Safety, Health and Environment Department privacy notice

Information you need to know

The Safety, Health and Environment Department (SHE Department) is part of Liverpool John Moores University. See further information on the institution.

Liverpool John Moores University is the Data Controller.

Our Data Protection Officer can be contacted at DPO@ljmu.ac.uk

LJMU takes your privacy very seriously. This privacy notice explains how we use your personal information and your rights regarding that information. We are committed to being transparent about how we collect and use your data and to meeting our data protection obligations.

What information are we collecting?

We may collect and hold personal information such as your name, gender, location, identity number, job title or role, email address and whether you have a relevant physical or health issue.

This information will normally be obtained directly from you or from information you have previously given to the University. Some information may be provided about you by a third party - for example, if you were injured or unwell - by a Security Officer, witness or First Aider.

Special category data is personal data that needs more protection because it is sensitive. We may collect data concerning your health, which is classed as special category data, if it relates to a safety issue at work.

Why are we collecting your data and what is the legal basis for this?

LJMU will collect personal data from you for several reasons and will at all times do so in compliance with the principles of the General Data Protection Regulation (GDPR), and for one of the legal bases set out in Article 6 of the Regulation.

This could be because Health and Safety legislation says we must, or because we have a statutory task to complete in the public interest. Sometimes where we act commercially, we need to use your data, in a responsible manner, because it is in our legitimate interests to do so. In an emergency we may also need to use your personal data because it is in yours or someone’s else’s vital interests.

The personal data we collect is used, for example, for:

  • Risk assessments
  • Personal Emergency Evacuation Plans (PEEPS)
  • Display Screen Equipment assessments (DSE)
  • accident or incident investigations
  • health surveillance referrals
  • reporting to statutory authorities i.e. to the Health and Safety Executive (HSE)under The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR)
  • training records
  • dealing with a SHE enquiry, concern or complaint to us
  • reducing the likelihood of future incidents or cases of work-related ill health
  • improving the University’s health and safety arrangements or culture
  • processing for trend analysis and reporting
  • legal (criminal or civil) claims

Who has access to this data?

Your personal data will be used only by relevant LJMU staff where the data is necessary for them to undertake their designated role.

Examples of relevant staff may include

  • Your Academic Tutor or Line Manager
  • Human Resources Department
  • Health & Safety Advisers
  • Safety Representatives
  • Local H&S Coordinators and Officers
  • Fire Warders and Evacuation Coordinators
  • Staff involved in accident or incident investigations

Examples of external parties we may lawfully share information with include:

  • statutory authorities and public bodies, for example the Health and Safety Executive (HSE)
  • emergency services
  • our insurers
  • third parties or contractors who we employ to help us with our roles – but who will comply to the same standards that we do
  • external auditors

Where possible we will anonymise the data before sharing.

How does the University protect your data?

The University takes data protection very seriously and at all times your personal data will be handled in line with the University’s Information Security Policy.

Paper documents containing personal data will be kept in locked cabinets within our secure offices. All Safety, Health and Environment Department staff complete the University’s mandatory data protection module. The SHE Department has a records retention and disposal schedule.

For how long does the University keep your data?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any future legal or reporting requirements. This will be in accordance with our retention and disposal schedule.

We may retain your data for a considerable time. Health records have to be kept for at least 40 years from the date of last entry because of the possibility of a long period between exposure and onset of ill health. We have to keep a record of any reportable injury, workplace disease or dangerous occurrence for three years.

Your rights

As a data subject, you have a number of rights. You can:

  • access and obtain a copy of your data on request, this could be in a portable electronic format;
  • require the University to change incorrect or incomplete data if you think that it is inaccurate or out of date
  • require the University to delete or stop processing your data, for example where the data is no longer necessary or legally required for the purposes of processing.

If you would like to exercise any of these rights, please contact the Data Protection Officer DPO@ljmu.ac.uk

What if you do not provide data?

Information may be passed to us when you seek assistance from LJMU to make adjustments to our facilities. If we do not have access to all the information we require, we may not be able to fully protect you or others.

Transfers of data outside the UK

Generally, we do not send your personal data outside the UK.  However, in some specific cases, we may transfer the personal data we collect to countries outside the UK in order to perform our contract with you/or a contract with another organisation that requires your personal data i.e. a collaboration agreement with a university based outside of the UK. Where we do this, we will ensure that your personal information is protected by way of an ‘adequacy regulation’ with the UK or by putting alternative appropriate measures in place to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the UK laws on data protection. For example model contractual clauses, data sharing/data processing agreement and binding corporate rules (where applicable).

Automated decision making

We will not make any decisions about you automatically using a computer, based on your personal data.

All decisions affecting you will be taken by a human.

How to complain to the Information Commissioner’s Office?

You have the right to complain to The Information Commissioner if you believe that our processing of your personal data does not meet our data protection obligations.  The Information Commissioner can be contacted:

Post: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK95AF.

Telephone: 0303 123 1113

Email: contact can be made by accessing www.ico.org.uk