Health and Safety team privacy notice

This notice explains what personal data (information) we hold about you, how we collect, how we use and may share information about you.  We are required to give you this information under data protection law.

Who we are

Kent County Council collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the General Data Protection Regulation which applies across the European Union (including in the United Kingdom) and we are responsible as ‘controller’ of that personal information for the purposes of those laws. Our Data Protection Officer is Benjamin Watts.

The health and safety team provides expert and proportionate advice to KCC staff, in all aspects of health and safety management, through its team of advisers.

Team members are skilled professionals who are able to adjust with the changing needs of the organisation. They are competent in a wide range of specialisms that support the organisation’s strategic and service delivery objectives.

Personal information we collect and use

Information collected by us

In the course of receiving accident/incident electronic reporting we collect the following personal information when you provide it to us:

  • your name
  • job title
  • date of birth
  • OAN number
  • gender
  • address (third party only)
  • information relating to the accident/incident
  • where the accident occurred including date and time
  • any injury and the affected area of the injury
  • names and address of any witness
  • name of first aider
  • name, job title and email address of line manager.

We also obtain personal information from other sources as follows:

  • witness statement.
  • additional information may be added by the line manager in part 2 of the accident/incident process.
  • F2508 (RIDDOR)
  • HS160.

How we use your personal information

For employees this information is uploaded to their Oracle personnel file. Third party information is loaded onto an Excel spreadsheet. The master copy of this information is held on site by the responsible person. The copies received by health and safety, is securely stored and adheres to KCC’s retention schedule. All accident/incident cleansed data appears within KCC on a BI Dashboard. This is a statutory requirement.

How long your personal data will be kept

We will hold your personal information for:

  • accident reporting records concerning adults should be kept for 4 years from the date of the incident
  • accident reporting records concerning children should be kept for 25 years from the child’s date of birth
  • although RIDDOR states that the date of notification +3 years as the accident report forms are attached to these records the RIDDOR records will be managed against the same retention period outlined as above.

Reasons we can collect and use your personal information

We rely on Legal Obligation as the lawful basis on which we collect and use your personal data.

  • We are legally obliged to report RIDDOR accidents to the Health and Safety Executive.
  • We may report incidents of violent behaviour towards our staff to the police.

The personal and sensitive data is collected as KCC has a legal duty to document workplace incidents/accidents and to report certain types of accidents, injuries and dangerous occurrences arising out of its work activity to the relevant enforcing authority.

The provision of personal and sensitive data is required from you to enable us to analyse the data provided to ensure that we record health and safety accidents, events and near-misses that happen on our premises or to our staff (both on and off-site). This could include capturing information about members of the public involved in an accident, individuals that threaten members of staff, and details of witnesses.

Incidents and accidents will be investigated to establish what lessons can be learned to prevent such incidents/accidents re-occurring including introduction of additional safeguards, procedures, information instruction and training, or any combination of these. The information is also retained in the event of any claims for damages.

Who we share your personal information with

The initial accident / incident form is shared with the responsible person who receives the email link to complete part two of the form.

This data sharing enables the responsible person to undertake any remedial action to prevent a recurrence of the accident / incident. However this email link only contains the affected persons name; the OAN, gender, data of birth, address (third party only) is removed at the stage.

The master PDF which is emailed on completion does contain personal information.

Cleansed accident / incident information is available within KCC on a BI Dashboard. Employees OAN and manager’s name is shown. The third party Dashboard may only have personal data if included in the accident / incident description.

We will share personal information with law enforcement or other authorities if required by applicable law.

Your rights

Under GDPR you have rights which you can exercise free of charge which allow you to:

  • know what we are doing with your information and why we are doing it
  • ask to see what information we hold about you (subject access request)
  • ask us to correct any mistakes in the information we hold about you
  • object to direct marketing
  • make a complaint to the Information Commissioner's Office

Depending on our reason for using your information you may also be entitled to:

  • ask us to delete information we hold about you
  • have your information transferred electronically to yourself or to another organisation
  • object to decisions being made that significantly affect you
  • object to how we are using your information
  • stop us using your information in certain ways

We will always seek to comply with your request however we may be required to hold or use your information to comply with legal duties. Please note, your request may delay or prevent us delivering a service to you.

For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner's Office (ICO) on individuals’ rights under GDPR.

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.


Please contact the Information Resilience and Transparency Team at to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.

You can contact our Data Protection Officer, Benjamin Watts, at, or write to: Data Protection Officer, Sessions House, Maidstone, Kent ME14 1XQ.

GDPR also gives you right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissionerwho may be contacted on 03031 231113.

Read our corporate privacy statement.