How GDPR Applies to Accident Reporting?

Under the new GDPR rules, I’ve heard that consent is required to process personal data. How does this affect the collection of information for the accident book?

Under GDPR, the first principle is to process all personal data lawfully, fairly and in a transparent manner. Processing (including collection, recording, organisation, structuring and storage) must have a “lawful basis”.

At least one of the following must apply:

  • Consent: the individual has given clear consent for you to process their data for a specific purpose;
  • Contract: processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract;
  • Legal obligation: processing is necessary for you to comply with the law (not including contractual obligations);
  • Vital interests: processing is necessary to protect someone’s life;
  • Public task: processing is necessary for you to perform a task in the public interest or your official functions, the task or function having a clear basis in law;
  • Legitimate interests: processing is necessary for legitimate interests (or those of a third party) unless there is good reason to protect the individual’s data which overrides this.

According to The Social Security (Claims and Payments) Regulations 1979, details to be recorded in the accident book include:

  • Full name, address and occupation of injured person;
  • Date and time of accident;
  • Location of accident;
  • Cause and nature of injury;
  • Name, address and occupation of person giving notice, if other than the injured person.

These requirements would satisfy the “legal obligation” basis and a specific statement of consent would not be required. You shouldn’t need to change your accident report form, but as under GDPR you must, at the time you collect their personal data, inform individuals of your purposes for processing the data, your retention periods and who it will be shared with, it may be a good idea to include this on the accident book.

So What Message Should You Communicate?

The purpose of processing accident and incident data is for collecting information and producing a range of statistics that communicates anything from the number of incidents per annum or man hours worked, analysis of causes, types on accident of incidents occurring, etc.  From this information you can identify trends, problem areas which in turn allows you to put in place suitable and sufficient control measures to prevent re occurrence.

Epica Health & Safety recommend that all injuries recorded in the accident book should be retained for a minimum of 3 years, in line with any potential civil claims.  Occupational health claims must be made 3 years from diagnosis,

Epica Health & Safety recommend retaining all health records including any incidents relating to occupational health incidents noted in the accident book for a 40 year period, as some occupational health problems take time to become apparent.

Generally the information will be shared with your insurance company, directors, health and safety and HR professionals engaged with the company.  This is not exhaustive so you will need to consider the incident and decide who is likely to require such information.

If you would like to ask the expert at Epica Health & Safety, then send your question to enquiries@epica.org.uk