Health and Safety team privacy notice
This notice explains what personal data (information) we hold about you, how we collect it, and how we use and may share it. We are required to give you this information under data protection law.
We keep this privacy notice under regular review and it was last updated on 1 November 2024.
Who we are
We collect, use and are responsible for certain personal information about you. When we do so we are regulated under the General Data Protection Regulation which applies across the European Union (including in the United Kingdom), and we are responsible as ‘controller’ of that personal information for the purposes of those laws. Our Data Protection Officer is Benjamin Watts.
Our Health and Safety Team are responsible for providing competent health and safety advice and support to the organisation and for facilitating systems to help manage the organisation’s health and safety responsibilities. On occasion we may need to collect and use personal data so that we can fulfil these duties.
Why we collect and use this information
Our Health and Safety Team collect, process, hold and share personal data in relation to two areas of responsibility:
- Health and safety incident, accident, near miss and safety concern reporting which relates to the work undertaken by the council. The information is captured to enable monitoring of the health and safety culture within the organisation; to help prevent future incidents of a similar nature; and to comply with legal requirements.
- The provision of lone working and personal safety devices to staff as part of the risk management of our staff. The lone working system collects personal data from employees who need emergency assistance if they are at risk of assault, are taken ill, if they have fallen or otherwise been injured. The devices and solutions enable staff to covertly summon assistance.
What data do we collect, process, hold and share
For health and safety incident, accident and near miss reporting, we collect via our electronic reporting HS157 form:
- Basic personal information about the injured or nearly harmed person (employee): name, employee number (OAN), date of birth, gender, legal sex at birth information, address or location where the incident occurred.
- Basic personal information about the injured or nearly harmed person (3rd party): name, date of birth, gender, legal sex at birth information, address or location where the incident happened.
- Health details where relevant for the reported incident, accident or near miss including injury details and treatment. This type of information is known as special category data because it is more sensitive.
This information is captured where a health and safety incident, accident or near miss is reported which involves employees of Kent County Council or members of the public (known as 3rd party) affected by the work of Kent County Council including, though not limited to:
- Pupils and parents at Kent County Council maintained schools.
- Service users, customers or members of public meeting Kent County Council employees, whether at Council premises or elsewhere.
- Contractors or subcontractors attending the Council’s premises.
- Councillors, volunteers, temporary and agency workers and consultants working on our behalf as well as anyone else working on behalf of Kent County Council.
We also obtain personal information from other sources as follows:
- Witness statement(s).
- Additional information may be added by the line manager in part 2 of the accident or incident process.
- HSE RIDDOR reporting form F2508 or F2508a.
- Additional information may be added should a KCC HS160 accident or incident manager’s investigation form be completed by the line manager.
For the personal safety device provision, we may collect the following information for staff:
- Personal information about employees such as name, work email address, work phone number, preferred contact number, car registration, type, model and colour and a physical description of them.
- Health and other sensitive information (such as domestic abuse) where relevant.
How we use your personal information
For employees this information is uploaded to their Oracle personnel file. Third party information is loaded onto an Excel spreadsheet. The master copy of this information is held on site by the responsible person. The copies received by health and safety are securely stored and adhere to our retention schedule. All accident or incident cleansed data appears within KCC on a BI Dashboard. This is a statutory requirement.
How long your personal data will be kept
We use the retention periods below to hold your personal information:
- Accident reporting records concerning adults should be kept for 4 years from the date of the incident.
- Accident reporting records concerning children should be kept for 25 years from the child’s date of birth.
- Although RIDDOR states that the date of notification is +3 years, as the accident report forms are attached to these records the RIDDOR records will be managed against the same retention period outlined above.
Reasons we can collect and use your personal information
The lawful basis for holding and processing personal information for the purposes of health and safety incident, accident, near miss and safety concern reporting is that it is necessary for the council to comply with its legal obligations.
The lawful bases for holding and processing special category data for the purposes of health and safety incident, accident, near miss and safety concern reporting are as follows:
- We are legally obliged to report RIDDOR accidents to the Health and Safety Executive.
- We may report incidents of violent behaviour towards our staff to the police.
We, as an employer, have a responsibility under the Management of Health and Safety at Work Regulations 1999 to monitor and review the preventative and protective measures both for employees and members of public, who may be affected by our undertaking.
