Privacy Concerns Lead OSHA to Rescind Its Electronic Filing Requirements

In response to concerns raised by employers and to protect worker privacy, OSHA recently amended its recordkeeping regulations to eliminate the requirement that larger employers submit certain information electronically.
The final rule rescinds the mandate that establishments with 250 or more employees had to electronically submit information from OSHA Form 300 (Log of Work-Related Injuries and Illnesses) and OSHA Form 301 (Injury and Illness Incident Report) to OSHA each year.
OSHA’s electronic recordkeeping rule, enacted during the Obama administration, required large employers to submit a wide range of sensitive data, including descriptions of workers’ injuries and body parts affected, that might be traced back to identify particular employees.

Employer Concerns

Employers raised numerous concerns about how the data might be used if it were to become publicly available either intentionally, inadvertently, or under the Freedom of Information Act, noting that the disclosure of such information would pose a serious breach of employees’ privacy.
Many of these concerns were expressed in comments submitted by the E-Recordkeeping Coalition, a group of employers and trade associations.
Indeed, data security concerns were validated during a test run of OSHA’s injury tracking application when the Department of Homeland Security informed OSHA of a possible breach of the system.
While that potential security issue has since been resolved, it gave credence to the coalition’s belief that such a large collection of sensitive data would inevitably encounter malware or incentivize cyberattacks on the U.S. Department of Labor’s IT system.
As OSHA itself acknowledged, by preventing routine government collection of information that may be quite sensitive, OSHA is avoiding the risk that such information might be publicly disclosed under FOIA or otherwise.
While the new rule does not address all the concerns that have been raised, it will better protect personally identifiable information or data that could be traced back to specific individuals.
The final rule does not alter an employer’s duty to maintain OSHA Forms 300 and 301 on-site, and OSHA will continue to obtain these forms as needed through inspections and enforcement actions.

About the author: Jean Tomasco is an employment lawyer at Robinson+Cole where she is a member of the firm’s Managed Care + Employee Benefit Litigation and its Labor, Employment, Benefits + Immigration Groups. The above article is also available on Robinson+Cole’s Data Privacy + Security Insider blog.
Register now for the OSHA 10-Hour for General Industry Outreach program, Feb. 12–13 at the CBIA Conference Center in Hartford.