Does the General Data Protection Regulation (GDPR) apply to Incident Reporting?
BSAC collects incident data for the purpose of research into the monitoring, statistical analysis and reporting on diving incidents to improve diver safety. All published reports are anonymised and do not identify individuals.
GDPR is only concerned with information which can be used to identify living people. GDPR does not apply as BSAC research involves only fully anonymised data (so there is no way of linking it back to the individual it relates to, including through use of a code or numerical identifier).
Personal data is processed securely by Data processors under the authority of a Data controller and is not shared with any third party.
Data controller - means any person who decides the reason for collecting personal data and how it will be used.
Data processor - means any person who processes the data on behalf of the data controller.
Why we ask for certain information:
BSAC collects information on diving incidents using a standardised form helping ensure relevant information relating to an incident can be analysed to understand incident causes and trends. This data may be used for the following purposes:
- to compile an Annual Diving Incident Report
- to investigate and report on specific trends or contributing factors
- to respond to requests from other researchers for specific anonymised data extracts
How we collect information about you:
You may provide information using a standardised form, or any other format, to ensure that relevant information relating to an incident. The types of personal information we collect includes:
- your name and contact details (allowing acknowledgement of receipt of report and any follow up if necessary)
- diving and instructor qualifications and experience
- Diving affiliation(s)
- gender, age
- medical history where relevant to the incident (eg following a DCI being diagnosed with a PFO)
- any other relevant personal information you may provide
You do not need to disclose any personal information if you do not wish to but all such information is handled in confidence and is not disclosed in any report.
How do BSAC process incident data?
Information received from any source relating to diving incidents is processed into an incident database including:
- a synopsis of the incident that records the factual sequence of events without identifying details
- coding specific factors that are not published but can be used for analysis
Is personal information disclosed?
No personal data is disclosed to any party internally or externally outside of the data processor and data controllers.
Only anonymised data is published or provided to external researchers.