Audiometry and GDPR
The advent of GDPR has the potential to mean huge changes to the way a workplace audiometric testing screening programme is run, particularly regarding data gathering, consent for its use, further dissemination, employee access and rights of an individual to have it deleted.
On the surface there are contradictory obligations on the employer arising in the Noise Regs and in GDPR, where some obligations placed on the employer by the Noise Regs could possibly be prevented from being done via GDPR, but there are elements within each set of rules which provide a route through it.
It should be stated from the off that GDPR does make allowances for data which is gathered for compliance with other regulations, meaning there is no prohibition on gathering data for occupational health screening purposes, but it does add extra provisions to that data gathering, most notably by restricting the obtaining and retention of data which is not necessary.
It was common practice in the past for consent for data collection to be presumed to be given by the attendee, with employees then having the option to withhold that consent from their employer seeing the data if they chose. If an external company was being used to conduct the screening then there was no option for an employee to withhold consent from that external provider both seeing and holding the data. To me that has always been a weak spot as the employee has a closer relationship with their employer than they do with an external company which they have had no choice in selecting.
Under GDPR the practice of presuming consent is no longer allowed - people should actively give consent for their data to be processed. BUT, and this is very important as it fundamentally changes the consent provisions: GDPR also doesn't say that you have to have the consent of individual if there is another lawful basis for gathering it or even if the company has a 'legitimate interest' in holding and processing the data. This means a company can collect the data without explicit consent so GDPR does not day consent has to be obtained for screening audiometry. This applies as there is a legal requirement to gather it and the employer has a legitimate interest in it.
This also means an employee cannot stop an audiometric testing screening process completely by refusing consent for giving their information to anyone at all, just that you have to be sensitive on how you manage it.
The legal requirement for individual employees to attend and to co-operate with the audiometric test process, including the historical health data and results, remains in place and is not superseded by GDPR.
Limiting the health data gathered in audiometric testing
GDPR only permits companies to gather data on individuals which they absolutely need to provide their service or for which permission has been given and this does impact the pre-test health data gathered as part of the screening. For example:
- For a workplace hearing test where referrals are via employee to the employee's GP (which is most hearing testing programmes) with the employer overseeing it, the employee's home address is absolutely not needed and now not allowed to be collected and retained. In these cases the technician conducting the audiometric test tells the employee to see their GP and gives them a letter to take, and the employer may then oversee the referral to ensure they go and to implement any recommendations arising from it. In this case the employee's home address is excess data as it is not needed to be collected by the screening company in any step of the process.
- Even where the screening company writes to the GP on behalf of the employer, the address is no longer needed beyond that letter so should not be retained - the GDPR is very specific that once data is no longer legitimately needed it should be deleted.
- At the extreme end, for a workplace hearing test, even the employee's name technically isn't needed by the external service provider if the employer has payroll numbers as that is a unique identifier for each employee. That distances the external service provider's data from being linked to a specific individual and is an even better standard - GDPR is often about grades of data gathering and retention rather than a binary yes/no. All the external service provider needs is the company name and unique identifier as the employer can link that to a person privately.
- Many health questionnaires ask about family history of health problems however their parents or siblings or children haven't given consent for their data to be disclosed and retained by either the employer or the screening company. Be very careful when retaining any data which links to people beyond the employee concerned.
These four points are not the complete extent of how data gathered should be limited and all the health questionnaire systems used by everyone should be reviewed to ensure only the minimum amount of data needed is collected, and that it does not include data belonging to other people who are not present and who have not given their consent.
Once gathered, limiting the ongoing data held
Once the testing has been completed, there is a mass of data on each person, but, for the vast majority of the data, this is of no future relevance once the audiometric test is complete and is not needed for future testing. The GDPR specifically prohibits this data from being held and retained as there is no longer a legitimate interest in holding it.
I really do mean 'vast majority' here. For most people coming for an audiometric test there are no problems, therefore all that needs to be retained is the result (in terms of the audiogram or table of results) and category of their result, and that's it. All the rest of the health data obtained during the testing process is now irrelevant and in reality will never be looked at again. Meanwhile, for people who do have a hearing issue, of the 30-odd bits of data collected on the health questionnaire, only maybe three or four will be relevant to their case, so again all the rest is excessive and should not be retained.
Keeping data current
There is another reason to get rid of all the excess old data in that GDPR specifically requires that data is update and kept accurate (see 5 (d) here). If a screening company gathers data on tens of thousands of individuals every year and retains all the data gathered, not only is that data largely useless but there is also a legal requirement to keep it up to date. God knows how that can be complied with where the screening company is either not going back to the place where the tests were done frequently, or where they do go back but don't have a specific system for updating old records. In reality, that data is never ever going to be updated again. Which is not allowed any more.
Secure storage and transmission
Data must be processed and importantly stored securely. This means that the data must be stored in an encrypted form and should not be accessible by anyone without some form of password or other security measure to open it. That means no copying data onto standard unencrypted USB sticks, and critically, no emailing of identifiable data without some form of protection on it - email is not a secure medium. That could (would) mean the audiometry report and any re-test schedule should be encrypted and password protected as the frequency of re-tests easily tells people what the results were and is therefore giving personally identifiable data.
Deletion of audiometric test data
A key part of GDPR is that an individual can request deletion of data held about them. However, this does not apply if the data has been gathered and held in order to comply with another legal obligation and is needed for that purpose. So, the retention of the audiometry result or any health information which is specifically pertinent to that individual's audiometric test result does not have to be deleted on request|
If you receive a request to delete data then it has to be enacted within one month, or if you decide the data is necessary to comply with the health screening requirements of the Noise Regs, you have one month to reply to the individual stating this and the reasoning for it.
The guidance for the Noise Regs states you should keep audiometry data for as long as the individual remains in your employment but your insurer may have separate policies requiring it to be kept for far longer. (Page 120, paragraph 39 - employers should keep the health record as long as an individual remains in their employment... [and] may wish to retain it for longer...). Someone may leave your employment and be diagnosed with noise induced hearing loss ten years later and it would be prudent of the employer to be able to still prove what standard their hearing was at the time they left the company. GDPR does not prohibit data retention for this purpose.