Health and safety - Privacy notices

Why do we process personal data?

We need to process your data to comply with health and safety legislation regarding recording, investigating and reporting accidents and incidents at work. In some cases, we need to process data to ensure that we are complying with our legal obligations to provide a safe and healthy workplace for employees and to protect people from workplace risks.

Processing employee data allows us to:

  • maintain accurate and up-to-date employment records and contact details
  • operate and keep a record of sickness absence to investigate causes of accidents and incidents
  • obtain occupational health advice
  • respond to a First Aid incident via the First Aider Notification Teams Form
  • ensure that we comply with duties in relation to individuals with disabilities, meet our obligations under health and safety law and capability process, and ensure that employees are receiving the pay or other benefits to which they are entitled
  • record and investigate workplace accidents, incidents and risks, including placing a member of public on the Council’s Difficult visits and Interview Register

We also have a legitimate interest in processing personal data during and after the end of the employment relationship for the following reasons:

  • ensuring effective general HR and business administration
  • responding to and defend against insurance claims, and claims for compensation
  • maintaining accurate and up-to-date details of whom to contact in the event of an emergency

We may process special categories of personal data, such as information about your health, ethnic origin, sexual orientation, health, religion or belief only so far as it relates to the incident or accident that is being investigated, for the purpose of recording, investigating and reporting.

Who has access to your personal data?

Employees information will be shared internally with members of the HR team, your line manager, managers in the business area in which you work, the Health & Safety Officer (Operations) (in relation to accidents and incidents involving the Direct Services Organisation [DSO] or DSO employees), and IT staff where access to the data is necessary for performance of their roles.

We share your data with third parties that provide occupational health services. We also share data with enforcement authorities including the Health & Safety Executive and the Police. If you or anyone else makes a claim for compensation following an accident at work, we will share your details with our insurance brokers and insurance company and our legal advisers. We will not transfer your data to countries outside the European Economic Area.

The agencies we will share the information with where necessary are:

  • Open HR or also known as HRPro (HR system)
  • HMRC
  • DWP/Pension Services
  • Surrey Pension Fund
  • National Fraud Initiative
  • BUPA (Occupational Health Service Provider)
  • Health and Safety Executive
  • Police
  • Our insurance brokers and insurance companies
  • Our legal advisers
  • Other statutory bodies
  • Other organisations where consent was given by the employee

We will share information on individuals who have been involved in an aggression incident and have been placed on Council’s Difficult visits and Interview Register internally and with contractors who undertake visits on our behalf so that we can meet our requirement to safeguard staff.

How do we protect personal data?

We take the security of your data seriously. The organisation has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. Data will only be processed by members of staff authorised by us for this purpose. Access to HR system is limited to members of the HR team whose job role requires access to the employee data. Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

How long do we keep your personal data?

If you are an employee, we will hold your personal data for the duration of your employment. In general, we will delete records after 6 years. If an incident involved a child, then the data will be retained until the child is at least 21 years old. If the individual involved had a health issue, we may need to hold the data indefinitely.

Information on individuals placed onto the Council’s Difficult Visits and Interview Register will be stored on a secure folder for 24 months and will be viewable only to those who have an immediate requirement within their role. After 24 months if the individual is no longer considered a risk they will be removed from the list however the data will be archived for 5 years and only accessible to Health and Safety leads, after which it will be securely destroyed.

Your rights

As a data subject, you have a number of rights, including access to your data. A request for access can be made via our website or by sending an email to foi@runnymede.gov.uk

Data Protection Subject Access Request(SAR) | Introduction – Runnymede Borough Council

To find out more about your rights please see the ‘Your Rights’ section of our main privacy statement

If you believe that Runnymede Borough Council has not complied with your data protection rights, you should initially try to resolve it with the relevant department. If you are unable to resolve the issue to your satisfaction contact our Data Protection Officer (DPO) who will investigate. If you remain dissatisfied with the outcome of the DPO’s review you can make a complaint to the Information Commissioner. You can find out further information on making a complaint to the Information Commissioner on their website Information Commissioner's Office (ICO)