Homeworks academic service

Importance of legislation in relation to recording storing and accessing hr data

Lucy Wright, chief medical officer of OH Assist, offers guidance. Data protection is a major issue in OH.

  • Records where there are no statutory retention periods, with recommended retention periods;
  • Taxes Management Act 1970;
  • Part 1 of a statutory Code of Practice on the management of records sets out good practice in public authority records management.

The work we do depends on our patients trusting us and being comfortable that we are managing their data properly. Society in general is becoming more data aware and that means that our patients are more inclined to be concerned how their records are being stored and the information that exists about their health conditions.

As a practitioner who has had to develop an interest in data protection, I was used to considering medical confidentiality. But the DPA covers more than medical confidentiality and it is important that all those of us who work in OH have an awareness of data protection regulation.

CIPD viewpoint

Any piece of data that could be used to identify someone (could be used, not is used) is considered personal data — for example, name, date of birth, address, postcode, employee number, or the identification number you may use in your records; all of these may be personal data.

But a more unusual name is likely to be unique and so allows that individual to be identified — hence it is personal data.

  1. If authorities wish to obtain details of the content of any communications, a special warrant will be required.
  2. Information about workers' health. Accounting records: statutory retention period.
  3. This is not the case with the DPA, as there is no allowance made for cost or difficulty in the legislation.
  4. When employers really no longer need to keep certain data, destruction must take place securely and effectively, for example by shredding.
  5. Public sector records: in the UK public sector there are many detailed rules about record retention. HR has a crucial role to play in achieving the new goal of data protection by design and default.

The DPA contains a list of sensitive data; other data that OH may hold that is also covered includes trade union membership, religion and sexuality. It is important that you only give out personal or sensitive data to those who have a right to know it, so you should consider having processes to check who you are giving the information to and to make sure they have a right to know it.

In OH, we are used to legislation that uses phrases such as: This is not the case with the DPA, as there is no allowance made for cost or difficulty in the legislation.

Data protection

The DPA requires every data controller (for example, an organisation or a sole trader) who is processing personal information to register with the ICO unless they are exempt. There are eight data protection principles and it is helpful to understand them.

I have paraphrased to make them simpler: When you ask for a medical report from a GP and they send you a copy, do you really need all that information?

In relation to the DPA, the ICO gives a list of when processing personal data is lawful and a further list of when you are allowed to process sensitive data. If you employ staff, it also covers their information, and the data of everyone that you hold for work purposes as long as you keep it in an IT system or a filing system where it can be easily retrieved.

Subject access requests

Individuals have the right to know if you are processing information about them and to see the data you hold on them; this is called a subject access request (SAR). You have to give the data, not the actual documents, so consider whether you want to transcribe it. But be careful: you must not leave any data out if it is covered.

Also be careful that you only give the right data, and not personal or sensitive data that belongs to another individual. The information required to be given in a SAR is laid out in the DPA and should be provided in an accessible form, so remember people with disabilities who may need it in a format other than the written word.

Healthcare organisations are over-represented in the list of ICO monetary penalties, and even small organisations get fined. So what does this mean for us as practitioners?

  • Occupational health records should be stored in a secure system and the confidential information should only be accessible by staff within the occupational health department;
  • Employers should always review the length of time personal data is kept, consider the purposes of information when deciding how long to retain it, and update, archive or securely delete information if it goes out of date;
  • The Information Commissioner has issued The employment practices code, together with additional guidance notes, which employers should follow carefully;
  • Both computerised and manual systems can be covered by the law.

Understand that the quality of your data protection is only as strong as the weakest link in your practice. Take care with laptops and make sure they are password protected and encrypted. Take care at home and make sure your records are confidential.

  1. Transferable information will generally be accessible to the employee, management, enforcing authorities such as the Health and Safety Executive and safety representatives.
  2. They should also follow both physical and electronic data security methods.

Be careful with paper records. Only record relevant information — data held must not be excessive. Only use personal data for the purpose for which it was obtained.

Anonymise data when possible. Only access what you need to do your job. If in doubt ask for advice if you can, use a data protection officer or a lawyer. Have processes in place to respond to a SAR.

  • There are, for example, specific requirements under the Control of Asbestos at Work Regulations 1987 and the Control of Substances Hazardous to Health Regulations 1988.

If you run your own business, be sure your contracts with your customers and suppliers are clear about who controls the data and whether you are acting as a controller or a processor. The GDPR will have a significant impact, so it is important to begin preparing now. Please note, this article should not be construed as legal advice and is for awareness raising only.