Understanding ISO 45001 Clause 6.1.3 Determination of Legal Requirements and Other Requirements

In this article, I’m going to cover clause 6.1.3 Determination of legal requirements, and other requirements which falls under the overarching clause 6 Planning. I’m going to break this clause down and turn it into something you can all understand. 

You’ll then be able to apply this to your own organization's system and understand what the requirements will look like for you.  

Before we get stuck into the actual clause requirements it is important to note that the title of this clause includes Legal requirements and Other requirements. So, we probably all understand what legal requirements are referring to, but what about Other requirements? It’s a bit vague isn’t it? If you use the process of deduction, obviously the Other requirements are NOT the Legal requirements – so what could these Other requirements be?

They can be:

• Your own organization's requirements – so your own system, policies, and procedures.
• Contractual requirements – which could be from your customers or even suppliers. Your customers may have specific OH&S requirements for you to access their worksite for instance.
• Employment agreements – your organization will more than likely have in place employee agreements that do state certain OH&S requirements.
• Industry standards – depending on what industry you are in your overarching industry body or organization may have OH&S requirements.
• Voluntary associations – your organization may have taken on board a voluntary cause that may support an OH&S cause, like a mental health cause for example.

So, you can see just a few examples of what might fall under this vague heading of Other requirements. 

There are 3 key points in this clause that all link back to the opening statement of

The organization shall establish, implement and maintain a process(es) to ... and then the 3 key points are provided. I’m now going to share these 3 key points knowing that you have the understanding that these are all about being established, implemented, and maintained as processes in your OH&S management system. That way I don’t have to repeat that sentence over and over again!

To start off we have ... 

a) determine and have access to up-to-date legal requirements and other requirements that are applicable to its hazards, OH&S risks, and OH&S management system.

Two statements here stand out to me – determine and have access to. The first step is that you need to determine what the legal requirements and other requirements are that are relevant to your activities, products, and services – and of course, the hazards identified – which we covered in clause 6.1.2.1 Hazard identification.

So, where can you find out what requirements are relevant to your business?

It really depends on the resources you have within your organization. I say this as I see a lot of larger businesses have their own internal legal teams. These legal teams are the experts in identifying and determining what is relevant.

We don’t always have access to these resources. If we are a smaller business, it is more than likely that we won’t have our own internal legal team! What I normally see in these circumstances is that the business will have a consultant or a subscription that provides this information.

A subscription I see around a lot is SafetyLaw which falls under a company called Environmental Essentials (yes, they provide both EnviroLaw and SafetyLaw). 

Having this provided externally does take a lot of pressure off you and puts it in the hands of the professionals. That way you can spend your time doing what you’re good and knowledgeable at. However, if you do want to take this on yourself OH&S law is reasonably accessible online. You just need to make sure that you access the requirements of each state, particularly if your business conducts activities in different states. If your business conducts activities internationally you also need to be aware of what is relevant and where, when it comes to OH&S legislation in other countries.

Now, remember the 2 keywords – determine and have access to that I mentioned earlier? All of this so far is about how you will determine your requirements. Don’t forget that once you have determined them you need to ensure that you have access to them also. This might not mean just having access to the legal jargon documents, it will also mean access to how you will apply the requirements within your business through your activities, products, and services.

This is a great segue to the next point in this clause which states

b) determine how these legal requirements and other requirements apply to the organization and what needs to be communicated.

So somehow you have to interpret what the legal requirements and other requirements are and figure out what actions or processes you will take within your OH&S management system to ensure they are applied. This is where it is handy to have a legal team (I wish) or a consultant. Even with a subscription they do tend to turn it into language that we understand and then we know how to apply it to our activities, products, and services. And of course, don’t forget to communicate the application of these requirements internally and externally (whatever is relevant to your business) to whoever is required to be aware of this.

Then the third key point states:

c) take these legal requirements and other requirements into account when establishing, implementing, maintaining and continually improving its OH&S management system.

These legal and other requirements should be embedded into your OH&S management system. So, they become ‘just the way you operate’. These requirements don’t sit in a corner with people too scared to go over there! If they are applied and integrated into your OH&S management system, it becomes part of your day-to-day operations. And of course, it’s important to stay up to date with any changes and then if any changes influence your OH&S management system then it is simply updated. The method you use to determine your relevant requirements will be the method you use to keep up to date with changes.

Then finally, the last sentence of this clause states:

The organization shall maintain and retain documented information on its legal requirements and other requirements and shall ensure that it is updated to reflect any changes.

So, if you are implementing a system, please ensure that you have documented information on how this is conducted as well as evidence of what has been identified and applied.

This is not something that should just be kept in your head. It’s here in black and white that documented information is to be maintained (so a process) and retained (so evidence) on your legal and other requirements. Ensure that what you identify and how it’s applied can be easily demonstrated through your system, procedures, or even a legal register. And of course, be updated when there are changes – which I have already mentioned earlier on when talking about currency.

Now that I’ve explained all of these requirements, can you see more clearly how you could action and demonstrate this within your management system and what it might look like also – seeing as you need to maintain documented information?

Learn even more by completing a qualification in one of our ISO 45001 courses.