Should auditors have access to audiometry data?
The larger the company, the more auditors it tends to attract: some looking for something specific such as compliance with ISO standards, some checking general company-wide policies, and some sent by insurers. It is common for these people to ask to see audiometry (and spirometry) records to verify that the health surveillance system is working.
Here is an unambiguous statement on it: auditors must never be permitted to see individual results without the explicit consent of the individuals to whom that data relates. Consent from employees as a group does not suffice; it must come from the specific individual whose data they want to see.
Auditors often seem to think that because they want to see it to do a job, or because company policy says that is the job they should be doing, they somehow have the right to see individual records. THEY DO NOT.
They can see anonymised data on tests completed or the status of tests due, but without explicit consent, nothing pertaining directly to an individual. That means no result categories, and no retest dates either: an individual's retest interval is set by their result category, so the date reveals the result almost as plainly as the category itself.
GDPR allows personal data, including health data, to be disclosed where there is a legal basis for doing so. An HSE inspector exercising statutory inspection powers has that basis, so if an inspector visits and asks to see the records, they may. Internal auditors, or auditors from an insurance company, are doing their job for reasons other than a legal requirement: those audits exist purely as a management tool. They can see general data such as numbers due or overdue, percentages in each result category, what batches of testing are planned for the year, and so on, provided none of it can be used to link a person to their result. Be careful with breakdowns by small teams or sites: a percentage that corresponds to one or two people identifies them as surely as a named list, so aggregate at a level where no category is that sparsely populated.
Some claim that their work is the double-check that the company is meeting its general duty of care, but no, that stretches it far too far, and as someone once said, such nonsense doth butter no parsnips. An internal auditor assessing compliance with in-house procedures or some ISO standard does not have the legislative backing that would justify their wish to see individual data.