Data Protection Policy
The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Cap 586) regulate the processing of personal data, whether held electronically or in manual form. The Occupational Health and Safety Authority (OHSA) is committed to complying fully with the data protection principles set out in that legislation.
Purposes for collecting data
OHSA collects and processes information in order to carry out its legal obligations under the prevailing legislation, the Health and Safety at Work Act (Chapter 646 of the Laws of Malta). All data collected is processed in compliance with data protection legislation.
Recipients of data
Personal information is accessed only by OHSA personnel who are assigned to carry out the functions of the Authority in line with its duties prescribed at law. Personal data is not divulged to third parties; exceptions apply only where such disclosure or processing is authorised by law.
Your rights
Your rights as data subjects in connection with the processing of your personal data are:
- The right to receive a copy of your personal data undergoing processing, including information in relation to the processing activities.
- The right to request us to rectify personal data you think is inaccurate. You also have the right to ask us to complete personal data you think is incomplete.
- The right to request the erasure of your personal data in certain circumstances.
- The right to request the restriction of your personal data in certain circumstances.
- The right to portability of your personal data in relation to information that you have given us.
- The right to object to the processing of your personal data where we process it on the basis that the processing forms part of our public tasks or is in our legitimate interests.
- The right to not be subject to a decision based solely on automated processing including profiling.
- The right to withdraw your consent at any time, where applicable.
Requests to exercise your rights are free of charge and should be made in writing and sent to the Data Protection Officer of the Occupational Health and Safety Authority (OHSA). Your identification details, such as ID number, name and surname, must be submitted with the request so that your identity can be verified. Where the controller has reasonable doubts concerning your identity, you may be asked to provide additional information necessary to confirm it.
The Occupational Health and Safety Authority aims to comply with each request as quickly as possible and is obliged to respond without undue delay and at the latest within one (1) month of receipt of the request.
The rights exercised by a data subject may be limited or restricted, where necessary, under applicable law.
Retention Policy
Personal data held by OHSA will be kept only for as long as there is an administrative need to keep it in order to carry out the Authority's business or support functions, or for as long as it is required to demonstrate compliance for audit purposes or to meet legislative requirements, as per the relevant legal basis.
As part of its operating requirements, OHSA requests, keeps and maintains a wide range of documentation, including personal data. Data is classified according to its type, sensitivity and importance to business operations, as follows:
| Category | Retention Period | Justification |
| --- | --- | --- |
| Operational data, including documentation in relation to investigations, inspections, enquiries and complaints. The data consist mainly of names, surnames, ID numbers and/or other identification numbers, contact details, etc. | 7 years after case closure, or as required by Chapter 646 of the Laws of Malta and subsidiary legislation enacted thereunder | Compliance with Chapter 646 of the Laws of Malta and subsidiary legislation enacted thereunder |
| Asbestos-related and latent disease records. Cases involving chemicals, asbestos and anything which may involve a long latency period. The data consist mainly of names, surnames, ID numbers and/or other identification numbers, contact details | 50 years after case closure, or as required by Chapter 646 of the Laws of Malta and subsidiary legislation enacted thereunder | Compliance with Chapter 646 of the Laws of Malta and subsidiary legislation enacted thereunder |
| Medical / health surveillance records. The data consist mainly of names, surnames, ID numbers and/or other identification numbers, contact details | 40 years after case closure, or as required by Chapter 646 of the Laws of Malta and subsidiary legislation enacted thereunder | Compliance with Chapter 646 of the Laws of Malta and subsidiary legislation enacted thereunder |
| Financial records, including procurement documentation | 10 years | Compliance with OHSA legislation, public procurement legislation, tax laws, accounting requirements and any other applicable legislation, inter alia CAP 646 of the Laws of Malta, CAP 601.07, CAP 123, CAP 406, CAP 452 |
| HR documentation and employee records | 5 years after the termination of employment | In line with the Government's HR corporate procedures and the Public Service Management Code |
| Sick leave certificates | 1 year from date of submission | HR legal obligations: required for compilation of yearly sick leave utilisation information. Also pursuant to CAP 318 of the Laws of Malta |
| Work Opportunity Schemes | 1 year from termination | HR legal obligations in line with the Government's corporate procedures and the Public Service Management Code |
| Employee attendance | 1 year | HR legal obligations in line with the Government's corporate procedures, the Public Service Management Code and CAP 452 of the Laws of Malta |
| Customer data, including payments of fines paid in full and settled | 18 months after the last transaction, or as required by Chapter 646 of the Laws of Malta and subsidiary legislation enacted thereunder | Required for financial and statistical purposes pursuant to CAP 422 and CAP 646 |
| Emails and communication | 3 years, then review for further relevance | Case follow-up and record keeping |
| Unsuccessful recruitment candidates | 1 year from conclusion of the recruitment procedure; application forms for positions co-financed from EU Funds: 8 years from conclusion of the recruitment process | HR legal obligations in line with the Government's corporate procedures and the Public Service Management Code |
