What is the impact of GDPR on audiometric testing at work?
On the surface, the Noise Regs and GDPR place contradictory obligations on the employer: some things the Noise Regs require the employer to do could appear to be prohibited by GDPR. However, each set of rules contains provisions that provide a route through the apparent conflict.
It should be stated from the off that GDPR makes allowances for data gathered in order to comply with other regulations, so there is no prohibition on gathering data for occupational health screening purposes. It does, however, add extra provisions to that data gathering, most notably by restricting the obtaining and retention of data which is not necessary.
Obtaining consent for audiometry
GDPR also does not require the consent of the individual where there is another lawful basis for gathering the data, or where the company has a 'legitimate interest' in holding and processing it. This means a company can collect the data without explicit consent, so GDPR does not say consent has to be obtained for screening audiometry. This applies here because there is a legal requirement to gather the data and the employer has a legitimate interest in it.
This also means an employee cannot stop the audiometric screening process altogether by refusing consent to their information being given to anyone at all; it just means you have to be sensitive about how you manage it.
The legal requirement for individual employees to attend and to co-operate with the audiometric test process, including the historical health data and results, remains in place and is not superseded by GDPR.
Limiting the health data gathered in audiometry at work
GDPR only permits companies to gather data on individuals which they absolutely need to provide their service or for which permission has been given and this does impact the pre-test hearing health data gathered as part of the screening. For example:
For a workplace hearing test where referrals are made by the employee to their own GP (which is most hearing testing programmes), with the employer overseeing the process, the employee's home address is not needed. It is excess data, as the screening company does not need it at any step of the process.
Even where the screening company writes to the GP on behalf of the employer, the address is no longer needed once that letter has been sent, so it should not be retained - GDPR is very specific that once data is no longer legitimately needed it should be deleted.
Many health questionnaires ask about family history of health problems. However, the employee's parents, siblings or children have not given consent for their data to be disclosed to, and retained by, either the employer or the screening company. Be very careful about retaining any data which relates to people beyond the employee concerned.
These points are not the complete extent of how the data gathered should be limited. All health questionnaire systems in use should be reviewed to ensure that only the minimum amount of data needed is collected, and that it does not include data belonging to other people who are not present and who have not given their consent.
Once gathered, limiting how long the data is held for
Once the testing has been completed, there is a mass of data on each person, but, for the vast majority of the data, this is of no future relevance once the audiometric test is complete and is not needed for future testing. GDPR specifically prohibits this data from being held and retained as there is no longer a legitimate interest in holding it.
I really do mean 'vast majority' here. For most people coming for an audiometric test there are no problems, therefore all that needs to be retained is the result (in terms of the audiogram or table of results) and category of their result, and that's it. All the rest of the health data obtained during the testing process is now irrelevant and in reality will never be looked at again. Meanwhile, for people who do have a hearing issue, of the 30-odd bits of data collected on the health questionnaire, only maybe three or four will be relevant to their case, so again all the rest is excessive and should not be retained.
Because it is no longer needed, it should be disposed of. This means that both screening providers and employers should not keep hold of completed health questionnaires ‘just in case’.
Keeping audiometry and health data current
There is another reason to get rid of all the excess old data: GDPR specifically requires that data is kept accurate and up to date (see Article 5(1)(d)). If a screening company gathers data on tens of thousands of individuals every year and retains everything gathered, not only is that data largely useless, but there is also a legal requirement to keep it up to date. God knows how that can be complied with where the screening company either does not go back to the place where the tests were done frequently, or does go back but has no specific system for updating old records. In reality, that data is never going to be updated again, which is no longer allowed.
Secure storage and transmission
Data must be processed and, importantly, stored securely. This means the data must be stored in encrypted form and should not be accessible to anyone without a password or other security measure to open it. That means no copying data onto standard unencrypted USB sticks and, critically, no emailing of identifiable data without some form of protection on it - email is not a secure medium. That could (would) mean the audiometry report and any re-test schedule should be encrypted and password protected, as the frequency of re-tests easily tells people what the results were and is therefore itself personally identifiable data.
Employee requesting deletion of audiometry data
A key part of GDPR is that an individual can request deletion of data held about them. However, this does not apply if the data has been gathered and held in order to comply with another legal obligation and is needed for that purpose. So, the retention of the audiometry result or any health information which is specifically pertinent to that individual's audiometric test result does not have to be deleted on request.
If you receive a request to delete data, it has to be actioned within one month; or, if you decide the data is necessary to comply with the health screening requirements of the Noise Regs, you have one month to reply to the individual stating this and the reasoning for it.
The guidance for the Noise Regs states you should keep audiometry data for as long as the individual remains in your employment, but your insurer may have separate policies requiring it to be kept for far longer. (Page 120, paragraph 39 - employers should keep the health record as long as an individual remains in their employment... [and] may wish to retain it for longer...). Someone may leave your employment and be diagnosed with noise-induced hearing loss ten years later, and it would be prudent for the employer to still be able to prove what standard their hearing was at when they left the company. GDPR does not prohibit data retention for this purpose, which is a legitimate interest in the data.
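The retention rules above (keep only the audiogram and category for a clean result, keep only the pertinent questionnaire answers where there is a finding, drop the home address once the GP letter has gone, never hold family history) and the handling of a deletion request (erase within one month, or reply within one month with the reasoning) can be encoded as a small policy. The following is an added example written for this article, not code from any screening provider; the field names, the "category 1 = no hearing problem" convention and the sample record are assumptions.

```python
from datetime import date, timedelta

# Constructed policy for this example; field names and the category convention
# are assumptions, not part of any standard or regulation.
ALWAYS_KEEP = {"employee_id", "audiogram", "category"}   # the Noise Regs health record
NEVER_KEEP = {"family_history"}                            # third parties gave no consent
NO_ISSUE_CATEGORY = 1

def minimise_record(record: dict, gp_letter_sent: bool) -> dict:
    """Keep only what may still be held once the audiometric test is complete."""
    kept = {k: record[k] for k in ALWAYS_KEEP if k in record}
    # The home address is needed only until the GP letter has gone out.
    if not gp_letter_sent and "home_address" in record:
        kept["home_address"] = record["home_address"]
    # Questionnaire answers survive only when there is a finding AND the
    # clinician flagged that particular answer as pertinent to it.
    if record.get("category", NO_ISSUE_CATEGORY) != NO_ISSUE_CATEGORY:
        relevant = set(record.get("relevant_questions", []))
        answers = record.get("questionnaire", {})
        kept["questionnaire"] = {q: a for q, a in answers.items() if q in relevant}
    assert not (NEVER_KEEP & kept.keys())   # guard: family history never gets through
    return kept

def add_one_month(d: date) -> date:
    """Response deadline for a subject request: one calendar month later
    (31 Jan rolls to the last day of February)."""
    y, m = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    try:
        return d.replace(year=y, month=m)
    except ValueError:
        return date(y, m + 1, 1) - timedelta(days=1)

def handle_erasure_request(held: dict, requested_on: date) -> dict:
    """Split a held record into what is erased and what stays under the
    legal-obligation exemption, plus the date by which the employee must hear back."""
    retain = {k: v for k, v in held.items() if k in ALWAYS_KEEP or k == "questionnaire"}
    erase = sorted(k for k in held if k not in retain)
    reason = "health record required by the Noise Regs" if retain else None
    return {"retain": retain, "erase": erase, "reason": reason,
            "respond_by": add_one_month(requested_on)}

# Constructed sample: an employee with a finding, GP letter not yet sent.
SAMPLE = {
    "employee_id": "E-0417", "home_address": "1 Example Street",
    "family_history": "father: hearing loss", "category": 2,
    "audiogram": {"500": 15, "1000": 20, "2000": 35, "4000": 50},
    "questionnaire": {"tinnitus": "yes", "ear_infections": "no", "motorbike": "yes"},
    "relevant_questions": ["tinnitus", "motorbike"],
}
```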