Adam Gomes

Chartered Compliance Specialist, Adam Gomes CMIOSH, discusses accident forms and how they should follow GDPR regulations and be kept secure and confidential.

In May of 2017 I learnt about the impending EU General Data Protection Regulation. I started to think to myself about how this would affect my consultancy clients and myself as a business owner. I knew there would be a lot of work involved to get ready for the new regulations, so I decided to research the topic and carry out three courses before it was implemented. Needless to say, May 25 2018 came around very quickly and the panic for businesses set in. I’m sure many of you were sick of receiving marketing consent emails.

Processing restrictions

Now that the dust has settled slightly, and procedures have been tightened up in most companies, I have noticed how much personal information an accident form contains. Companies can create their own versions of an accident form; however, alternatives must comply with legal requirements by following the same format as the BI 510 accident book, which was published previously by the Department for Work & Pensions. I have noticed over the years, though, that there are many variations of accident forms created by businesses, and they don’t always follow these guidelines. Standard forms I have seen ask for information such as full name, address, occupation of the injured person, and cause and nature of the injury. This is classed under GDPR as ‘Personal Identifiable Information’ (PII). Some forms I have come across, though, ask for current medication and/or previous medical conditions. Under the GDPR this is classed as ‘Special Category Data’, which has additional rules and processing restrictions.

Confidentiality

I have found on site visits in the past that on a few occasions first aiders or the staff member completing the accident form have forgotten to hand it in and have left it lying around in places such as the yard, the first aid bay, the canteen and once even in the public toilet. I think you will agree that this is very poor practice, but it can be easily done, especially if the accident was of a serious nature and they weren’t thinking straight, or it slipped their mind to hand it in due to work pressures.

You may be thinking, ‘Well, OK, but what’s the worst that could happen if someone found an accident form?’ and I understand where you’re coming from. However, if I put it into some context then I think it puts a different light on the matter.

Say an individual member of staff was renovating a house for a company and unfortunately for whatever reason they received a needle stick injury. From this injury they may have a risk of diseases such as Hepatitis C. After giving first aid treatment and sending the member of staff to the hospital, the first aider completes an accident form which is unintentionally forgotten and left out on the mess room table with lunch about to start.

The information on this form is personal to the staff member and should be kept private, and in this situation the need for securing that PII is very important. The implications of losing it could add further stress to the individual, affecting their mental health and wellbeing.

The need for companies to implement robust accident reporting procedures that include data protection is very important. This will help reduce the chances of any data breaches, fines and bad publicity and, above all, keep the data subject’s information safe and secure. Another thought on this matter is that under the GDPR principle 3 (Minimisation) companies need to make sure that the information they ask for on these forms is relevant to the situation in hand and that they are not acquiring information that is not needed. It may be the case that they don’t require all that information, and rather than it being a positive it becomes a negative, as it’s a liability for the company.

In conclusion, I hope I have managed to help health and safety professionals remember to check for left out accident forms whilst carrying out tours/audits, and that I have highlighted the risks that companies face if they do not have rigid procedures in place to make sure that their forms are in line with BI 510 and that their data is secure.