Health and Safety Incident and Near Miss Reporting Privacy Notice
This Privacy Notice explains how we will collect, use, disclose and protect your personal data.
This Privacy Notice applies to staff, students, honorary and emeritus contracts, contractors, temporary workers, visitors and members of the public, and explains how and why we collect and use personal data about you, what personal data is collected and held about you when you report an accident or near miss to Lancaster University, our purposes and lawful bases for processing, who we share your personal data with, how long we retain your personal data for, and how you can exercise your privacy rights.
Throughout this notice, “University”, “we”, “our” and “us” refer to Lancaster University. The University is the Data Controller in respect of the personal data you provide when you report an accident or near miss.
The University is registered as a Data Controller with the Information Commissioner’s Office (ICO). We manage personal data in accordance with the General Data Protection Regulation (GDPR) and our Data Protection Policy.
When you report or are involved in an incident or near miss, we will collect and process the following information:
Name
Staff or student ID number (if applicable)
Internal or external
Email address
Address (work and/or home)
Telephone number
Date of birth
Date of incident
Location of incident
Risk Assessments
We may also process the following “special categories” of more sensitive personal data:
Incident cause
Injury type
Affected body part
Whether first aid was given
Attendance at hospital
Description of reported injury or ill health
Information about your health, any disability and/or medical condition
Health and sickness records, details of time off work
Treatment given
Follow up measures
Photographs of injuries
We may collect further personal data directly from you as part of our investigation into your reported injury or ill health.
The personal data collected as described under this Privacy Notice will either be collected directly from yourself, the reporter of the incident or near miss and/or relevant, appropriate third parties, such as the University’s Occupational Health provider.
Use of personal data
Lawful basis
To appropriately report specific health and safety incidents, occupational diseases or work-related ill health to the Health and Safety Executive (HSE), which meet the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR) or other regulatory reporting requirements
Legal Obligation, Employment, social security and social protection, Substantial Public Interest – DPA 2018, Schedule 1, Part 2, paragraph 6 Statutory or government purposes under relevant Health and Safety legislation
To log, investigate and conduct follow up activities relating to accidents or other events on campus to assist with ensuring the health, safety and welfare of our staff, student and visitors
Legal Obligation, Legitimate Interests – our legitimate interests include learning from incidents and near miss incidents so as to further protect the health, safety and welfare of our staff, students and visitors, Employment, social security and social protection, Substantial Public Interest – DPA 2018, Schedule 1, Part 2, paragraph 6 Statutory or government purposes under relevant Health and Safety legislation
To log, investigate and conduct follow up activities relating to accidents, to assist with assessing and controlling risks to protect our staff
Legal Obligation, Legitimate Interests – our legitimate interests include learning from incidents and near miss incidents so as to further protect the health, safety and welfare of our staff, students and visitors, Employment, social security and social protection, Substantial Public Interest – DPA 2018, Schedule 1, Part 2, paragraph 6 Statutory or government purposes under relevant Health and Safety legislation
To log, investigate and conduct follow up activities associated with health and safety incidents and near miss incidents not meeting the RIDDOR requirements
Legal Obligation / Legitimate Interests – our legitimate interests include learning from incidents and near miss incidents so as to further protect the health, safety and welfare of our staff, students and visitors. Substantial Public Interest – DPA 2018, Schedule 1, Part 2, paragraph 6 Statutory or government purposes under relevant Health and Safety legislation
For Occupational Health and Health monitoring purposes for long term, work-related health conditions.
Legal Obligation / Legitimate Interests – our legitimate interests include learning from incidents and near miss incidents so as to further protect the health, safety and welfare of our staff and students
The University will ensure that the sharing of personal data is in line with data protection legislation and our Data Protection Policy. We may disclose personal data about you to the following third parties:
Line manager/tutor
University insurance provider
University insurance broker
Health and Safety Executive
University Occupational Health provider
University or third-party legal advisors/representatives
The above sharing of special category data will be carried out under one of the following lawful bases: Establishment, exercise or defence of legal claims or judicial acts, Employment, social security and social protection, Substantial Public Interest – DPA 2018, Schedule 1, Part 2, paragraph 20: Insurance, Substantial Public Interest – DPA 2018, Schedule 1, part 2, paragraph 6 Statutory or government purposes under relevant Health and Safety legislation.
Sometimes we, or data processors acting on our behalf, may need to share your personal data with other organisations based within or outside the UK and/or the European Economic Area (EEA)
When it is necessary to share your data with organisations outside of the UK and/or the EEA, we will ensure that there are appropriate safeguards in place, thereby offering a comparable level of protection of your data as within the EEA.
The University has robust Information Security policies in place to protect your information. All staff in the University have a responsibility to make sure that your data is handled securely.
If you wish to exercise your rights, you are advised to first read this information as there are some exceptions to using your rights and many of them are not absolute rights.
Any requests to use your rights over your personal data should be made to the University’s designated Data Protection Officer.
Lancaster University’s designated Data Protection Officer is:
Contact Mike if you have any concerns or complaints about this Notice or about the way your personal data is being used.
Lancaster University is the Data Controller for the personal data that it holds about you. The University’s contact details are:
Lancaster University Bailrigg Lancaster LA1 4YW United Kingdom
If you are not happy with the way the University has handled your concern or complaint then you may submit a complaint to the Information Commissioner’s Office.
