Occupational Health & Safety the new standard
Shockingly, 6300 people per day lose their lives from work-related accidents or diseases. Yes, you read that statistic correctly. According to the International Labour Organisation, 2.3 million people die every year because of work. Although many employers seek out and maintain high standards, it is clear that a new standard must be carefully decided upon and put into action.
The current standard in use is OHSAS 18001. The new standard will use the Annex SL approach. This will aid companies that implement multiple ISO management systems, because they will no longer face similar or identical requirements that come with differing definitions across standards. Drawing on the International Labour Organisation’s guidelines, national standards and other international standards, the new ISO 45001 aims to cut occupational injuries, absences due to illness or injury, and early retirements.
The latest update from the ISO states that the standard is delayed and still in development.
Good guidance
ISO 45001 should provide excellent guidance for an organisation of any size. A small or medium business will need a much simpler system than a large corporation. The requirements of the standard should integrate seamlessly with suitable processes already in place. There is no prescriptive directive or checklist of criteria. The organisation implements what is applicable to it, while retaining oversight of whether employee wellbeing is covered and all needs are being met correctly. There will be no legal requirement: the document is a management tool for voluntary use, which will help minimise risks. Preventing harm also enhances business reputation.
The benefits of the standard are obvious. Any company following the recommendations will gain the reputation of being a safe place to work. If implemented, costs associated with illness and injury will be reduced, and regulations and compliance checklists will be far easier to manage and administer. Productivity should be boosted, and there may even be the financial gain of lower insurance premiums.
Many large companies that rely on a supply chain insist on ISO certification. Gaining the standard advertises the fact that you are a responsible employer, and this can only be a beneficial influence on potential clients. As mentioned earlier, the standard is currently being developed, and we will report on its progress as it becomes available. Do you require certification from your suppliers? Wish there was an automated way to evaluate certificates? Contact us for more information about Rallivo. Our automated supplier validation significantly simplifies ISO-related decisions.
The European GDPR applies to all organisations handling the data of EU citizens; HR must prepare now for its introduction. Despite Brexit, the UK government has indicated that it will implement the EU’s General Data Protection Regulation (GDPR), which will apply from 25 May 2018. Even if it had decided not to, companies dealing with data relating to EU citizens would still be required to comply, because the GDPR will, subject to limited exceptions such as national security, affect not only organisations operating within the EU but also those outside the EU that offer goods and services to individuals within the EU.
The GDPR will apply to companies that fall into two broad definitions: ‘controllers’ and ‘processors’. The definitions are similar to those defined in the Data Protection Act 1998 (DPA) in that controllers say how and why personal data is processed, and processors act on the controller’s behalf. If you are a processor, the GDPR will place specific legal obligations and liabilities on you; for example, you will be required to maintain records of personal data and processing activities. If you are a controller, you are not relieved of your obligations where a processor is involved.
The GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR. While the principles are similar to those in the DPA 1998, there are some additional requirements that UK companies need to be aware of. The most significant is accountability. The GDPR requires you to demonstrate compliance by design. This means ensuring you have adequate systems, contractual provisions, documented decisions about processing, and training in place.
Personal data
Pertinent to an HR manager, and as with the DPA 1998, the GDPR will apply to ‘personal data’ held about employees. However, the GDPR’s definition is broader. Any data that can be used to identify an individual is considered to be personal data. It can include things such as genetic, mental, cultural, economic or social information, and IP addresses. Even ‘pseudonymised’ data may fall within scope, depending on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive personal data, known as ‘special categories of personal data’, is broadly similar to the DPA 1998, but there are some minor changes that will need to be addressed. It will include genetic data, and biometric data where processed to uniquely identify an individual.
The issue of ‘consent’, where it validates the use of personal data, is also a significant development. Organisations need to ensure they are explicit when seeking consent and detail how they will use the information. An individual’s silence or inactivity will generally no longer be considered as consent.
Tips for HR professionals
HR professionals need to start acting now to ensure they’re compliant. Here’s our list of actions to consider:
Do you need to appoint a data protection officer?
Under the GDPR, some companies will be required to have one, including public authorities processing personal information; organisations whose ‘core activities’ require ‘regular and systematic monitoring of data subjects on a large scale’; or where there is large-scale processing of special categories of data.
Do you protect privacy by design? This emphasises the importance of measures such as privacy impact assessments (PIAs). As a data controller, you can use PIAs to assess where privacy breach risks exist and how to minimise them.
Have you adequate systems in place to manage data breaches that may arise and to comply with the notification requirements? The GDPR requires your local data protection authority to be notified of a data breach within 72 hours of discovery.
Will you be able to comply with the right to be forgotten if the data subject requests it?
Will you be able to ensure compliance with the more restrictive principles of not holding data longer than absolutely necessary, and not changing how you use such data from the original purpose(s) specified?
So why is all this so important? Why do you need to consider this now? Simply, because the penalties that can be imposed will increase substantially. Depending on the ‘tier’ of the breach, fines can be up to £20,000,000 or 4 per cent of total annual global turnover (not profit) for the preceding financial year, whichever is the greater. If that were not enough, we are all aware of the PR consequences for those organisations that have recently been victims of data breaches. So, while it seems some way off, there is a lot to be done between now and May 2018. Data controllers and processors need clarity on what data they hold and how the personal data is used. You need to make sure your systems protect privacy by design, internally and externally, and that contractual provisions are in place with your clients and your service providers to ensure compliance and that adequate indemnities exist.