GDPR and health and safety representatives

Few people can be unaware of the General Data Protection Regulations (GDPR) that come into effect this Friday, if only because of the emails that we are all getting from organisations we have never heard of asking us to agree that they can keep emailing us.

However, there is a more worrying development. Some employers are using the regulations to try to stop union health and safety representatives from getting access to information they are legally entitled to.

The 1977 Safety Reps and Safety Committee (SRSC) Regulations are very clear about what we are entitled to. Regulation 7 basically states that employers “have to make available to safety representatives the information…..necessary to enable them to fulfil their functions.” There is an exception for information that relates specifically to an individual unless they have consented.

The HSE Code of Practice to the Regulations lists what information is covered, and it is pretty comprehensive, including information on accidents, audits etc.

Now we find that a lot of employers are saying that the GDPR restricts what information they can supply. Examples of this include refusing to hand over information from accident report forms, instead saying they will just give quarterly reports, or instructing their auditor to stop sharing their Safety Audits with safety representatives on the grounds they contain some personal data.

This is nonsense. These employers are making no attempt to gain consent for sharing the information or, if consent is withheld, anonymising the information.

This seems a deliberate attempt to try to stop union representatives getting information they need. Just giving general information with no detail makes these reports utterly useless,‎ as the health and safety representative can't properly investigate unless they know who the member is.

The GDPR does not change the information that can be given to union health and safety representatives in the least. Both the SRSC Regulations and the 1998 Data Protection Act already restricted personal information being given out, which is why employers had to anonymise it or get the permission of the individual. In fact, the official accident report form published by the TSO has a box asking the person to consent to the information going to the safety representative.

When I first heard that some employers were doing this I contacted the HSE just to check their view and they confirmed that “ Government Legal Department advise that the implementation of the EU General Data Protection Regulation should not adversely impact safety representatives carrying out their functions within the Safety Representatives and Safety Committees Regulations. Employers are required to provide documents and information requested by safety representatives under Regulation 7 as before .”

In other words, if an employer is now refusing to give over information, either they should not have been giving it out before, or they are using the GDPR as an excuse.

So safety representatives can still get all the information that they need. If an individual is mentioned, they can be asked to give consent or the name can be withheld. Information on any injuries, near misses or occupational diseases can still be give to representatives, as can any audit or other reports or the results of investigations.

If your employer does try it on and says that the GDPR somehow trumps the SRSC Regs then ask them where in the GDPR it says that they should not provide the information covered in Regulation 7 of the SRSC Regulations.

Of course, that does not mean that GDPR will not affect safety representatives. When handling personal data, including membership information, or details of any issues that you are handling, the information needs to be kept securely.

For electronic information, many representatives use their employer’s system and they usually follow the security standards operated by the employer, but if you are keeping information on your own computer, make sure that you are following the requirements of the new regulations. Many unions have published advice to workplace representatives on GDPR.

The same applies to paper information. Regulation 5(3) of the SRSC Regulations requires employers to give “such facilities as the safety representative may reasonably require” for safety inspections. Regulation 4A2 of the SRSC Regulations gives safety reps considerable powers to demand facilities to enable them to carry out their functions effectively. That means that, at the very least, health and safety representatives can demand a locked filing cabinet and any other secure facilities they need to keep data secure.

TUC Education did a webinar explaining the implications of GDPR for unions in March which is available on YouTube.