Data sharing in an urgent situation or in an emergency
At a glance
In an emergency you should go ahead and share data as is necessary and proportionate.
An example of an emergency situation is the risk of serious harm to human life.
You should plan ahead for urgent or emergency situations as far as possible.
In more detail
- What should we do in an urgent or emergency situation?
- How can we plan ahead for data sharing in urgent or emergency situations?
Much of this code envisages that you are carrying out data sharing on a routine basis and that you have the opportunity and time to plan carefully ahead. However this might not always be the case.
What should we do in an urgent or emergency situation?
Urgent or emergency situations can arise that you may not have envisaged, and you have to deal with them on the spot.
In an emergency, you should go ahead and share data as is necessary and proportionate. Not every urgent situation is an emergency. An emergency includes:
- preventing serious physical harm to a person;
- preventing loss of human life;
- protection of public health;
- safeguarding vulnerable adults or children;
- responding to an emergency; or
- an immediate need to protect national security.
Tragedies over recent years such as the Grenfell Tower fire, individual instances of self-harm, major terrorist attacks in London and Manchester, and the crisis arising from the coronavirus pandemic have illustrated the need for joined-up public services responses where urgent or rapid data sharing can make a real difference to public health and safety. In these situations, it might be more harmful not to share data than to share it. You should factor in the risks involved in not sharing data to your service.
How can we plan ahead for data sharing in urgent or emergency situations?
In an urgent or emergency situation, you have to take decisions rapidly. Often, forward planning helps. In the same way as emergency services plan for various scenarios, you should plan ahead for your organisation and train your staff accordingly. In urgent or emergency situations, when there is less time to consider issues in detail, it can be particularly difficult to make sound judgements about whether to share information.
Likewise, there can be reasons why organisations and agencies are hesitant about the concept of sharing information when carrying out emergency planning, or about sharing it in the recovery phase of an incident, where the need to share information may appear less urgent.
The key point is that the UK GDPR and the DPA 2018 do not prevent you from sharing personal data where it is appropriate to do so. It is particularly relevant to factor into your considerations, training and procedures for this type of situation the risks involved in not sharing data.
Where possible, if you are likely to be involved in responding to emergency or critical situations, you should consider the types of data you are likely to need to share in advance. As part of this it would be useful to consider any pre-existing DPIA, and also refer to your business continuity and disaster recovery plans. As part of your planning, you should bear in mind that criminals might use a major incident or crisis as an opportunity to try to obtain personal data unlawfully. Therefore, the security measures outlined earlier in this code still remain relevant and necessary in times of urgent sharing.
All this should help you to establish what relevant data you hold, and help to prevent any delays in an emergency or crisis situation.
All types of organisations might have to face an urgent but foreseeable situation, so you should have procedures about the personal data you hold and whether, and how, you should share any of this information. As part of your accountability duty, you should document the action you took after the event, if you can’t do it at the time.
Example
The police, the fire service and local councils met to plan for identifying and assisting vulnerable people in their area in an emergency situation such as a flood or major fire. As part of the process, they determined what type of personal data they each held and had a data sharing agreement to set out what they would share and how they would share it in an emergency.
They reviewed this plan at regular scheduled intervals.