Can employers have access to audiometric testing data?
Well here is a right can of worms and it is important as it has a direct impact on how useful the results are to you as the company employing the people being tested. Is it medical data and subject to full medical confidentiality, or is it a lesser standard of workplace safety data, or something between? It doesn't help that external audiometry service providers have several different approaches, and not all the reasons for their approaches are to do with confidentially and often can be just about locking a client in to them and making it hard for them to go elsewhere.
To tick the 'full medical confidentially' thought off first, this is not the case as, more often than not, the person doing the screening test is not a Doctor or an Audiologist and is more of a technician, so that doesn't meet the same standard as say the medical information a GP would hold. It's not the same as asking a GP to give you the medical records for one of your employees.
What the HSE say about it
To be clear, the regulations say absolutely nothing about it. Not a word. From there on it is purely guidance and even the HSE themselves seem to be in a right muddle over it.
These are some key entries in the L108 Controlling Noise at Work bible:
This bit is one example where says that the employer should only see anonymous audiometry data - basically the number of people tested and the percentages who scored which Category of result.
This entry below meanwhile says that the results should be maintained by the employer, confidentially and separate from HR records, which contradicts the previous advice.
So those two statements don't really help much.
Usefulness of anonymous grouped audiometry data
Let's be frank about the 'anonymous grouped data' bit - unless you have thousands of employees then statistics are useless, you may as well ask a passing pigeon for their thoughts on the matter for all the accuracy it will have. If you have a few dozen or even a few hundred employees, anonymous percentages may as well be a random number written on a piece of paper and pulled out of a village fete tombola during a hurricane. Absolutely useless in the real task of managing noise risks at work.
In L108, the nonsense about anonymous percentages continues with statements such as comparing tables of percentages of Cat 1, Cat 2, etc. from one year to the next and using changes in that to identify whether there are problems with the hearing conservation programme, (L108, page 122). Aside from the uselessness of these percentages without high numbers of employees, comparing percentages of results from year to year is also largely nonsense. In Year 1 and Year 2 of a programme you are testing everyone, but from then on you are not testing comparable groups of people.
In Year 3 you are testing your Cat 3s and 4s only
In Year 4 you are testing your Cat 2s, 3s and 4s but not your Cat 1s.
Then in Year 5 you are testing your Cat 1s, Cat 3s and Cat 4s but not your Cat 2s.
That makes any comparison of percentages of each Category scored utterly useless from Year 2 onwards. Sometimes I can’t help but think the Powers That Be who wrote the guidance in L108 told an unpaid work experience kid to get on with it and everyone else went to the pub for a long lunch.
Finally, in H&S you have to protect individuals and treat people as individuals, varying protection where needed, which means again means anonymous data fails to meet that basic need
Retest dates break anonymity anyway
Just to seal the nonsense of anonymous data somehow keeping the category of result secret and confidential, anyone with half a brain can easily work out what an individual's result was from their retest frequency. If they are getting retested every three years then it was clearly a Category 1, if it's every two years then it was a Category 2, while if it's every year it must be a Category 3 or 4. This makes the anonymous statistical approach even more of a nonsense as clients need to know in advance who is going to be tested and when so they can budget for it appropriately.
Advice on managing audiometry data
So, given the anonymous approach is just daft, here are my pearls of wisdom on how to manage the hearing test confidentiality thing, and who should have the data, and why.
Talk to employees
It sounds perhaps a bit obvious, but where it is coming in as a new process, rather than launching it by surprise on employees, talk to them or their reps first. You can head off a lot of potential issues that way, for both the employees and employers. For example:
Employees sometimes see it as snooping or some form of weeding-out process. You can reassure them that it most definitely is not and no job is at risk because of it. What it will do is identify people who are more at risk from noise because of already-weak hearing and allow better protection to be provided for them. It's a benefit to them.
Employees may get twitchy about the confidentiality of it. You can reassure them that only one person in the company will see all the data and if any other person needs to know about it then the employees' consent will be sought first.
It's not only shop-floor employees who benefit from increased communication. Employers get equally twitchy that they are going to get a flood of claims for hearing loss. You can reassure those in the higher stratosphere of comfy-chair management that this genuinely doesn't happen and they can relax.
Choose a provider who will give you all the audiometry data.
It is YOUR data, being generated for YOUR legislative compliance, on YOUR employees, and YOU are paying for it. It is not the screening provider’s data.
If you have the data you can choose any provider you want in the future and have the testing history to hand for continuity if it is ever needed.
