Confidentiality of audiometry data
Well here is a right can of worms and it is important as it has a direct impact on how useful the results are to you as the company employing the people being tested. Is it medical data and subject to full medical confidentiality, or is it a lesser standard of workplace safety data, or something between? It doesn't help that external audiometry service providers have several different approaches, and not all the reasons for the approach they take are to do with confidentially and often can be just about locking a client in to them and making it hard for them to go elsewhere. I was going to lump GDPR into this page as well but it became such a subject in its own right that there is now a separate page on audiometry and GDPR. Please do have a look at that page as well as this one.
In-house hearing testing
This one is pretty easy. One person within the organisation is designated as responsible for doing the audiometry, be they a nurse or someone else appointed and trained to do them. It doesn't have to be a nurse or occupational health professional doing it.
They arrange the tests, do them, and then hold the data safely and securely, giving recommendations to other management as individual cases or group results make them see fit. Easy.
External hearing testing providers
This is where it can get more complicated. To tick the 'full medical confidentially' thought off first, this is not the case as, more often than not, the person doing the screening test is not a Doctor or an Audiologist and is more of a technician, so that doesn't meet the same standard as say the medical information a GP would hold. It's not the same as asking a GP to give you the medical records for one of your employees.
From then on there is a lot of interpretation and even the HSE themselves seem to be in a right muddle over it.
These are some key entries in the L108 Controlling Noise at Work bible:
This bit says that the employer should only see anonymous audiometry data - basically the number of people tested and the percentages who scored which level of result.
This entry below meanwhile says that the results should be maintained by the employer, confidentially and separate from HR records, which contradicts the previous advice.
So those two statements don't really help much. This final paragraph adds another dimension to it and says that audiometric test results and the associated health questionnaires are considered confidential and consent is needed to pass them to anyone else, but doesn't say who should hold it initially.
My advice in light of how I do it
So here are my pearls of wisdom on how to manage the hearing test confidentiality thing, and why.
Talk to employees
It sounds perhaps a bit obvious, but where it is coming in as a new process, rather than launching it by surprise on employees, talk to them or their reps first. Trust me, you can head off a lot of potential issues that way, for both the employees and employers. For example:
- Employees sometimes see it as snooping or some form of weeding-out process. You can reassure them that it most definitely is not and no job is at risk because of it. What it will do is identify people who are more at risk from noise because of already-weak hearing and allow better protection to be provided for them. It's a benefit to them.
- Employees may get twitchy about the confidentiality of it. You can reassure them that only one person in the company will see all the data (see below for how to manage it) and if any other person needs to know about it then the employees' consent will be sought first.
- It's not only shop-floor employees who benefit from increased communication. Employers get equally twitchy that they are going to get a flood of claims for hearing loss. You can reassure those in the higher stratosphere of comfy-chair management that this genuinely doesn't happen and they can relax.
Decide if you want all the audiometry data or not
Where the hearing testing is being done by an external provider, decide if you want all the data (i.e. all the audiograms and categories for each person) or if you just want the summary data. Some providers give you everything, some give you very little.
My advice is:
- Choose a provider who will give you all the audiometry data. It is YOUR data, you are paying for it, not theirs. Some will hold on to it to coerce clients to come back time and again by making it hard for you to go elsewhere. If you have the data you can choose any provider you want in the future and have the testing history to hand if it is ever needed. Think of it as renting a bit of kit to do a specific job, and as the kit is specialist is comes with someone to operate it for you, that's all. It is YOUR data.
- For GDPR, you know how you are storing your data but how do you know how a service company is storing it? How secure are their servers, their backups, their cloud service providers, etc. Where in the world, literally, are their cloud service or backup providers located so where in the world is your data going? What levels of encryption are used on their data stores and backups? Who are they employing who has access to it?
- Again, GDPR prohibits the retention of data which has no business or compliance use. 98% of all the medical data collected during the audiometry process is of no future use once the test is done as it is no longer relevant or becomes out of date. But, it is highly personal, not only to the individuals concerned but even their relatives, (for example - history of medical issues within the family). GDPR specifically says this data should not be retained however I guarantee no service provider is deleting hearing health questionnaires, so don't let them keep them in the first place. I would even go so far as to say that you, the employer, shouldn't keep the questionnaires either - just give them back to the employee or destroy them as any relevant information will be noted with the audiogram, which GDPR permits retention of, and that way all the rest is then given back to the employee.
- Statistical analysis is utterly utterly vacuous and so pointlessly useless for most companies that I am surprised the HSE wrote that into their guidance, (not law by the way, guidance). Unless you have thousands of employees then being told you have 71% Category 1, 10% Category 2 and so on is totally useless. The numbers involved are so small that statistically it is completely unreliable. Also what are you supposed to do with that data? And this leads on it...
- Having individual data means you can protect individuals, not just groups. A basic part of health and safety is that you are not allowed to treat everyone the same in risk management. You have to acknowledge that for some risks, some people may be more vulnerable than others and then make sure the most vulnerable are also protected. For example, it is decades-long established in law that an employer has to provide extra protection to someone with one eye rather than two as the potential outcome of an eye injury is not good either way, but is so much more severe if they lose their one good eye. The same is true with noise - some people with poor hearing can have a small additional loss in their hearing and it can have a major impact on their life whereas for others the same annual drop in ability will be negligible. Anonymised grouped data means the employer cannot comply with this basic duty. I would even go so far as to argue that anonymised group data is actually illegal.
hearing test record keeping advice
Appoint one person in the company to hold the data. And to repeat the information above, this must be separate from HR records. HR love to control all records relating to an employer but the HSE are very clear on this one that audiometry records must not be kept in the general personnel files.
Circulation of hearing test data at work
This is where I perhaps make it a bit more complicated for the poor sod who didn't sit down fast enough when the music stopped and got lumbered with arranging and managing the audiometry programme...
There are other people within the company who may have an interest in the results - a safety committee for example, senior management, etc. For this I would recommend that the audiometry report has two sections, one with the actual data and one with the HSE's beloved trends only. This way the committee or management can be reassured with soothing noises that the programme is progressing and being managed, while the person responsible for it has all the information they need to take individual-specific action.
Cut through some of the bullshit
Some audiometric testing service providers may say a company should not know the category of result for individual attendees as it's secret stuff that only they as special rarified Audio Gods can know. But, employers and line managers also need to know who is due a hearing test in any particular session so they can release them as needed. With that it doesn't take a genius to work out that it's three years since Brian last had a test so he must be a Category one, while Joe seems to be getting called back every session so he must be a Category 3. This really does expose the idea of an occupational health screening provider withholding the data from the employer to be the nonsense it is.