Health Data: Access Controls
UPDATE 15th Feb 2025
To ensure continued compliance with GDPR and Data Protection legislation, we have introduced stricter access controls for Health Surveillance and DSE records, which can contain sensitive personal information classified as 'special category data'.
Key Changes
Previously, all OCC managers could view these records for their staff (but not for other managers, unless they had access at a higher level within the company hierarchy).
Now, an additional authorisation is required to access this data.
This authorisation is not automatically granted to all OCC managers, as some are line-managed by others and should not have access to their own records, so this permission may not be appropriate for assistant managers.
How to Get Access
If you need access, you have two options:
Request authorisation from Opus.
Request authorisation from a colleague who already has the permission.
Once granted, you can assign this authorisation to others in your organisation.
NB: resolved injury accidents do not require the additional authorisation, but the access audit process will still need to be completed. See the main article for details.
Authorisation
Who can access tasks and records that have sensitive health data?
Any manager who:
Has access to the site where the employee works AND has been granted health data access authorisation.
How to grant authorisation?
The authorisation for sensitive health data can be found on the manage employee record just above site access:
If you have the authorisation yourself, you can add it to an employee record by clicking on site access and ticking the checkbox:
The authorisation will show on the employee record just above site access:
Accessing Records that contain Sensitive Health Data
If you have any Health Surveillance or DSE corrective action tasks, the data will appear redacted (randomly obscured) and marked with a sensitive label that displays a padlock symbol:
If you don't have authorisation and click on the task, you will see a message like this:
If you need access then please ask someone in your company who already has it. There will be at least one person who has this authorisation.
Access Process
If you do have the authorisation, you will see this access screen, which you need to complete for audit purposes.
Access Reason – e.g., "Line manager resolving health surveillance" or "H&S Manager reviewing open tasks".
Access Expiry – Set how long you need access for. Choose the minimum period of time that you need. (Different types of sensitive tasks will have different maximum expiration periods)
Access Site – Select the scope of access. Select a single employee if you are just going to be accessing one person's records. But if you need to access other records, use the All Employees or Company level to access all records for this period of time.
Once you complete this you can access the task as normal.
Note - once you have access, the tasks will be unredacted according to the scope of access you have applied for.
Injury Accidents
These records also contain health data. For resolved accidents the access process step is required, as these are labelled 'sensitive / injury'. Unlike 'sensitive / health' and 'sensitive / DSE' labelled tasks, this does not require the additional authorisation, i.e. any OCC manager can still access these.
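The rules above (site access first, the health data authorisation only for health and DSE labels, and then an unexpired access grant with a reason whose scope covers the record) can be put together as one policy check. This is an added illustration and not the product's own code; the label strings, the scope encoding ("employee:<id>" or "all") and the sample manager and grant are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Task labels as described in the article. Health and DSE records need the
# extra authorisation; injury records need only the access-process step.
NEEDS_AUTHORISATION = {"sensitive/health", "sensitive/dse"}
SENSITIVE = NEEDS_AUTHORISATION | {"sensitive/injury"}

@dataclass
class Grant:  # one completed access screen: reason, expiry and scope
    reason: str
    expires: datetime
    scope: str  # assumed encoding: "employee:<id>" or "all"

@dataclass
class Manager:
    sites: set  # sites this manager has site access to
    health_authorised: bool = False
    grants: list = field(default_factory=list)

@dataclass
class Task:
    label: str
    employee_id: str
    site: str

def active_grant(mgr, task, now):
    """First unexpired grant with a non-empty reason whose scope covers the task."""
    for g in mgr.grants:
        if now >= g.expires or not g.reason.strip():
            continue
        if g.scope == "all" or g.scope == f"employee:{task.employee_id}":
            return g
    return None

def can_view(mgr, task, now):
    """Site access, then authorisation where the label needs it, then an active grant."""
    if task.site not in mgr.sites:
        return False
    if task.label not in SENSITIVE:
        return True  # ordinary task: site access is enough
    if task.label in NEEDS_AUTHORISATION and not mgr.health_authorised:
        return False  # health/DSE record without the extra authorisation
    return active_grant(mgr, task, now) is not None

# Constructed sample: a manager at site-a holding a two-hour grant for employee e1.
NOW = datetime(2025, 2, 15, 9, 0)
LATER = NOW + timedelta(hours=3)  # after the grant below has expired
ALICE = Manager(sites={"site-a"}, health_authorised=True,
                grants=[Grant("Line manager resolving health surveillance", NOW + timedelta(hours=2), "employee:e1")])
```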
Access Tracking & Audit Trail
The task side panel for sensitive tagged tasks will show:
Current temporary access holders.
Past 7-day access history (including expired access).
Hover over a name to see their reason for access.
A full audit trail is retained for compliance which you can find under Audit Trail under Manage site - additional options.
Why Is The Access Process Necessary?
1. Authorisation Does Not Mean Unlimited Access
Being authorised means a user can access records, but it doesn’t mean they should have unrestricted access at all times.
Health data is sensitive and protected by GDPR, which means access must be justifiable, time-bound, and monitored.
2. Legal & Regulatory Compliance (GDPR & Data Protection Requirements)
GDPR (General Data Protection Regulation) requires that access to sensitive personal data be:
Justified – You must state a reason for access.
Limited in scope – You should only access records relevant to your role at that moment.
Logged for accountability – Every access event must be auditable.
🚨 If we bypass the audit process, we risk breaching GDPR, which can lead to regulatory fines and legal action 🚨
3. Protecting Employee Privacy & Trust
Employees have a right to privacy regarding their health surveillance and DSE records.
Without an audit check, an authorised user could access records without a valid reason, which might be seen as an invasion of privacy or even data misuse.
By requiring a justification before access, we ensure that employees' personal data is only accessed when necessary and for the right reasons.
4. Reducing Business Risk & Protecting the Company
If a data breach or misuse of health records occurs, the Access Audit Log serves as evidence of who accessed what and why.
Without this safeguard, the company would have no clear record of who viewed sensitive information, exposing it to legal disputes and regulatory scrutiny.
5. Minimising Unnecessary Access ("Need-to-Know" Principle)
The Access Audit process prevents casual or habitual access to sensitive records.
Without it, an authorised user might repeatedly view records without immediate necessity, increasing the risk of data leaks or internal misuse.
Balancing Compliance & Usability
We understand the importance of efficient workflows. However, the slight friction of completing an Access Audit is a necessary safeguard to:
✅ Keep your company compliant with GDPR and Data Protection legislation.
✅ Protect employee privacy and ensure trust in the system.
✅ Reduce legal and reputational risks for your business.