioner’s annual reports make clear that there are areas where data protection impacts on the health and safety function. Over the years the Commissioner has issued decisions on insurance claims files, private investigators, CCTV and accident report forms.

Speaking at an IOSH event in 2012, the former Data Protection Commissioner, Billy Hawkes, spoke about the application of data protection to health and safety. Among the issues Mr Hawkes spoke about were CCTV monitoring, taking photos, health data, drug testing, tracking devices in vehicles and information for insurers.

Relevant Provisions of the GDPR
Responding to queries from HSR regarding the impact of the GDPR, the office of the Data Protection Commissioner advises that Mr Hawkes’ remarks remain relevant. It also draws attention to some provisions of the GDPR, which it believes health and safety advisors should be aware of.

Data protection officer
Article 37 outlines the circumstances under which an organisation may be required to appoint a data protection officer (DPO). The Commissioner advises that safety advisors liaise with DPOs to get advice on data issues that arise. The Commissioner also points out that, if there are breaches, reporting to the Data Protection Commissioner will be mandatory. For example, if a safety advisor misplaces records containing personal data while out on an inspection, this will become a reportable breach unless the company can be sure it is unlikely to result in a risk to employees’ data protection rights.

Record keeping
Under Article 30, many organisations will be required to maintain records of their data processing activities. Where safety advisors are keeping records containing employee personal data (e.g. routine safety checks or training records), they should be aware that this type of data processing needs to be included in the overall data processing record.

Transparency
The GDPR emphasises the importance of transparency. The Commissioner advises that where personal data is processed for health and safety reasons, data controllers should make sure adequate information is provided to employees.

Information to data subjects
Employers, as data controllers, should ensure employees are fully informed where personal data is processed in accordance with a health and safety policy or procedures.