In an effort to better protect personally identifiable information, the Department of Labor has issued a Notice of Proposed Rulemaking which would rescind the requirement for establishments with 250 or more employees to electronically submit information from OSHA Forms 300 and 301. OSHA is amending provisions of the “Improve Tracking of Workplace Injuries’ and Illnesses” rule to protect sensitive worker information from potential disclosure under the Freedom of Information Act (FOIA). The agency believes the risk of disclosing personal information, the costs of collecting and using the information, and the reporting burden on employers are unjustified given the benefit of collecting such information is uncertain. Furthermore, OSHA is confident that this proposal maintains safety and health protections for workers while also reducing the burden to employers of complying with the current rule
Injury/Illness Reporting 101
29 CFR Part 1904 requires employers to collect an assortment of information on occupational injuries and illnesses. Employers covered by these rules must capture any recordable employee injury and illness on an OSHA Form 300 “Log of Work-Related Injuries and Illnesses”. They must also prepare a supplementary OSHA Form 301 “Injury and Illness Incident Report” to provide additional details about each case documented on Form 300. Under certain circumstances, OSHA requires employers to provide these records to others, but limits the disclosure of personally identifying information.
At the end of each year, employers are then required to prepare a summary report of all injuries and illnesses on the OSHA Form 300A “Summary of Work-Related Injuries and Illnesses” and post this form in a conspicuous location within the workplace. Form 300 requires employers to log specific information, i.e., descriptions of injuries and the body parts affected, for each individual worker and incident. By contrast, Form 300A simply summarizes incident data without any traceable connection to individual employees.
In 2016, the regulations were amended by OSHA to require most employers to submit this information electronically on an annual basis.
Necessity of Safeguarding Sensitive Information
The injury and illness data submitted electronically from Form 300A to OSHA gives the agency a great deal of information to use in identifying high-hazard establishments for enforcement targeting. However, OSHA has provisionally determined that electronic submission of Forms 300 and 301 adds indeterminate enforcement benefits, while significantly increasing the risk to worker privacy, considering that those forms, if collected by OSHA, could be found by courts to be disclosable under the Freedom of Information Act.
Additionally, the electronic gathering of personal data is subject to cyber-attacks on the Department’s IT system. Last summer, OSHA received an alert from the United States Computer Emergency Readiness Team (US-CERT) in the Department of Homeland Security that indicated a potential compromise of user information for OSHA’s Injury Tracking Application (ITA). As a precaution, the ITA was taken off-line and a complete scan was conducted by the National Information Technology Center (NITC). The NITC confirmed that there was no breach of the data and that no information in the ITA was compromised. Public access to the application was restored within 10 days of the alert. While this incident validated that the security provisions of the ITA works as designed, it also demonstrated that such a large data collection will inevitably encounter malware.
Capturing Employer Identification Number (EIN)
In its 2013 Notice of Proposed Rulemaking (NPRM 78 FR 67254), OSHA limited the data collection to records that employers were already required to collect under part 1904. The May 2016 final rule only required the electronic submission of such records. Providing the Employer Identification Number (EIN) was not, and currently is not, required when submitting illness and injury data. However, that may change with this proposed new rule.
OSHA wants to add a requirement for employers to submit their EIN along with their injury and illness data and now seeks comment as such on this proposed new rule. The agency believes this requirement could reduce or eliminate duplicative reporting and that collecting EINs would increase the likelihood that the Bureau of Labor Statistics (BLS) would be able to match data collected by OSHA to data collected by BLS for the Survey of Occupational Injury and Illness (SOII). The ability to accurately match the data is critical in supplementing the SOII, which in turn would enhance the ability of OSHA and other users of the SOII data to identify occupational injury and illness trends and emerging issues. Additionally, the ability of BLS to match the OSHA-collected data has the potential to reduce the burden on employers who are required to report injury and illness data both to OSHA (for the electronic recordkeeping requirement) and to BLS (for the SOII).
The comment period for OSHA’s Notice of Proposed Rulemaking expires September 28, 2018.