We also have a legal obligation to report certain types of incidents to the Health and Safety Executive (HSE) as per the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 2013.
The legal basis for holding and processing the information for the personal safety devices is an employment contract agreement. The council has a legal responsibility to do all that is reasonably practicable to keep employees safe as per the Health and Safety at Work Act (etc) 1974 and the Management of Health and Safety at Work Regulations 1999.
Who we share your personal information with
The personal information and health related details captured for health and safety incidents, accident, near miss or safety concern reporting are captured for internal use. However, they may be shared outside the organisation with the HSE if the incident needs to be reported to them in accordance with RIDDOR Regulations 2013 and/or the HSE is investigating the incident or related incidents. It may also be shared with relevant people as part of the evidence in relation to a legal claim.
The personal information, health and other sensitive information for the provision of the personal safety devices is captured on the provider’s secure online portal and the provider has access to all the data on the portal. This is to enable the provider’s Alarm Receiving Centre, which may be provided by a subcontractor, to identify the person requesting assistance and to check they are ok or if they need assistance. The data will also be used to verify that the person responding to the Alarm Receiving Centre is the employee, not a perpetrator pretending to be an employee. Any medical data may be passed on to emergency responders if appropriate to ensure appropriate and safe emergency assistance.
If the initial accident or incident form is completed by a line manager, the form will be sent directly to the QA stage. If completed by anyone else, the form will be shared with the responsible person, who receives an email link to complete the manager approval stage of the form. This data sharing enables the responsible person to undertake any remedial action to prevent a recurrence of the accident or incident. Once this stage has been completed the form goes to the QA stage, where Health & Safety Business support will quality assure the form. The form will then be passed to the appropriate HS Adviser(s), and the HS Management Team will be notified if further investigation is required.
All accident or incident cleansed data appears within KCC on the H&S BI Dashboard.
- The Employee Dashboard can have personal data included in the accident or incident description and manager comments.
- The 3rd party Dashboard shows the legal sex of affected persons and witness name(s) but can contain personal data included in the accident or incident description, manager comments, HS160 manager investigation and additional QA comments.
After QA the completed form only goes to healthandsafety@kent.gov.uk. A copy is sent at submission of the other stages if the manager has a kent.gov.uk email address, as we can't send the details to most external email addresses for security reasons. However, the person submitting the stage has the opportunity to download a copy when they submit.
If a form is received:
- in error from a non-KCC school we notify the sender of their own system, log the contact and reference the form that has not been processed.
- relating to an illness we notify the sender the form is not required, log the contact and reference the form that has not been processed.
- that is undeliverable due to an incorrect manager address we email the person who submitted the form and ask that they resubmit it with the correct details, and we log the contact and reference the form that has not been processed.
The form is not retained, nor is any personal information.
Your rights
Under GDPR you have rights which you can exercise free of charge which allow you to:
- know what we are doing with your information and why we are doing it
- ask to see what information we hold about you (subject access request)
- ask us to correct any mistakes in the information we hold about you
- object to direct marketing
- make a complaint to the Information Commissioner's Office.
Depending on our reason for using your information you may also be entitled to:
- ask us to delete information we hold about you
- have your information transferred electronically to yourself or to another organisation
- object to decisions being made that significantly affect you
- object to how we are using your information
- stop us using your information in certain ways.
We will always seek to comply with your request. However, we may be required to hold or use your information to comply with legal duties. Your request may delay or prevent us delivering a service to you.
For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner's Office (ICO) on individuals’ rights under GDPR.
Keeping your personal information secure
Your information will be held securely by the Health and Safety Team. We will only keep it for as long as we need to fulfil our obligations and to comply with national standards for keeping certain types of data. Once the relevant retention periods are reached, the data will be securely and permanently destroyed.
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Automated decision-making and profiling
Our Health and Safety Team does not use automated decision making processes or profiling in respect of your information for any of the services we provide.
Contact
Contact the Information Resilience and Transparency Team at data.protection@kent.gov.uk to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.
You can contact our Data Protection Officer, Benjamin Watts, at dpo@kent.gov.uk, or write to: Data Protection Officer, Sessions House, Maidstone, Kent ME14 1XQ.
GDPR also gives you the right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner, who may be contacted on 03031 231113.
Read our corporate privacy statement.