Tread carefully when sharing personal health and safety data

These include keeping people safe, responding quickly to potential risks, maintaining legal privilege and responding to queries from the regulator and civil claims. At times, some interests can feel competing.

However, over recent years, there has been an increased awareness of the privacy rights of individuals. The pandemic brought into sharp relief the need to carefully balance privacy and health and safety rights. So, what takes priority?

Handling information relating to injuries and medical conditions

Accident reports, witness statements, CCTV (closed-circuit television) footage and details of training will all constitute the personal data of the individuals concerned. As such, the UK GDPR (UK General Data Protection Regulation) – which applies post-Brexit – sets out the legal requirements which must be met when handling the information.

As information about individuals’ injuries will concern their physical and/or mental health, this will be ‘special category data’ for the purpose of UK data protection legislation. This means that additional safeguards need to be in place for the management of such information.

Laura Gillespie: "Accident reports, witness statements, CCTV (closed-circuit television) footage and details of training will all constitute the personal data of the individuals concerned."

Lawful basis for processing

When handling personal information, the ‘controller’ (that is, the company or organisation who decides what information to collect and why), must ensure that it has a lawful basis to hold the information. This includes where the processing is necessary for compliance with a legal obligation or where it is for the ‘legitimate interests’ of the controller or a third party – so long as it does not override the individual’s right to privacy.   

If the information concerned contains medical information about an individual, then an additional ground for processing must be met. This includes where it is necessary for the defence of a legal claim or to protect the vital interests of the data subject where they are not able to give consent.

Need for transparency

Hard wired into the privacy legislation is the need to be fair, lawful and transparent when handling people’s private information. Usually this is achieved through the publication of a ‘privacy notice’ wherein it is explained what information an organisation will hold about an individual and with whom it might be shared.

Can personal data be shared with regulators, insurers or the supply chain involved in an investigation?

While the utterance of ‘data protection act’ can often be used as a reason not to share information, it is not impossible to do so.

What it does require is that health and safety professionals take four key steps:

1: Identify whether there is a lawful basis to share the information with the party concerned

2: Consider whether the need for transparency has been satisfied

3: Only share what is necessary, and

4: Document the reasons for the decision. 

The Information Commissioner’s Office (ICO) has recently published a new Data Sharing Code of Practice, which aims to reassure when it is possible to lawfully share personal information and what steps should be out in place when doing so.

ICO Data Sharing Code of Practice: bit.ly/3yhvSo5

Laura Gillespie is a partner in Pinsent Masons’ Litigation and Regulatory Compliance team. She specialises in data privacy and cyber security matters. Contact her at: bit.ly/3krCCfS