Privacy Concerns Lead OSHA to Rescind its Electronic Filing Requirement
In response to concerns raised by employers and to protect worker privacy, the Occupational Health & Safety Administration (OSHA) recently amended its recordkeeping regulations to eliminate the requirement that larger employers submit certain information electronically. The final rule rescinds the mandate that establishments with 250 or more employees electronically submit information from OSHA Form 300 (Log of Work-Related Injuries and Illnesses) and OSHA Form 301 (Injury and Illness Incident Report) to OSHA each year.
OSHA’s electronic recordkeeping rule, enacted during the Obama administration, required large employers to submit a wide range of sensitive data, including descriptions of workers’ injuries and body parts affected, that might be traced back to identify particular employees. Employers raised numerous concerns about how the data might be used if it were to become publicly available, whether intentionally, inadvertently, or under the Freedom of Information Act (FOIA), noting that the disclosure of such information would be a serious breach of employees’ privacy. Many of these concerns were expressed in comments submitted by the E-Recordkeeping Coalition, a group of employers and trade associations. Indeed, data security concerns were validated during a test run of OSHA’s injury tracking application when the Department of Homeland Security informed OSHA of a possible breach of the system. While that potential security issue has since been resolved, it gave credence to the Coalition’s belief that such a large collection of sensitive data would inevitably encounter malware or incentivize cyber-attacks on the U.S. Department of Labor’s IT system.
As OSHA itself acknowledged, by preventing routine government collection of information that may be quite sensitive, OSHA is avoiding the risk that such information might be publicly disclosed under FOIA or otherwise. While the new rule does not address all of the concerns that have been raised, it will better protect personally identifiable information or data that could be traced back to specific individuals. The final rule does not alter an employer’s duty to maintain OSHA Forms 300 and 301 on-site, and OSHA will continue to obtain these forms as needed through inspections and enforcement actions.