The right to be forgotten – GDPR and the retention of safety incident records
On 25 May 2018 the General Data Protection Regulation (GDPR) made its grand entrance into EU and UK law, sword raised at the ready to defend the rights of individuals in relation to their personal data.
At the heart of the GDPR is the principle of data minimisation. Article 5 demands that organisations only keep personal data - being any information relating to an identified or identifiable person - in a form which permits identification of data subjects for as long as is necessary to carry out the purposes for which it was collected. The GDPR does recognise that this principle may be restricted where it is necessary and proportionate to safeguard matters of public interest, such as compliance with other legal duties and the establishment and the exercise or defence of a legal claim.
In the health and safety sphere, personal data is collected by an organisation following a health and safety incident to create or process documents, such as incident reports and witness statements. This information should only be retained for as long as is necessary to enable its purpose, such as:
- To learn and respond to health and safety lessons
- To monitor trends
- To comply with obligations to furnish information under Section 20 of the Health and Safety at Work etc. Act 1974 (HSWA)
- To defend a potential health and safety prosecution.
Consent is not generally required as a lawful basis for processing personal data in health and safety matters, since such processing falls within one of the other permitted grounds. That said, we are aware that, out of courtesy, some organisations do choose to inform the relevant employees that material containing their personal data has been requested and will be handed over to the police or the HSE. Provided care is taken to avoid any accusation of ‘tipping off’, this can be good practice.
Article 17 of the GDPR provides individuals with the right to have their personal data erased. This right to be forgotten is not absolute and only applies in certain circumstances. If the processing of the data is justified then the request can be refused. However, if a valid request is received and no exemption applies then you will have to take steps to ensure erasure from backup systems as well as live systems.
Because there is no limitation period for investigation and prosecution under the HSWA, there is no clear guidance on how long personal data relating to a health and safety incident can be retained. As a result, we suggest that it is best practice to actively and regularly review whether retaining any such personal data remains appropriate. In doing so, the rights of individuals to control data created about them must be balanced against your own legitimate needs.
Such a review would sensibly take into consideration:
- The nature of the incident
- The time that has elapsed
- Whether incidents of that nature had occurred within your organisation previously
- The level of the authorities’ interest in the matter.
Until official guidance on this issue is published, organisations retaining incident records and witness statements - and wishing to avoid the swing of the GDPR sword - should ensure that all personal data is carefully considered, categorised as special data on internal systems and safeguarded as much as possible.