Data collection and compliance

The University is required to make records of its work so that it can comply with its legal obligations. This includes collecting data about staff, students and visitors where obligated to do so. Details about these obligations and legal bases for collecting data are listed below:

Health and Safety systems

The University is legally required to record details of incidents involving persons under its care and on its premises. This includes not only incidents that happen to employees in our buildings, but also to students, visitors and members of the public in our buildings, and to employees and students off site undertaking activities organised by the University. These activities include fieldwork, both in the UK and abroad, events organised by departments, and activities organised by University sports clubs.


The Social Security (Claims and Payments) Regulations 1979 requires employers to record all accidents in a book and investigate them. The IRIS system replaces the need for a book and fulfils these requirements in its place.

Find out more about the Social Security (Claims and Payments) Regulations 1979

The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 2013 requires employers to report and keep records of certain categories of incidents that take place. These include any work-related incident where there is: 

  • a fatality 
  • a specified serious injury as detailed in the RIDDOR regulations 
  • an industrial disease as detailed in the RIDDOR regulations 
  • any injury resulting in an employee being incapacitated for more than seven consecutive work days from their normal duties 
  • certain dangerous occurrences 
  • any injury to a person who is not at work, such as a member of the public or student, which is caused by an accident at work and which results in the person being taken to hospital from the site for treatment

Reports of these types of incidents are made to the Health & Safety Executive (HSE) and local authorities by the Safety Office within prescribed timeframes as defined in these regulations. 

RIDDOR regulations also require employers to keep records of incidents that result in employees being incapacitated for over 3 days from their normal duties. These incidents, however, do not need to be reported to the HSE.

Find out more about the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013

For information about confidentiality, medical records and the retention of data relating to Cority, please visit the Occupational Health website:

Confidentiality and medical records  

The University is legally required to record details of workers registered to work with ionising radiation sources. This includes staff, students and visitors undertaking activity on our premises. 

The University is also obligated to keep records of sources of ionising radiation at the University, and machines and other equipment related to their use. This includes details about their use, storage and how they are disposed of.


The Ionising Radiation (Medical Exposure) Regulations 2017 sets out the requirements for the University to keep exposure to ionising radiation as low as reasonably practicable.

Find out more about the Ionising Radiation (Medical Exposure) Regulations 2017

The Environmental Permitting (England and Wales) Regulations 2016 aims to protect the environment, encourage best practice in the operation of regulated facilities and minimise the regulatory administrative burden to the University.

Find out more about the Environmental Permitting (England and Wales) Regulations 2016

The Nuclear Safeguards (EU Exit) Regulations 2019 sets out additional reporting requirements for work with certain isotopes.

Find out more about the Nuclear Safeguards (EU Exit) Regulations 2019

The Carriage of Dangerous Goods and Use of Transportable Pressure Equipment Regulations 2009 governs the transport of dangerous goods including radioactive materials and waste.

Find out more about the Carriage of Dangerous Goods and Use of Transportable Pressure Equipment Regulations 2009

GDPR and your rights as a data subject

Whenever an employer wants to collect and process data about people, whether it’s their employees or members of the public, they must have a legal basis to do this as prescribed by the General Data Protection Regulation (GDPR). The University’s legal basis for collecting and processing incident data stems from the legal requirements set out in legislation detailed on this page. 

As the University has a legal requirement to collect and process this information as defined by the aforementioned regulations, it is under no obligation to explicitly inform the data subject at the time that it is collecting this data about them.

Access to this data is restricted to those who have a legitimate need to know in each department of the University so that they can fulfil their health and safety-related obligations to protect the health and wellbeing of employees at work.

You have the right to seek confirmation of whether incident data is held about you on our systems. If this is the case, you also have the right to request a copy of this data. 

To see what information is held about you, you can submit a Subject Access Request (SAR) to the University’s Compliance Team. For more information on this process, please visit the Subject Access Request webpage.

You have the right to have inaccurate personal data about yourself corrected on our systems.

Requests to make corrections to data held about you by the University can be made by emailing the Information Commissioner's Office.

The University is legally required to retain data for set periods of time. These are defined in UK health and safety legislation including (but not limited to) requirements defined in the Control of Substances Hazardous to Health (COSHH) Regulations 2002, Ionising Radiation Regulations 2017, and records relating to children under the age of 18. 

At the end of any applicable retention periods, the personal data within an accident record and any subsequent investigation is permanently redacted. 

For more information on how to exercise your rights under GDPR, please visit the Individual Rights webpage on the Compliance Team site.