Keeping records is an integral part of health and safety, requiring a regular assessment of what records should be kept, how long they should be kept and who should control them. The coming into force of the European General Data Protection Regulation (GDPR) on 25 May 2018 makes these considerations even more important, says Gordon Tranter.

The General Data Protection Regulation

The GDPR acts directly in the UK. It should be read in conjunction with the Data Protection Act 2018, which details and clarifies how the Regulation applies in the UK and replaces the Data Protection Act 1998. The new legislation is designed to “harmonise” data privacy rules across Europe. Many of the GDPR’s requirements are substantially the same as the Data Protection Act 1998. However, there are significant changes: new rights for people to access the information companies hold about them, obligations for better data management for businesses, and a new regime of fines.

GDPR requirements

The GDPR requires companies to provide a reasonable level of protection for personal data. The processing of that data must be carried out in a manner that is lawful, fair and transparent and only for specified, explicit and legitimate purposes. For the purposes of the Regulation, processing means any operation or operations that are performed on personal data whether or not by automated means, such as collection, recording, organisation, structuring and storage.

Personal data includes the details held in employee and non-employee records, such as name, job title, home address, email address and phone number, and anything else that could allow the person to be identified. The personal data collected should be relevant, adequate, limited to what is necessary and kept up to date. The Regulation requires that the data be kept in such a manner, and with such management, as to protect it against unlawful or unauthorised processing and against accidental loss or destruction. Hence there is a strong case for an assessment of what records are kept, how long they should be kept, and who has access to them. This includes health and safety records.

Why keep records?

Organisations must consider what records are kept, how long they are kept, how they are kept and who has access to them.

There are a variety of reasons for keeping health and safety records.

  • The business is legally required to do so. Certain legislation includes specific requirements for keeping medical and health surveillance records, inspection records, atmospheric monitoring records, and accident, incident and disease records. This duty is more extensive in high-risk industries, eg under the Control of Major Accident Hazards Regulations 2015. Other legally required records include safety policies, employers’ liability insurance certificates, risk assessments and working time records.

  • To demonstrate compliance with legal duties and to show effective health and safety management procedures are in place. Health and Safety Executive (HSE) inspectors and union health and safety representatives have a legal right to inspect health and safety records. HSE inspectors can ask to see the health surveillance records made under the Control of Vibration at Work Regulations 2005. Inspectors appointed under the Regulatory Reform (Fire Safety) Order 2005 can ask to see fire risk assessments, fire safety arrangements, fire drill and other relevant records.

  • To use as part of a defence against prosecutions or claims for compensation. Under the Woolf Reforms of civil procedure the defendant can be asked for disclosure of relevant records. For an injury this includes the following documents:

    • the Accident Book report and Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) reports, if applicable

    • treatment records

    • health and safety committee minutes where the accident was discussed

    • health and safety training records

    • service or maintenance records of the work equipment

    • all relevant risk assessments.

    The defendant can ask for other relevant documents when other Regulations are likely to be at issue, eg in cases where the Control of Substances Hazardous to Health Regulations 2002 (COSHH) are relevant, there are 16 documents listed including the risk assessment, records of the maintenance of personal protective equipment and the examination of local exhaust ventilation.

  • To provide data to monitor health and safety performance statistics and to show trends or problems in health and safety procedures.

  • To provide information for employees, eg safety policies and risk assessments.

How long should records be kept?

Statutory requirements

Certain legislative provisions require records to be kept for specified periods of time.

  • The Accident Book and RIDDOR reports: under RIDDOR.

  • Health records and health surveillance records: under COSHH, the Control of Asbestos Regulations 2012 (CAR), the Control of Lead at Work Regulations 2002 (CLAW), the Work in Compressed Air Regulations 1996, and the Ionising Radiations Regulations 2017 (IRR).

  • Reports of inspections of equipment and plant: under the Construction (Design and Management) Regulations 2015, the Provision and Use of Work Equipment Regulations 1998 (power presses), the Lifting Operations and Lifting Equipment Regulations 1998, the Pressure Systems Safety Regulations 2000 and the Work at Height Regulations 2005.

  • Monitoring records, including air monitoring: under COSHH, CAR and CLAW; and dose records and dose assessment after an accident: under IRR.

  • Examinations and inspections of control measures (local exhaust ventilation and respiratory protective equipment) used to protect against hazardous materials: under COSHH, CAR, CLAW and IRR.

  • Working time information: under the Working Time Regulations 1998.

Note that some records must be kept for up to 50 years.

Other requirements

Apart from statutory requirements, the decision on how long to keep records is difficult. An employee who wants to claim compensation from his employer for an injury at work must generally bring a claim within three years of the accident or injury, which limits the time for which records relating to the incident must be kept. However, work-related medical conditions may take years to become apparent. In that case the claim must be made within three years from the time the employee became aware of the condition. Consequently, where employees are exposed to substances that can cause diseases with long latency periods, eg asbestos-related diseases, records (including health, training, air monitoring and supervision records) may be required decades later.

For criminal proceedings, summary offences heard in a magistrates’ court must be brought within six months of the alleged offence. However, proceedings in respect of an indictable offence to be heard at the Crown Court may be brought years after the alleged offence was committed.

Records retention schedules set out the periods for which an organisation’s records should be retained to meet its operational needs and to comply with legal and other requirements. A schedule enables the confident disposal of records that are no longer needed, ensures that the minimum volume of records consistent with the organisation’s assessed needs is retained, and assists with GDPR compliance.

How should records be kept?

Employers may keep records in any format, provided they are readily accessible and retrievable at any reasonable time for examination. There should be appropriate technical and organisational measures to ensure the level of security necessary to maintain ongoing confidentiality.

Particular concerns exist about the ability to access and read electronic records over time, since the rapid pace of change in technology can make the software used to create the records obsolete, leaving the records unreadable. Regular audits of the data should both demonstrate, and provide assurance of, compliance with good practice standards such as ISO 15489, the international standard on records management. This is particularly relevant to the storage of the health records and air monitoring records required by COSHH, CAR, CLAW and IRR, which must be kept for up to 50 years.

Data protection

  • Employers must justify the retention of confidential information. Retention must be necessary for health and safety reasons or to satisfy other legal obligations, and the employee must have freely given explicit consent.

  • The processing of personal data must comply with principles designed to ensure that it is only used in a way that is fair, lawful, proportionate and accurate.

  • Access must be allowed only to staff who are required to have access.

  • The data must be kept safely.

  • Records must not be kept for longer than absolutely necessary.

  • Information about individuals must never be passed to those with no legitimate interest.

These requirements apply to health and health surveillance records, exposure records and fit notes.

Further information

For more detailed information, see your topic on Records and Record Keeping.

Last reviewed 10 May 2018