Health and Safety team privacy notice
This notice explains what personal data (information) we hold about you, how we collect, how we use and may share information about you. We are required to give you this information under data protection law.
Who we are
Kent County Council collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the General Data Protection Regulation which applies across the European Union (including in the United Kingdom) and we are responsible as ‘controller’ of that personal information for the purposes of those laws. Our Data Protection Officer is Benjamin Watts.
The health and safety team provides expert and proportionate advice to KCC staff, in all aspects of health and safety management, through its team of advisers.
Team members are skilled professionals who are able to adjust with the changing needs of the organisation. They are competent in a wide range of specialisms that support the organisation’s strategic and service delivery objectives.
Personal information we collect and use
Information collected by us
In the course of receiving accident/incident electronic reporting we collect the following personal information when you provide it to us:
- your name
- job title
- date of birth
- OAN number
- address (third party only)
- information relating to the accident/incident
- where the accident occurred including date and time
- any injury and the affected area of the injury
- names and address of any witness
- name of first aider
- name, job title and email address of line manager.
We also obtain personal information from other sources as follows:
- witness statement.
- additional information may be added by the line manager in part 2 of the accident/incident process.
- F2508 (RIDDOR)
How we use your personal information
For employees this information is uploaded to their Oracle personnel file. Third party information is loaded onto an Excel spreadsheet. The master copy of this information is held on site by the responsible person. The copies received by health and safety, is securely stored and adheres to KCC’s retention schedule. All accident/incident cleansed data appears within KCC on a BI Dashboard. This is a statutory requirement.
How long your personal data will be kept
We will hold your personal information for:
- accident reporting records concerning adults should be kept for 4 years from the date of the incident
- accident reporting records concerning children should be kept for 25 years from the child’s date of birth
- although RIDDOR states that the date of notification +3 years as the accident report forms are attached to these records the RIDDOR records will be managed against the same retention period outlined as above.
Reasons we can collect and use your personal information
We rely on Legal Obligation as the lawful basis on which we collect and use your personal data.
- We are legally obliged to report RIDDOR accidents to the Health and Safety Executive.
- We may report incidents of violent behaviour towards our staff to the police.
The personal and sensitive data is collected as KCC has a legal duty to document workplace incidents/accidents and to report certain types of accidents, injuries and dangerous occurrences arising out of its work activity to the relevant enforcing authority.
The provision of personal and sensitive data is required from you to enable us to analyse the data provided to ensure that we record health and safety accidents, events and near-misses that happen on our premises or to our staff (both on and off-site). This could include capturing information about members of the public involved in an accident, individuals that threaten members of staff, and details of witnesses.
Incidents and accidents will be investigated to establish what lessons can be learned to prevent such incidents/accidents re-occurring including introduction of additional safeguards, procedures, information instruction and training, or any combination of these. The information is also retained in the event of any claims for damages.
Who we share your personal information with
The initial accident / incident form is shared with the responsible person who receives the email link to complete part two of the form.
This data sharing enables the responsible person to undertake any remedial action to prevent a recurrence of the accident / incident. However this email link only contains the affected persons name; the OAN, gender, data of birth, address (third party only) is removed at the stage.
The master PDF which is emailed on completion does contain personal information.
Cleansed accident / incident information is available within KCC on a BI Dashboard. Employees OAN and manager’s name is shown. The third party Dashboard may only have personal data if included in the accident / incident description.
We will share personal information with law enforcement or other authorities if required by applicable law.
- know what we are doing with your information and why we are doing it
- ask to see what information we hold about you (subject access request)
- ask us to correct any mistakes in the information we hold about you
- object to direct marketing
- make a complaint to the Information Commissioner's Office
- ask us to delete information we hold about you
- have your information transferred electronically to yourself or to another organisation
- object to decisions being made that significantly affect you
- object to how we are using your information
- stop us using your information in certain ways
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.