Sometimes, “universities and colleges are hesitant to share students’ personal data in an urgent or emergency situation, citing data protection as the problem”. However, the ICO states that this should not be the case and, instead, takes a more pragmatic approach.
Sharing personal data in an emergency
It is unsurprising that universities and colleges throughout the UK store a vast amount of sensitive information relating to their students. For example, they keep data including, but not limited to, a student’s full name, home/term address, e-mail address and phone number. It is also not uncommon for these bodies to hold special category data, such as a student’s racial or ethnic origin, political opinions or data concerning health. In accordance with UK GDPR and the Data Protection Act 2018, it is widely understood that organisations within the UK are required to store data safely. If an organisation is found to have contravened this in any way, or has failed in its obligations or misused data, that organisation could be subject to significant fines.
The ICO recently reiterated its position on sharing personal data in an emergency within the public sector, specifically within education. It is aware that universities and colleges are (sometimes) “hesitant to share students’ personal data in an urgent or emergency situation, citing data protection as the problem”. However, the ICO wants to make it abundantly clear that this should not be the case.
The Information Commissioner, John Edwards, highlighted that universities and colleges “should not hesitate to share students’ personal data to prevent serious harm to the physical or mental wellbeing of a student in an emergency situation or protect a life”. UK data protection law allows for such information to be shared in emergency situations, if necessary.
Principal Policy Adviser in the ICO's Parliament and Government Affairs team, Viv Adams, submits, in simple terms, that university and college staff “should do whatever is necessary and proportionate to protect someone’s life. Data protection allows organisations to share personal data in an urgent or emergency situation, including to help them prevent loss of life or serious physical, emotional or mental health”.
It is worth noting that, although the ICO’s blog related to sharing personal data in an emergency situation within the HEFE sector, UK GDPR and the 2018 Act do not prevent anyone from sharing personal data where it is appropriate to do so.
In any industry or sector, no one can anticipate when an emergency situation may occur. However, the ICO points out that all types of organisations can do their bit.
The ICO advises that all types of organisations should have adequate procedures in place relating to the personal data they hold and whether, and how, they should share any of that information. In line with the accountability principle, the ICO reminds us that organisations should keep a record of the actions they took, making that record in the aftermath of an event if it is not possible to do so at the time.
This article was co-written by Katie Morrison, Trainee Solicitor.