Think of it as renting a bit of kit to do a specific job to meet a need within your business and to comply with your legislative requirements, and as the kit is specialist is comes with someone to operate it for you and gather the data for you, that's all. It is YOUR data. Do not fall for the nonsense that you aren't capable of holding onto it as though you are somehow otherwise leaving HR paperwork scattered all over the staff canteen for all and sundry to see. (Or a genuine case I heard recently, an employer was told they could have the data but had to lock it up in a specific dedicated filing cabinet and send the provider the only key for it - absolutely bonkers!).
You know how you will store your data, you have no control over how the provider stores it.
For GDPR, you know how you are storing your data but do you know the detail of how a service company is storing it? How secure are their servers, their backups, their cloud service providers, etc. Where in the world, literally, are their cloud service or backup providers located so where in the world is your data going? What levels of encryption are used on their data stores and backups? Who are they employing who has access to it? If you want to have complete confidence in the safety of your data storage, store it yourself.
GDPR says you shouldn't retain data which is of no further use. You can manage that, the provider won't.
GDPR prohibits the retention of data which has no business or compliance use. At least 98% of all the medical data collected during the audiometry process is of no future use once the test is done as it is no longer relevant or becomes out of date, especially information on the questionnaires. But, it is highly personal, not only to the individuals concerned but even their relatives, (for example - history of medical issues within the family). GDPR specifically says this data should not be retained however I guarantee no service provider is deleting bits of the hearing health questionnaires they retain to comply with this, so don't let them keep the information in the first place. I would even go so far as to say that you, the employer, shouldn't keep the questionnaires either - just give them back to the employee or destroy them as any relevant information will be noted with the audiogram, which is the pertinent information GDPR permits retention of, and that way all the rest is then given back to the employee.
Unless you have thousands of employees, statistics are useless to you.
Statistical analysis is utterly utterly vacuous and so pointlessly useless for most companies that I am surprised the HSE wrote that into their guidance, (again, not law, guidance). Unless you have thousands of employees then being told you have 71% Category 1, 10% Category 2 and so on is totally useless. The numbers involved are so small that statistically it is completely unreliable and irrelevant. Also what are you supposed to do with that data? Comparing one year against another is hopeless as you are testing different groups of people in different years. And this leads on it...
You have to protect individuals and treat people differently where needed, so you need individual data.
Having individual data means you can protect individuals, not just groups. A basic part of health and safety is that you are not allowed to treat everyone the same. You have to acknowledge that for some risks, some people may be more vulnerable than others and then make sure the most vulnerable are also protected. For example, it is decades-long established in law that an employer has to provide extra protection to someone with one eye rather than two as the potential outcome of an eye injury is not good either way, but is so much more severe if they lose their one good eye. The same is true with noise - some people with poor hearing can have a small additional loss in their hearing and it can have a major impact on their life whereas for others the same annual drop in ability will be negligible. Anonymised grouped data means the employer cannot comply with this basic duty.
You know who can access the data if you have it.
If you have the data you know who has access to it, you know who they are and their background. Do you know what the 3rd party screening company’s recruitment policy is? Who at their end has access to the data? Who in their office has access to the data? What contractors used by them, from IT systems to cleaners, have possible access to your data? What is the background of everyone in their company who can see and access your data?
When screening providers say they and only they can see the data as only they can properly safeguard it, it is such utter nonsense as to be almost laughable. It's an entirely unjustified over-inflated sense of their own self-importance and also contains a clear implication that you are somehow less worthy. You are better at looking after your data than anyone else. As you may tell, this properly winds me up!
Audiometric test record keeping advice
Appoint one person in the company to manage the testing process and hold the data. And to repeat the information above, this must be separate from HR records. HR love to control all records relating to an employer but the HSE are very clear on this one that audiometry records must not be kept in the general personnel files.
As for 3rd party suppliers, clearly they do need to keep an electronic copy of the result as it is then used in future testing for comparison and Category 4 calculations, and that's fine, just don't ever fall for the nonsense that they are somehow better at it than you and that you shouldn't have it at all.
Circulation of hearing test data at work
This is where I perhaps make it a bit more complicated for the poor sod who didn't sit down fast enough when the music stopped and got lumbered with arranging and managing the audiometry programme...
There are other people within the company who may have an interest in the results - a safety committee for example, senior management, etc. For this I would recommend that the audiometry report has two sections, one with the actual data and one with the HSE's beloved trends only. This way the committee or management can be reassured with soothing noises that the programme is progressing and being managed, while the person responsible for it has all the information they need to take individual-specific action.