Profiler
Tracer
Auditor
Scout
Insights
Inspections
MetricsJay Finegan, CHMM
Compliance Services Leader
April 2nd, 2018 by Jay Finegan, CHMM
This is the last post in the blog series OSHA Recordkeeping and Electronic Submission Rule Questions, Answered. To read parts 1 and 2, click the links below:
Part 1
Part 2
Answer: Of all the concerns raised when the recordkeeping rule was under development, privacy and information security were among the few that I considered to be truly substantive.
OSHA originally asserted that it would not be collecting personal information and that software will search for and scrub such information if employers submit it. Since OSHA doesn’t want this data, you would think that such submissions would be inadvertent and rare. However, such
information is part of either the OSHA 300 log, the OSHA 301 Injury Report, or both, and the new rule, at present, mandates that certain facilities submit 300 and 301 data. Consequently, I think a lot of personal data can wind up getting submitted, primarily through the unrestricted inquiries in fields 14 through 16 on the 301 form. These are the fields where you would explain the tasks that the worker was performing, how the injury occurred, and the nature of the injury or illness. This puts the onus on the scrubber, and I have my doubts that it will be as effective as it needs to be – especially not initially.
In addition, I would point to recent hacks of a host of government computer systems, including the OMB, the IRS, and the SEC. OSHA’s ITA system was itself breeched last summer.
We also now know that OSHA itself may have some lingering doubts. According to the regulatory agenda OSHA published in December, 2017, OSHA is thinking about eliminating the requirement to submit 300 and 301 data. Other than this aspirational agenda, OSHA hasn’t published
anything formally or informally, but it is definitely something to keep an eye on.
Fortunately, the 300A data that OSHA collected in December contains no personal information, so for now, this is a non-issue.
I believe that concerns over the safety and security of PII were and continue to be well-founded.
Answer: The burden is and always has been on the employer. It may sound a bit like a sales pitch, but it is also time for safety professionals, and environmental professionals as well, to think beyond spreadsheets, which usually means involving the IT department.
First, unless the safety professional relishes spending all that time manually transcribing the data into OSHA’s ITA or preparing the upload spreadsheet, she or he should consider an EHS information system. Switching to such a system will almost assuredly involve the IT department, for evaluating system security, implementing and configuring the tools, or collecting and uploading historical data into the new system.
Second, while EHS professionals – and business professionals in general – love EXCEL, I recently found an interesting article by Brandon Weber of Microsoft, published in the journal of the European Spreadsheet Risks Interest Group. This article discussed certain hazards with spreadsheets, starting out by discussing how so many organizations establish tight controls on their documented policies and procedures – a necessary element of all management systems. But what about the spreadsheet tools upon which they most directly rely for compliance? All too often, these spreadsheets are not managed using these same formal document controls. As a result, these compliance-critical tools are exposed to a variety of risks, such as undocumented – or worse, unauthorized – changes and obsolescence.
Answer: Actually, it was delayed multiple times, including two deferrals in December alone, from December 1st to the 15th, then again from the 15th to the 31st. As noted previously, the next reporting deadline is July 1st, when companies are expected to report the data supporting their 2017 300A Annual Summary, the 300 log, and each of the individual injuries included on the log (the 301 data).
With regard to the 300A data, another extension is unlikely. This is the same data submitted last December, just one year later. But here we are in early April – and I checked yet again this morning – and OSHA has still not released any guidance on how to upload 300/301 data. As noted, OSHA may eliminate this requirement altogether, but even if OSHA doesn’t, an extension of the deadline for submitting this data is very likely.
Compliance Services Leader
