Emergencies condition

In detail

• What is the emergencies condition?
• Is it appropriate to use recognised legitimate interest in every emergency situation?
• How do we apply the emergencies condition?

What is the emergencies condition?

Sometimes you may find that you need to deal with an emergency event or situation. The UK GDPR enables you to use people’s information quickly, where needed, and doesn’t stop you from using that information in ways that are necessary and proportionate to respond to an emergency. Recognised legitimate interest gives you a lawful basis for this situation.

Annex 1 of the UK GDPR says:

3. This condition is met where the processing is necessary for the purposes of responding to an emergency.

4. In paragraph 3, "emergency" has the same meaning as in Part 2 of the Civil Contingencies Act 2004.

We call this the ‘emergencies condition’. You can use this condition if the event or situation you’re faced with meets the definition of an emergency as set out in the Civil Contingencies Act 2004 (CCA 2004). If the circumstances don’t meet this broad definition, you can’t meet the requirements of this recognised legitimate interest condition. You would need to look at a different recognised legitimate interest condition (eg the situation may relate to national security or public security) or to another lawful basis.

The definition of an emergency in part 2 of the CCA 2004 covers a wide range of circumstances:

• war and terrorism that threatens serious damage to the security of the UK;
• an event or situation that threatens serious damage to people’s welfare in the UK; and
• an event or situation that threatens serious damage to the UK environment.

In other words, it can’t be minor or trivial. It’s foreseeable the event will imminently cause significant or severe harm or destruction.

The emergency, or the impact of the event, doesn’t have to cover the whole of the UK. It can be confined to a particular area. An event or situation abroad can also be a qualifying emergency, so long as it threatens serious damage in the UK. Given the global and inter-connected nature of many infrastructure systems, you may find you need to use personal information to respond to an emergency event or situation outside the UK.

The CCA 2004 says an event or situation threatens serious damage to people’s welfare only if it involves, causes or might cause:

• loss of people’s life, illness or injury;
• homelessness or damage to property;
• disruption of a supply of money, food, water, energy or fuel;
• disruption of a system of communication; or
• disruption of facilities for transport or services relating to health.

If the threats of serious damage to people’s welfare don’t involve any of these, the emergencies condition doesn’t apply. Likewise, if the type of event or situation that might threaten the environment is not listed in the CCA 2004, the emergencies condition doesn’t apply. The list includes:

• contamination of land, water or air with biological, chemical or radioactive matter; and
• disruption or destruction of plant or animal life.

An emergency situation where it’s necessary for you to use personal information is likely to be a large-scale event that threatens people’s lives. For example, extreme weather events, pandemics or cyber-attacks on infrastructure. However, a qualifying emergency can also be a smaller event that causes disruption. And in either case, it doesn’t have to be physical (eg it may take place online).

Is it appropriate to use recognised legitimate interest in every emergency situation?

No. Many organisations that need to use personal information in an emergency event or situation are likely to:

• be a public authority (public task is likely to be the appropriate lawful basis);
• have a legal obligation to use personal information for this purpose, which may include being legally required to share information with another organisation as part of an emergency response (legal obligation is likely to be the appropriate lawful basis); or
• be a competent authority handling personal information for law enforcement purposes (this is done under part 3 of the DPA, not the UK GDPR).

But if these circumstances don’t apply, you may be able to rely on this recognised legitimate interest condition if you need to handle people’s information for this purpose.

The emergencies condition only covers situations that are in scope of the CCA 2004. So it’s not appropriate to use in any other type of emergency, such as a customer falling seriously ill on your premises, a fire at your warehouse or a personal data breach at your head office. However, there are other lawful bases that you can use depending on the situation, such as vital interests, legal obligation and legitimate interests.

In some situations, the purpose of this condition might overlap with another recognised legitimate interest condition. For example, a threat of a terrorist attack might meet the threshold for classing it as an emergency and be covered by both this condition and the national security, public security and defence condition. (For more information, see the national security, public security and defence condition.)

If this happens, you should choose the condition that provides the best overall fit in the circumstances for your use of personal information. (For more information, see Can more than one recognised legitimate interest condition apply at the same time?.)

How do we apply the emergencies condition?

If you want to use the emergencies condition, you must:

• intend to use the personal information in an event or situation that counts as an emergency (see previous section); and
• be able to demonstrate what you want to do with the personal information is necessary for responding to the emergency.

You should be clear what location the emergency covers as you may find you only need to use personal information about people who are in that particular area.

Once you’ve identified the situation is an emergency, you must decide if using people’s personal information is necessary to respond to that emergency.

This doesn’t mean that it has to be absolutely essential for you to handle their information but you must ensure it is more than just useful. You should handle it in a targeted and proportionate way to responding to, and deal with, that emergency while the event or situation is ongoing.

We appreciate that emergency situations arise without warning and you may need to make decisions quickly. It is unlikely to be time-consuming or difficult to determine if it’s necessary or proportionate to use personal information in order to respond to an emergency. In most cases you’re able to go ahead and use the information for this purpose. You should include data protection in your advance contingency planning for emergencies to help avoid delay and uncertainty if you have to make these decisions.

For example, as part of your response to an emergency situation, you may need to share personal information about some of your customers with another organisation.

The emergencies condition means you can use personal information for the purposes it covers. But it doesn’t exempt you from complying with your duties under data protection law. You must still meet all your other obligations. (For more information, see What else do we need to consider?.) As part of your accountability duty, you should document the action you took and your reasons for doing so as soon as it’s practical, if you can’t do it at the time.

You must decide on a more suitable lawful basis for any continued handling of personal information:

• when the emergency period is over; or
• if dealing with the event becomes part of a long-term and more routine response (ie you’re no longer responding to the emergency situation). For example, legitimate interests may be appropriate in these circumstances.

As you will no longer be handling personal information for the purpose of responding to the emergency, you must comply with the purpose limitation principle. (For more information, see What happens if our purpose changes?.)