| Jobsplus report | 1 year from end of recruitment process | To comply with HR legal obligations |
| Visitor logs | 6 months from visit | In line with applicable standard operating procedures |
| Course details (internal and external) | 2 years | To comply with HR legal obligations |
| Documents relating to EU funding programmes | 10 years after project completion or after the conclusion of that EU programming period (whichever comes last) | Compliance with EU funding programmes |
| Documentation in relation to all forms of litigation, including arbitration | 7 years from final judgement (including Court of Appeal, where applicable) | Compliance with Chapter 646 of the Laws of Malta and subsidiary legislation enacted thereunder |
| Facebook messages involving complaints | 5 years | Compliance with Chapter 646 of the Laws of Malta and subsidiary legislation enacted thereunder |
| Phone complaints | 5 years | Compliance with Chapter 646 of the Laws of Malta and subsidiary legislation enacted thereunder |
| Application forms for awards | 2 years | Record keeping for statistical and financial purposes |
| Attendance for events | 5 years | Audit requirements imposed by the EU |
| Photos and videos of events and conferences (which do not possess any historical or other value to the Authority) | 15 years | Promotional and advertising purposes. The legal basis is consent. |
| Consent forms for photos and videos | 15 years | Record keeping purposes |
| Photos and videos of events and conferences which have been co-funded | 10 years | Compliance with EU requirements |
| OHSA competent person register | 18 months after the last prescribed renewal date | Compliance with Chapter 646 of the Laws of Malta and subsidiary legislation enacted thereunder |
| Files containing reference to inspections, including all ancillary documentation, where no further action was necessitated | 18 months | Compliance with Chapter 646 of the Laws of Malta and subsidiary legislation enacted thereunder |
| Published judgements or decisions on the OHSA website | 18 months after their publication period has expired | Public interest |
| Data on special compromise fines | 18 months | Case follow-up and record keeping |
| Cases where any legal action, be it criminal or civil, is instituted | 18 months from case closure or from when the case is no longer actionable | Compliance with Chapter 646 of the Laws of Malta and subsidiary legislation enacted thereunder |
| Files related to accident investigations where no further action was necessitated | 18 months | Compliance with Chapter 646 of the Laws of Malta and subsidiary legislation enacted thereunder |
| Social media posts and photos | 10 years | Posterity purposes |
Any personal data processed by OHSA, for example as part of a project or case, or for managing staff, is kept for as long as there is a business need; otherwise it is destroyed at the earliest opportunity. OHSA makes a proportionality assessment on a case-by-case basis: personal information that is interwoven throughout a record remains part of the casework file, so that the records are a complete and accurate account of the work conducted throughout the case. Personal data collated in the course of a consultation is disposed of, and only the responses are kept for reference.
Although OHSA has stipulated the retention periods detailed above, we have also implemented a review period for our records. This ensures that we regularly review our records to determine whether they should be kept for longer or shorter periods of time.
Security of Documentation
Documentation is maintained in an accessible but secure location, with access provided only to officials who hold the clearance level required for the relevant documentation. For documents containing sensitive personal data that require a higher clearance level, access control protocols are fully adhered to, so that only those with the required security clearance can access such documentation.
In the case of personal data, the GDPR also requires that only those who need to process the personal data have access to personal records, and only on a need-to-know basis.
Access to data is restricted based on job roles and responsibilities. Personnel found to be in breach of these security protocols, and therefore in breach of the GDPR, will be subject to disciplinary action.
Manual vs Electronic Records
In terms of retention periods, the same retention period applies to both electronic and manual records.
Data Storage and Management
This data retention policy aims to strike a good working balance between the retention of useful and meaningful information, in line with the provisions of the relevant legislation, and the disposal of information which is no longer required and would otherwise be archived unnecessarily.
Upon reaching the end of its retention period, data is disposed of securely and in a manner that prevents its recovery. Electronic data is deleted using methods that render the data unrecoverable, and physical records are shredded or incinerated.
Anonymised or statistical data do not fall within the scope of this data retention policy, since they do not constitute identifying personal data.
Policy Review and Updates
This policy will be reviewed annually, or more frequently if necessary, to reflect changes in legal requirements, business operations or technology. Amendments will be communicated to all relevant parties.
The Data Protection Officer
The Data Protection Officer may be contacted on:
17, Edgar Ferro Street, Pietà
Telephone: 138
Email: gdpr@ohsa.mt
The Data Controller
OHSA’s Chief Executive Officer as the Data Controller of the Authority, may be contacted at:
Telephone: 138
Email: ohsa@ohsa.mt
The Information and Data Protection Commissioner
You have the right to lodge a complaint with the supervisory authority, which can be reached at the following contact details:
The Information and Data Protection Commissioner
Airways House,
Triq il-Kbira
Tas-Sliema SLM 1549
Telephone: +356 2328 7100
Email: idpc.info@idpc.org.mt
Website: https://idpc.org.mt
OHSA, April 2025