Sharing information during major incidents and emergencies guidance for IG professionals
This guidance advises patients and service users on how information may be shared in emergencies, and advises health and care organisations on what they need to consider when sharing information during major incidents and emergencies.
Definitions
For the purpose of this guidance an emergency is defined in line with the Civil Contingencies Act 2004 as:
- an event or situation which threatens serious damage to human welfare in the United Kingdom;
- an event or situation which threatens serious damage to the environment of a place in the United Kingdom; or
- war, or terrorism, which threatens serious damage to the security of the United Kingdom
This would include major incidents as defined in the NHS Emergency Preparedness Resilience and Response Framework, which are:
- events or situations with a range of serious consequences that require special arrangements to be implemented by one or more emergency responder agency
Individual organisations have their own policies and procedures built into their plans to decide when something can be considered an emergency.
Emergency sharing
While a lawful basis is always needed for sharing information, it can be difficult to thoroughly consider all aspects of a disclosure in an emergency. To mitigate this, you should plan ahead to understand common emergency information sharing scenarios so that you can make decisions based on thresholds which have already been discussed by your internal teams.
The Information Commissioner’s Office (ICO) has produced guidance on data sharing in an urgent situation or in an emergency, which emphasises that the UK GDPR and the DPA 2018 do not prevent you from sharing personal data where it is appropriate to do so, and that in an emergency you should go ahead and share data as is necessary and proportionate.
Common law duty of confidentiality
If confidential patient information needs to be shared in response to an emergency, health and care organisations will need to consider how to satisfy the common law duty of confidentiality.
Where an individual’s information is being shared in an emergency to provide them with care, this can be done in line with usual practice.
Where an individual’s information is being shared for purposes outside of individual care, for example sharing with the fire service to protect people from serious harm, the common law basis for sharing the individual’s information is likely to be that the disclosure can be justified in the public interest.
A public interest common law basis can be used where the benefits of sharing the information to protect the individual or society are greater than both the public and patient’s interest in keeping the information confidential, for example, to prevent serious harm or death.
Decisions around making disclosures in the public interest should involve the Caldicott Guardian and Data Protection Officer.
For more detail and practical advice on assessing whether a disclosure can be justified in the public interest, read the General Medical Council's (GMC) guidance Confidentiality: good practice in handling patient information and GMC’s Confidentiality decision tool.
UK GDPR
When using health information, which is classed as a special category of personal data, health and care organisations will need to identify a lawful basis under both Article 6 and Article 9 of the UK GDPR. While the appropriate lawful basis will depend on the nature of the data sharing, the most likely lawful bases to apply in an emergency are:
- Article 6(1)(e) public task; and
- Article 9(2)(h) health and social care; or
- Article 9(2)(i) public health; or
- Article 9(2)(g) substantial public interest
Documenting information sharing
You must keep a record of what information you disclosed, your reasons, and any advice you received. You should ensure that you provide sufficient guidance to individuals involved in this process about how to document this information; this may be done through disclosure logs or on an individual's health record.
Establishing local policies and procedures
Each organisation should establish its own policies and procedures for information sharing in an emergency so that staff members understand their roles and responsibilities. These should set out as a minimum:
- identifying emergency situations where information might need to be shared
- identifying what information you may need to share in an emergency and who with
- key contacts for approving information sharing including Caldicott Guardians, IG teams or senior individuals responsible for IG and security within the organisation
- procedures for out of hours approvals when key decision makers are unavailable
- relevant processes for staff to follow to establish the lawfulness of ad-hoc information sharing (in particular if relying on public interest to share)
- the process for documenting information sharing including any assessments or reasoning (such as public interest tests)
- approved methods of sharing securely including encrypted emails or approved systems, as applicable
- any steps that staff may need to take to ensure that information to be shared is necessary and accurate, and that it is shared only with appropriate people
Transparency
Organisations should ensure that information about the use of data during an emergency is available to service users and patients. This information should be added to the organisation’s privacy notice.
Additionally, organisations may want to consider other measures such as providing guidance to healthcare professionals to guide conversations about sharing information during emergencies.
See the ICO Guidance on Transparency for further information on how to meet your transparency obligations.
Training and awareness
You should regularly train staff on emergency sharing procedures, emphasising confidentiality and public interest disclosures. Conducting simulation exercises can help to ensure that staff are prepared to implement protocols effectively and protect confidential data during real emergencies.
Secure communication
You should ensure that your organisation has communication channels in place for sharing information during an emergency, and that it has assessed those channels as being adequately secure for transferring health and care information.
Any sharing of information should ensure that only those who need to access information for a specific purpose can do so.
You may additionally need to consider plans for communicating if an emergency situation means that these systems become unavailable, for example, in the event of a power cut. Contingencies for this situation should be built into your policies, training and business continuity plans.
Data Sharing and Processing Agreements (DSPA)
It may be possible to plan for emergency sharing beforehand. For example, you may enter into an agreement with your local fire authority about how you will share information in the event of a major fire.
Where this is possible, organisations should look to establish data sharing and processing agreements (DSPA) with relevant parties to facilitate the safe sharing of information between them.
A DSPA will help you to establish and document roles and responsibilities for parties that are sending, receiving or using data.
You should ensure that the DSPA covers all instructions and requirements of the data sharing, such as the agreed use of the data and the agreed retention of the data, and any special requirements.
NHS England have produced template data sharing and processing agreements which can be used for this purpose.
Last edited: 7 May 2026 5:54 pm