Health and Safety - Privacy Notice
Who we are and what we do
The Council is a data controller under the Data Protection Legislation as we collect and process personal information about you in order to provide services and meet our statutory and regulatory obligations.
This notice explains why we ask for your personal information, how that information will be used and how you can access your records.
Any questions regarding our privacy practices should be sent to:
Data Protection Officer (DPO)
Cotswold District Council
Council Offices,
Cirencester
GL7 1PX
Email: data.protection@cotswold.gov.uk
Telephone: 01993 861194
What is the legal basis for collecting and processing this data
The Council has a lawful basis for collecting and processing personal information about you in order to administer Health and Safety.
The lawful basis for processing your data is:
- Article 6(1)(c) UK GDPR, processing is necessary for the compliance of a legal obligation to which to controller is subject under the Health and Safety at Work Act, and the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013,
- Article 6(1)(e) UK GDPR, processing is necessary for the performance of a task carried out in the public
- Article 6(1)(f) - Processing is necessary for the purposes of where it is necessary to defend the Council’s legitimate interests.
We process special category data under the following conditions listed in Article 9 of the GDPR:
- Article 9(2)(b) - Processing is necessary for carrying out obligations under employment, social security or social protection law or a collective agreement
- Article 9(2)(f) - Processing is necessary for the establishment, exercise or defence of legal claims or judicial acts.
- Schedule 1, part 1 (1) - processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.
The following legislation also applies, but is not exhaustive:
- Health and Safety at Work etc. Act 1974.
- Management of Health and Safety at Work Regulations 1999
- The Control of Substances Hazardous to Health Regulations 2002.
- Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013.
- Regulatory Reform (Fire Safety) Order 2005.
- Health and Safety (Display Screen Equipment) Regulations 1992 As Amended By the Health and Safety (Miscellaneous Amendments) Regulations 2002.
Why we need your information and how we use it
We collect information about you via
- Yourself, when you voluntarily provide us with information for this purpose
- Yourself, provided under a statutory obligation such as RIDDOR legislation
- Third parties such as other government departments or regulators to enable us to carry out our public duty
This data enables us to fulfil our statutory obligation to ensure your Health and Safety:
- Reporting and recording accidents and incidents
- Investigating the causes of accidents and incidents
- Investigating claims and complaints
- To communicate with Managers, Occupational Health and Human Resources regarding health and safety advice for individuals and implementing recommendations therefrom
- Provision of required training
What type of information is collected from you
We may collect and process the following types of personal data in order to provide the services:
- Your name, address, email addresses, date of birth and telephone numbers
- Information relating to accidents and / or incidents
- Occupational Health or medical reports as well as medication reports if relevant
We only ask for personal information that is appropriate to enable us to discharge our statutory duty. In some cases, you can refuse to provide your details if you deem a request to be inappropriate. However, you should note that this may impact on our ability to provide some services to you.
Who your information may be shared with (internally and externally)
We may share or disclose your information to any of the following recipients as may be necessary in line with statutory obligations and/or to comply with contractual obligations relating to it:
- Central Government Departments such as: Health and Safety Executive, Public Health England and Care Quality Commission (CQC)
- The Council’s Insurers and Legal Department
- Occupational Health
- Other Local Government Departments
- Local Fire and Police Authorities
How long we keep your information (retention period)
We will keep your personal data in accordance with our retention schedule and will only keep your information for the minimum period necessary. Generally information is retained for a period of not more than 7 years after the case is closed.
Staff training records not concerned with asbestos, HAV’s, noise and pesticides will be held for 6 years after last date of employment (this is for legal purposes in the event of future legal proceedings and need for defence).
The right to request the removal of your data under UK GDPR information rights is not an absolute right, for example, we will need to retain your data if this information forms part of a legal requirement, public registry or an existing contract. More information on our retention schedule can be found online.
How we protect your Information
We will not transfer your personal data outside the EU without your consent. Subsequent to the end of the Transition Period on 31 December 2020 transfers of data within the EU will be in line with UK GDPR and EU GDPR Directives.
We have implemented generally accepted standards of technology and operational security in order to protect personal data from loss, misuse or unauthorised alteration or destruction.
Please note however that where you are transmitting information to us over the internet this can never be guaranteed to be 100% secure.
For any payments which we take from you online we will use a recognised online secure payment system.
We will notify you promptly in the event of any breach of your personal data which might expose you to serious risk.
Your rights
You have rights under the Data Protection Legislations:
- to access your personal data
- to be provided with information about how your personal data is processed
- to have your personal data corrected
- to have your personal data erased in certain circumstances
- to object to or restrict how your personal data is processed
- to have your personal data transferred to yourself or to another business in certain circumstances
- to be told if we have made a mistake whilst processing your data and we will self-report breaches to the Commissioner
How you can access, update or correct your information
The Data Protection law gives you the right to apply for a copy of information about yourself. This is called a ‘Subject Access Request'.
If you wish to see a copy of your records you should contact the Data Protection Officer. You are entitled to receive a copy of your records free of charge, within a month.
The accuracy of your information is important to us to be able to provide relevant services more quickly. We are working to make our record keeping more efficient. In the meantime, if you change your address or email address, or if any of your circumstances change or any of the other information we hold is inaccurate or out of date please email us or write to us at:
Data Protection Officer (DPO)
Cotswold District Council
Council Offices,
Cirencester
GL7 1PX
Email: data.protection@cotswold.gov.uk
Telephone: 01993 861194
Further information
If you would like to know more about how we use your information, or if for any reason you do not wish to have your information used in any of the ways described here, please tell us. Contact the Data Protection Officer.
You can also complain to the Information Commissioner: https://ico.org.uk
We reserve the right to update this privacy notice from time to time by publishing a new version.