Employer access to audiometry data
Well here is a right can of worms and it is important as it has a direct impact on how useful the results are to you as the company employing the people being tested. Is it medical data and subject to full medical confidentiality, or is it a lesser standard of workplace safety data, or something between? It doesn't help that external audiometry service providers have several different approaches, and not all the reasons for their approaches are to do with confidentially and often can be just about locking a client in to them and making it hard for them to go elsewhere. I was going to lump GDPR into this page as well but it became such a subject in its own right that there is now a separate page on audiometry and GDPR. Please do have a look at that page as well as this one.
In-house hearing testing
This one is pretty easy. One person within the organisation is designated as responsible for doing the audiometry, be they a nurse or someone else appointed and trained to do them. It doesn't have to be a nurse or occupational health professional doing it.
They arrange the tests, do them, and then hold the data safely and securely, giving recommendations to other management as individual cases or group results make them see fit. Easy.
External hearing testing providers and employer access to data
This is where it can get more complicated. To tick the 'full medical confidentially' thought off first, this is not the case as, more often than not, the person doing the screening test is not a Doctor or an Audiologist and is more of a technician, so that doesn't meet the same standard as say the medical information a GP would hold. It's not the same as asking a GP to give you the medical records for one of your employees.
What the HSE say about it
To be clear, the regulations say absolutely nothing about it. Not a word. From there on it is purely guidance and even the HSE themselves seem to be in a right muddle over it.
These are some key entries in the L108 Controlling Noise at Work bible:
This bit is one example where says that the employer should only see anonymous audiometry data - basically the number of people tested and the percentages who scored which Category of result.
This entry below meanwhile says that the results should be maintained by the employer, confidentially and separate from HR records, which contradicts the previous advice.
So those two statements don't really help much.
Usefulness of anonymous grouped data and percentages
Let's be frank about the 'anonymous grouped data' bit - unless you have thousands of employees then statistics are useless, you may as well ask a passing pigeon for their thoughts on the matter for all the accuracy it will have. If you have a few dozen or even a few hundred employees, anonymous percentages may as well be a random number written on a piece of paper and pulled out of a village fete tombola during a hurricane.
In L108, the nonsense about anonymous percentages continues with statements such as comparing tables of percentages of Cat 1, Cat 2, etc. from one year to the next and using changes in that to identify whether there are problems with the hearing conservation programme, (L108, page 122). Aside from the uselessness of these percentages without high numbers of employees, comparing percentages of results from year to year is also largely nonsense. In Year 1 and Year 2 of a programme you are testing everyone, but in Year 3 you are testing your Cat 3s and 4s only, and in Year 4 your Cat 2s, 3s and 4s but not your Cat 1s. The in Year 5 you are testing your Cat 1s, Cat 3s and Cat 4s but not your Cat 2s. That makes any comparison of percentages of each Category scored utterly useless from Year 2 onwards. Sometimes I can’t help but think the Powers That Be who wrote the guidance in L108 told an unpaid work experience kid to get on with it and everyone else went to the pub for a long lunch.
Finally, in H&S you have to protect individuals and treat people as individuals, varying protection where needed, which means again means anonymous data fails to meet that basic need.
My advice in light of how I do it
So here are my pearls of wisdom on how to manage the hearing test confidentiality thing, and who should have the data, and why.
Talk to employees
It sounds perhaps a bit obvious, but where it is coming in as a new process, rather than launching it by surprise on employees, talk to them or their reps first. Trust me, you can head off a lot of potential issues that way, for both the employees and employers. For example:
Employees sometimes see it as snooping or some form of weeding-out process. You can reassure them that it most definitely is not and no job is at risk because of it. What it will do is identify people who are more at risk from noise because of already-weak hearing and allow better protection to be provided for them. It's a benefit to them.
Employees may get twitchy about the confidentiality of it. You can reassure them that only one person in the company will see all the data (see below for how to manage it) and if any other person needs to know about it then the employees' consent will be sought first.
It's not only shop-floor employees who benefit from increased communication. Employers get equally twitchy that they are going to get a flood of claims for hearing loss. You can reassure those in the higher stratosphere of comfy-chair management that this genuinely doesn't happen and they can relax.
Decide if you want all the audiometry data or not
Where the hearing testing is being done by an external provider, decide if you want all the data (i.e. all the audiograms and categories for each person) or if you just want the summary data. Some providers give you everything, some give you very little.
My advice is:
Choose a provider who will give you all the audiometry data.
It is YOUR data, being generated for YOUR legislative compliance, on YOUR employees, and YOU are paying for it. IT IS NOT THEIR DATA. Some will hold on to it to coerce clients to come back time and again by making it hard for you to go elsewhere. Some seem to think it is the same level of data as that held by a GP or hospital - no, it isn't. If you have the data you can choose any provider you want in the future and have the testing history to hand for continuity if it is ever needed.
