Design notes: how OWHS was built

OWHS · essay two of two · July 2026 · read the case first

A data standard is a long series of judgement calls, and the reader deserves to know which calls were made, why, and which ones we are least sure about. These notes summarise the reasoning behind version 0.1. The full specification carries the detail, including a section we think every standard should have and few do: an honest list of our own most disputable decisions.

Borrow definitions, never invent them

The first rule of the design: where an authoritative UK definition exists, OWHS adopts it verbatim and cites it, and where none exists, OWHS says so openly rather than dressing an invention up as an anchor. Absence reasons use the ONS taxonomy, so an organisation's rate is comparable with the national series. The psychosocial constructs anchor to the HSE Management Standards' six domains, in HSE's own words. Return-to-work adjustments use the statutory fit note's "may be fit" categories, which turn out to be a ready-made controlled vocabulary that nobody had treated as data. Statutory entitlement follows Statutory Sick Pay's own rules. The one place we had no incumbent to borrow from is the one government itself flags as unmeasured: return-to-work outcomes. Our five-value outcome list is honest invention, marked provisional, with one deliberate refinement: an exit through ill-health retirement is recorded distinctly, so that "did not return" can never quietly absorb the most serious outcome an absence can have.

Privacy is conformance, not a promise

Most data specifications treat privacy as guidance for implementers. Workplace-health data is too dangerous for that, because the person the data describes works for the organisation that holds it. So OWHS makes the privacy rules part of the standard's definition of validity. A payload containing a name, an email address or a date of birth is not a badly behaved record: it is structurally invalid, rejected by the schema itself. Aggregates below five people are not hidden by polite convention: a conforming producer refuses to emit them, ten for severe-distress measures, in line with the small-cell suppression used in official statistics. Safeguarding-category signals, bullying and harassment among them, never appear in employer-visible output at any group size, because the employer may be the source of the harm. And every aggregate travels with its completion rate and a record of what was suppressed, so a reader can always see what is not being said.

The most contestable decision in the whole design sits here, and we prefer to name it ourselves. There is a small, exhaustively enumerated class of information an employer may lawfully hold about an identified individual: a released occupational-health fitness opinion, a reasonable adjustment under the Equality Act, a return-to-work plan the worker is party to. We created a visibility class for exactly these, the only class exempt from the aggregation floor, carrying no clinical content, ever. A privacy purist would argue a workplace-health standard should refuse to normalise any individual-level, employer-visible field. We think that position makes the occupational-health and adjustments entities useless to the small-company manager who lawfully holds this information anyway, and that the bounded, schema-enforced version is safer than the unstandardised status quo. But it is a judgement, not a fact, and it is flagged as such in the specification.

Identity that cannot leak

Records need to link within an employer over time, and must never link across employers or back to a person. OWHS does this with a keyed one-way hash: each organisation holds one secret, the pseudonym is derived from it, and the secret never appears in any payload. The same person at two employers produces two unrelated identifiers, and no party holds a key that could join them. Cross-employer linkage is not forbidden by policy; it is impossible by construction. A cryptographer would note that a per-worker-salt design in dedicated hardware would be stronger, and they would be right. It would also be unimplementable by a twelve-person company, and a standard small employers cannot implement protects nobody. We chose one secret, one library call, and said so.

A vendor-neutral core, with a boundary that gets tested

Every field in the core passed one test: would a competing broker, an HR software vendor and an occupational-health provider all recognise this as their concept too? Anything that failed went behind the profile boundary, a labelled extension mechanism through which any vendor can carry product-specific machinery without touching the core. A profile may narrow the core but never widen it, and above all may never weaken a privacy rule. The first profile is the steward's own, and that is deliberate: if the company that wrote the standard can express its own product entirely as an extension, without a single special accommodation in the core, the boundary is in the right place. The standard's first conformance test is aimed at its own author.

Occupational health, handled with respect

The hardest scoping call was occupational health, which sits closer to a clinical record than anything else an employer touches. We put the referral-to-opinion envelope in the core, because it is precisely what small employers buy OH for, and the categorical fitness opinion is the operational output a manager acts on. But the boundary is enforced in schema: no diagnosis, no symptoms, no report text, no clinical codes can appear in an OHEpisode, and an opinion appears only where its release to the employer is recorded. Statutory health surveillance and sector-specific screening live in a named profile, so the core is never burdened with hazard-specific machinery most companies will never need.

What we deliberately left open

A proposal published before the national definitions exist should hold its provisional choices loosely, and the specification does this in the open. The sustained return-to-work checkpoints are recommendations, not locked values, because the Workplace Health Intelligence Unit may define different windows. Disability participation, the WHIU's third measure, is a reserved entity, deliberately minimal, because inventing semantics government is about to define would help nobody. A namespace is reserved throughout for national definitions to supersede ours. And the safeguarding-category list, the line that decides what an employer never sees, is explicitly a governance decision rather than an implementer's one: it ships provisional, and ratifying it is designated one of the first formal acts of the co-steward governance body, because a line that important should not be drawn by one firm alone.

That last sentence is the design philosophy in miniature. The specification includes its own list of disputable decisions, its own inventory of assumptions the national unit could contradict, and a public decision log that started before the standard was announced. We would rather publish our reasoning and be corrected than publish conclusions and be believed.

The full specification, schemas, worked examples and the honesty pass are available on request ahead of public release: hello@openworkplacehealth.org. For why the standard exists at all, read the case.