The General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council) became effective on 25 May 2018 and has major implications for how personal information is collected, processed, stored and used. It affects not only the European Union Member States; it also impacts processing of personal information that takes place outside the EU.
The Regulation only provides for the protection of information relating to individuals, referred to as “data subjects”, and does not provide for the protection of juristic persons.
Article 3 of the Regulation categorises its application into three territorial spheres.
Firstly, it applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
It also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
Lastly, the Regulation also applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
By definition, a person protected under the GDPR is an identifiable natural person: one who can be identified, directly or indirectly, in particular by reference to an “identifier” such as a name, an identification number, location data, an online identifier (such as a username or IP address), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
While your name and surname are “personal information”, they could hardly be kept secret unless you want to be called “Hey you”. But because “Koos Koekemoer” could be more than one individual, the “identifier” that determines which Koos we are talking about needs to be protected. For this we add an ID number or passport number as the “identifier”.
The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Processing of information is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Two of the world’s largest processors of behavioural data are Google and Facebook. Both of these processors collect behavioural information about data subjects in order to deliver targeted messages on behalf of a wide range of advertisers. As both of these processors also own the personal information, they are also the controllers of this data and, together with other social networks like LinkedIn, are regulated under the GDPR.
How it affects Human Resources within a business outside of the EU
Most countries have their own statutes on the protection of personal information, and South Africa is soon to see the promulgation of the full content of the Protection of Personal Information Act in November this year.
The collection of personal information is required in any business. Whilst none of these laws intends to stop this, they do, however, place a duty on each party in the process to use this information only for a specific purpose and to take all prescribed precautions to protect it from unlawful use.
One aspect of the recruitment process that will be outlawed is the collection of personal information that is not relevant to a specific activity. For instance, when advertising a new position, the collection of the applicants’ ID numbers is not relevant at that point. Only once a recruiter has screened the applicants and drawn up a short-list of candidates does the collection of ID numbers become valid as a “purpose”.
When it comes to pre-employment medical screening, in-service screening for drugs and alcohol, and routine medical surveillance, the GDPR is concerned with the “systems” used for this purpose and with how the information is used, stored and protected from unauthorised release into the public domain.
As medical screening is a form of profiling, the GDPR does apply: it defines ‘profiling’ as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
It also defines ‘data concerning health’ as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
There are very few industries in Africa that will not be affected by the GDPR.
How it affects the H&S Manager
Hannah Steward explains how the GDPR will affect you. “As a health and safety manager you may be deemed to be a ‘data controller’ or ‘data processor’ by proxy, meaning you should be aware of the legal responsibilities,” she wrote in an article published on healthandsafetyatwork.com.
The health and safety department or system is likely to hold a wide range of personal data. Employee and non-employee data such as names, job titles, home addresses and phone numbers must all be securely stored, and data such as occupational health records and witness statements must be guarded even more stringently. Along with understanding the new regulation, it is recommended that HSE leaders should:
- understand and document current data processes, and demonstrate that they meet compliance requirements;
- document what personal data is held;
- assess the security of data stored, personal data in particular;
- document where data is shared with third-party organisations;
- review and define justifications for holding personal data;
- categorise the risk level associated with personal data held; and
- commit to data retention policies.
Achieving all of these steps may be a challenge, and will also take place against a background of changes in the wider organisation’s policies and procedures. However, if you can positively demonstrate that you are putting effort into having the right measures in place, regulators “will be reasonable” in the early days. It is estimated that 75% of organisations will struggle to implement appropriate procedures before 25 May.
Many health and safety professionals will never have come across the terms “data controller” and “data processor” before, or know what they imply. The easiest way to distinguish between the two is to look at the decisions each is responsible for.
H&S Manager as a Data Controller decides:
- to collect personal data in the first place;
- which items of personal data to collect;
- the purpose the data are to be used for;
- which individuals to collect data about;
- whether to disclose the data, and if so, to whom;
- whether the subject has access rights to the data; and
- how long to retain the data, or whether to make non-routine amendments to the data.
H&S Manager as a Data Processor decides:
- what IT systems to use to collect personal data;
- how to store the personal data;
- the details of security surrounding the data;
- the means used to transfer the data from one organisation to another;
- the means used to retrieve personal data;
- the method for ensuring a retention schedule is adhered to; and
- the means used to delete the data.
GDPR should be treated seriously by health and safety personnel, but there are relatively few resources for them to understand the regulation in the specific context of health and safety practice.
David Hennessy, partner and solicitor advocate at law firm Keoghs LLP, says that awareness of the extent to which the changes will impact health and safety departments is somewhat lacking.
“As far as I’m aware, [there aren’t many papers looking] to address the implications of GDPR from the perspective of health and safety managers. The irony is that the likely impact of the GDPR has been compared to the Health and Safety at Work Act, and those working in that area will understand the sea change that followed leading to the regulatory regime in which we now operate. Like health and safety, data and cyber security are now priority boardroom issues for business,” he says.
Even for organisations that have a culture of good data governance, there will still be work to do, even if it is amending existing policy and procedures. For those that don’t have that culture, it’s a perfect opportunity to invest in policy development, tools and applications to ensure best practice and compliance.
The impact of GDPR non-compliance
Article 82(1) of the GDPR states that any person who has suffered material or non-material damage as a result of an infringement of the Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. This is subject to the applicable laws of the relevant EU Member State, if any, and amounts to a civil action.
Administrative fines have been prescribed for a range of offences, and data controllers and processors can face administrative fines of up to €20 million (R291 million).
Penalties for infringements are set by the EU Member States and will differ in value from one to the next.
How to align your H&S Management System with the GDPR
Nicola Coote strongly advises that, under the new regulations, those dealing with health and safety should:
- understand the current data process and identify where personal data may exist in health and safety documents, such as the Safety File;
- record what personal data is held and the document title or type of document (i.e. make a list or register);
- identify where data is distributed to third-party companies and add this to the register;
- consider and assess the reason for possessing the personal data (do you really need access to this? If not, take yourself and your responsibilities out of the equation), for example requiring medical records in Safety Files where the law only allows for a Medical Certificate of Fitness;
- clarify the risk level that comes with holding personal data (breach of data security legislation, complaints or claims from individuals who feel their personal data has been inappropriately used or shared, etc.). A basic risk rating matrix can be used for this, in the same way as when completing a general risk assessment;
- ensure that the data in the list compiled is stored securely and is not accessible to anyone, including inadvertently, without a valid reason; and
- comply with the data retention policies within your own organisation.
Sources: https://gdpr-info.eu | PHSC | healthandsafetyatwork.com