Hi Wendy
I don't think some companies realise that a 'general questionnaire' asking about employees' health and lifestyle is not justified under the present DPA. Every so often I am asked to review these forms by such companies and when I ask why they are collecting this data and what is the purpose of my involvement the answer is often 'we thought it was a good idea' and can you check they are fit to do their job. There then has to be a difficult discussion about the DPA and part 4 in particular and the reasons why I cannot professionally do what they ask unless there is a justified reason. I hope the GDPR makes some difference to this type of practice.
Karen
-----Original Message-----
From: [log in to unmask] <[log in to unmask]> On Behalf Of Wendy Jones
Sent: 13 April 2018 10:21
To: [log in to unmask]
Subject: [OCC-HEALTH] GDPR - data portability; and non-OH professionals gathering health data
I was looking at GDPR and two things occurred to me which might be worth further discussion. Both stem from a construction industry perspective but might have applicability elsewhere.
a) Portability of data
The GDPR gives individuals the right to ask for an organisation which has their data to pass it on to another organisation – that is the way that banks and electricity companies make it easier for you to change your provider.
Will this affect OH providers? The provision only applies where data is ‘processed automatically’, so I don’t know if that affects OH data held on a software system. There is a major challenge in construction in that workers often get health checks done through multiple providers and the data never gets joined up. Obviously they already have the right to ask for access to their data under existing legislation, but generally they don't. I wonder if this will make ‘joined up’ OH provision to this population more achievable e.g. if one provider encouraged the workforce they were looking after to pursue it?
b) Sensitive data (I don’t think this necessarily changes the obligations under GDPR compared to the DPO, but it does make the consequences of breach greater)
Companies without OH provision often assess health by means of a ‘responsible person’ e.g. to assess HAVS symptoms or to look for evidence of dermatitis. Construction companies sometimes take this further and ask workers to complete broader health questionnaires so they can check they are fit for work, or decide who to refer to their OH provider (which is not good practice, but I don't know if it actually contravenes any laws if information is given freely by the workforce.) Because this is health information, it is automatically ‘sensitive data’ – I wonder whether companies are aware of this and make sure that they manage/process data accordingly?
Wendy
Researcher in Construction OH
Loughborough University
********************************
Please remove this footer before replying.
OCC-HEALTH ARCHIVES:
http://www.jiscmail.ac.uk/lists/occ-health.html
CONFERENCES AND STUDY DAYS:
http://www.jiscmail.ac.uk/cgi-bin/filearea.cgi?LMGT1=OCC-HEALTH
********************************