Think of it as renting a bit of kit to do a specific job to meet a need within your business and to comply with your legislative requirements, and as the kit is specialist is comes with someone to operate it for you and gather the data for you, that's all. It is YOUR data. Do not fall for the nonsense that you aren't capable of holding onto it as though you are somehow otherwise leaving HR paperwork scattered all over the staff canteen for all and sundry to see. (Or a genuine case I heard recently, an employer was told they could have the data but had to lock it up in a specific dedicated filing cabinet and send the provider the only key for it - absolutely bonkers!).
You know how you will store your data, you have no control over how the provider stores it.
For GDPR, you know how you are storing your data but how do you know how a service company is storing it? How secure are their servers, their backups, their cloud service providers, etc. Where in the world, literally, are their cloud service or backup providers located so where in the world is your data going? What levels of encryption are used on their data stores and backups? Who are they employing who has access to it?
GDPR says you shouldn't retain data which is of no further use. You can manage that, the provider won't.
Again, GDPR prohibits the retention of data which has no business or compliance use. 98% of all the medical data collected during the audiometry process is of no future use once the test is done as it is no longer relevant or becomes out of date. But, it is highly personal, not only to the individuals concerned but even their relatives, (for example - history of medical issues within the family). GDPR specifically says this data should not be retained however I guarantee no service provider is deleting hearing health questionnaires, so don't let them keep them in the first place. I would even go so far as to say that you, the employer, shouldn't keep the questionnaires either - just give them back to the employee or destroy them as any relevant information will be noted with the audiogram, which GDPR permits retention of, and that way all the rest is then given back to the employee.
Unless you have thousands of employees, statistics are useless to you.
Statistical analysis is utterly utterly vacuous and so pointlessly useless for most companies that I am surprised the HSE wrote that into their guidance, (again, not law, guidance). Unless you have thousands of employees then being told you have 71% Category 1, 10% Category 2 and so on is totally useless. The numbers involved are so small that statistically it is completely unreliable and irrelevant. Also what are you supposed to do with that data? And this leads on it...
You have to protect individuals and treat people differently where needed, so you need individual data.
Having individual data means you can protect individuals, not just groups. A basic part of health and safety is that you are not allowed to treat everyone the same in risk management. You have to acknowledge that for some risks, some people may be more vulnerable than others and then make sure the most vulnerable are also protected. For example, it is decades-long established in law that an employer has to provide extra protection to someone with one eye rather than two as the potential outcome of an eye injury is not good either way, but is so much more severe if they lose their one good eye. The same is true with noise - some people with poor hearing can have a small additional loss in their hearing and it can have a major impact on their life whereas for others the same annual drop in ability will be negligible. Anonymised grouped data means the employer cannot comply with this basic duty. I would even go so far as to argue that anonymised group data is actually illegal.
You know who can access the data if you have it.
If you have the data you know who has access to it, you know who they are and their background. Do you know what the 3rd party's recruitment policy is? Who at their end has access to the data? Who in their office has access to the data? What contractors used by them, from IT systems to cleaners, have possible access to your data? What is the background of everyone in their company who can see and access your data?
When screening providers say they and only they can see the data as only they can properly safeguard it, it is such utter nonsense as to be almost laughable. It's an entirely unjustified over-inflated sense of their own self-importance and also contains a clear implication that you are somehow less worthy. You are better at looking after your data than anyone else. As you may tell, this properly winds me up!
Hearing test record keeping advice
Appoint one person in the company to manage the testing process and hold the data. And to repeat the information above, this must be separate from HR records. HR love to control all records relating to an employer but the HSE are very clear on this one that audiometry records must not be kept in the general personnel files.
As for 3rd party suppliers, clearly they do need to keep an electronic copy of the result as it is then used in future testing for comparison and Category 4 calculations, and that's fine, just don't ever fall for the nonsense that they are somehow better at it than you and that you shouldn't have it at all.
Circulation of hearing test data at work
This is where I perhaps make it a bit more complicated for the poor sod who didn't sit down fast enough when the music stopped and got lumbered with arranging and managing the audiometry programme...
There are other people within the company who may have an interest in the results - a safety committee for example, senior management, etc. For this I would recommend that the audiometry report has two sections, one with the actual data and one with the HSE's beloved trends only. This way the committee or management can be reassured with soothing noises that the programme is progressing and being managed, while the person responsible for it has all the information they need to take individual-specific action.
Retesting cuts through some of the bullshit anyway
Some screening audiometry service providers may say a company should not know the category of result for individual attendees as it's secret stuff that only they as special rarified Audio Gods can know. But, employers and line managers also need to know who is due a hearing test in any particular session so they can release them as needed. With that it doesn't take a genius to work out that it's three years since Brian last had a test so he must be a Category one, while Joe seems to be getting called back every session so he must be a Category 3.
This final detail really does expose the idea of an occupational health screening provider withholding the data from the employer to be the absolute nonsense it is.