General Data Protection Regulations (GDPR) –v- HSAW Act 1974 & SRSC Regs 1977:
To: All Branches
The impact of GDPR on Health and Safety was raised with Royal Mail Group prior to the introduction date and we were assured that “minimal disruption” was expected which was welcomed.
However since then the Health, Safety & Environment Department has been receiving increasing numbers of queries and complaints from Royal Mail Group based CWU Safety Reps on a number of things as managers around the country are starting to react to the GDPR with a lack of understanding and common sense and we are clearly going through the same loop again as we did with the original Data Protection Act 1998, only worse.
My department is receiving communications from ASRs on a variety of issues where GDPR is cropping up e.g.
• Accident on Duty notifications and reports,
• RTC information,
• ZAP Reports,
• Sharepoint Weekly Safety Dashboard,
• First Aiders,
• Fire Wardens,
• Safety Committees,
• H&S Audits,
• Training Records,
• Vehicle Licence Checks,
According to guidance issued by the TUC and HSE, there isn’t anything in the GDPR which indicates specifically from a workplace health and safety perspective that there will be any new restrictions on giving Safety Representatives the information necessary to enable them to fulfil their role and functions or change the general duties and obligations on employers regarding consultation with and involvement of Trade Union Safety Representatives as set out in the Health and Safety at Work Act 1974, the Safety Representatives and Safety Committees Regulations 1977, the Health and Safety (Consultation with Employees) Regulations 1996 and other specific Health and Safety Regulations.
The HSE has made it clear in the past that Trade Union Health and Safety Reps must be ‘proactively’ involved and consulted in line with Health and Safety Legislation and that data protection regulations must not stop Union Health and Safety Representatives getting information they are legally entitled to.
Few people can be unaware of the General Data Protection Regulations (GDPR), if only because of the emails that we are all getting from organisations we have never heard of asking us to agree that they can keep emailing us.
However, the above quoted list of examples are worrying developments and the matter has been raised with Royal Mail Group’s Head of Safety, Health and Environment Standards and Reporting.
We have requested that Managers must be told not to use the GDPR Regulations to try to stop Union Health and Safety Representatives from getting access to information they are legally entitled to.
The 1977 Safety Reps and Safety Committee (SRSC) Regulations are very clear about what Safety Reps are entitled to. Regulation 7 basically states that employers “have to make available to safety representatives the information necessary to enable them to fulfil their functions.”
The HSE Code of Practice to the Regulations lists what information is covered, and it is pretty comprehensive, including information on accidents and safety audits etc.
Since its introduction, local Safety Reps are finding that some managers are saying that the GDPR restricts what information they can supply. Examples of this include refusing to hand over information from accident report forms, instead saying that they will in future only give periodic statistics reports, and health and safety auditors are being instructed to stop sharing their Safety Audits with CWU Safety Representatives on the grounds they contain some personal data etc. We have made it clear that this is nonsense and is not acceptable to the CWU.
This seems to be a deliberate attempt by some managers to try to stop Union Health and Safety Representatives getting the information they need and are entitled to. Just giving general information with no detail makes the information utterly useless in some cases, as Health and Safety Representative can’t properly investigate incidents, accidents, near misses and complaints unless they know which members are involved.
The TUC and HSE advice is that the GDPR does not change the information that can be given to Union Health and Safety Representatives in the least. Both the SRSC Regulations and the 1998 Data Protection Act already restricted certain personal information being given out generally but providing information to Safety Representatives is covered by Health and Safety Legislation.
When it was reported to the Health, Safety & Environment Department what some managers were doing, the HSE were contacted in order to check their view and the HSE confirmed that the “Government Legal Department advise is that the implementation of the EU General Data Protection Regulation should not adversely impact Trade Union Safety Representatives carrying out their functions within the Safety Representatives and Safety Committees Regulations. Employers are required to provide documents and information requested by Safety Representatives under Regulation 7 as before.” In other words, if an employer or managers are now refusing to give over information they are misusing the GDPR or using it as an excuse not to comply with Health and Safety Law.
So the fact is that Trade Union Health and Safety Representatives can still get all the information that they need. Information on any accidents, injuries, near misses or occupational diseases, audits, safety training etc., can still be given to Safety Representatives, as can any audit or other reports or the results of investigations etc.
If managers think that the GDP Regulations somehow trumps the SRSC Regulations then the question is “where in the GDPR does it say that the employer should not provide the information covered in Regulation 7 of the SRSC Regulations?”
Of course, that does not mean that GDPR will not affect Safety Representatives. When handling personal data, including membership information, or details of any cases or issues that they are handling, the information needs to be treated accordingly and kept securely.
For electronic information, many representatives use the employer’s system and they usually will continue to follow the security standards operated by the employer, but if Reps are keeping information on their own computer, GDPR doesn’t state Safety Reps can’t have it, it states that they should make sure that they are following the requirements of the new Regulations.
The CWU SDGS has published advice on behalf of the CWU to Branch Representatives on GDPR in LTBs 227 and 310 which Reps should follow in maintaining data privacy.
The same applies to paper information. Regulation 5(3) of the SRSC Regulations requires employers to give “such facilities as the safety representative may reasonably require” for safety inspections. Regulation 4A2 of the SRSC Regulations gives safety reps considerable powers to demand facilities to enable them to carry out their functions effectively. That means that, at the very least, health and safety representatives can demand lockable secure facilities to keep data secure and private.
To maintain our productive joint working arrangements and commitments, this GDPR mess that’s developing in Royal Mail Group needs addressing urgently.
The TUC Education Department did a webinar explaining the implications of GDPR for unions in March which is available on YouTube at the following Link:-
Further reports will be made in due course. ASRs should use the RMG/CWU nationally agreed Health and Safety Disputes Escalation Procedure as necessary.
National Health, Safety & Environment Officer