Data collection and compliance

The University is legally required to record details of incidents that take place to persons under its care and on its premises. This includes not only incidents that happen to employees in our buildings, but also to students, visitors and members of the public in our buildings, and to employees and students off site undertaking activities organised by the University. This includes fieldwork, both in the UK and abroad, events organised by departments, and activities organised by University sports clubs.

The Social Security (Claims and Payments) Regulations 1979 requires employers to record all accidents and investigate them in a book. The IRIS system replaces the need for a book and fulfils these requirements in its place.

Find out more about the Social Security (Claims and Payments) Regulations 1979.

The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 2013 requires employers to report and keep records of certain categories of incidents that take place. These include any work-related incident where there is:

  • a fatality
  • a specified serious injury as detailed in the RIDDOR regulations
  • an industrial disease as detailed in the RIDDOR regulations
  • any injury resulting in an employee being incapacitated for more than seven consecutive work days from their normal duties
  • certain dangerous occurrences
  • any injury to a person who is not at work, such as a member of the public or student, which are caused by an accident at work and which results in the person being taken to hospital from the site for treatment

Reports of these types of incidents are made to the Health & Safety Executive (HSE) and local authorities by the Safety Office within prescribed timeframes as defined in these regulations.

Additionally, RIDDOR regulations also require employers to keep records of incidents that result in employees being incapacitated for over 3 days from their normal duties. These incidents, however, do not need to be reported to the HSE.

Find out more about the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013.

Whenever an employer wants to collect and process data about people, whether it’s their employees or members of the public, they must have a legal basis to do this as prescribed by the General Data Protection Regulation (GDPR). The University’s legal basis for collecting and processing incident data stems from the legal requirements set out in the Social Security (Claims and Payments) Regulations 1979 and the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013.

As the University has a legal requirement to collect and process this information as defined by the aforementioned regulations, it is under no obligation to explicitly inform the data subject at the time that they are collecting this data about them.

Access to this data is restricted to those who have a legitimate need to know in each department of the University so that they can fulfil their health and safety-related obligations to protect the health and wellbeing of employees at work.

You have the right to seek confirmation of whether incident data is held about you on IRIS. If this is the case, you also have the right to request a copy of this data.

To see what information is held about you, you can submit a Subject Access Request (SAR) to the University’s Compliance Team. For more information on this process, please visit the Subject Access Request webpage.

You have the right to have inaccurate personal data about yourself corrected in IRIS.

Requests to make corrections to data held about you by the University can be made by emailing the Information Commissioner's Office.

The University is legally required to retain all incident data for 3 years from the date of the last entry relating to the incident. Other additional, longer retention periods, as defined by UK health and safety legislation, are sometimes applicable. These include (but are not limited to) requirements defined in the Control of Substances Hazardous to Health (COSHH) Regulations 2002, Ionising Radiation Regulations 2017, and records relating to children under the age of 18.

At the end of any applicable retention periods, the personal data within an accident record and any subsequent investigation is permanently redacted.

For more information on how to exercise your rights under GDPR, please visit the Individual Rights webpage on the Compliance Team site.

Report an incident on IRIS

Report an incident


Log in to the IRIS system

Safety officers only

You must be connected to the University's network or VPN

Log in to IRIS  


IRIS links


Email the team

Can't find a solution to an issue in the FAQ's or guidance materials?

Email the IRIS team


Other resources