Main navigation

Recovery Guidance - Generic Issues

Data protection and sharing

Background and Context

Data protection and data sharing have long been issues for the public and private sectors. In a number of emergencies, problems, either perceived or real, surrounding interpretation of Data Sharing and related Human Rights legislation have prevented public bodies from carrying out their duties effectively. The Indian Ocean Tsunami, the Bichard Inquiry (into the Soham murders) and the Victoria Climbie Inquiry all identified areas of uncertainty in the interpretation and application of data protection and sharing rights and responsibilities.

Most recently, as part of the government’s lessons identified programme following the 7 July 2005 London bombings, it was found that limitations on the sharing of data between a number of Category 1 and 2 responders hampered the connection of survivors to appropriate support services. Subsequent investigation found that many of these limitations were self-imposed and resulted from incorrect application of duties perceived to be imposed on public organisations by the Data Protection Act and other legislation.

Data sharing within and between the public and private sectors, and between Category 1 and 2 responders, cuts across a range of scenarios and responsibilities – the duty to properly risk assess at local and regional levels; to construct effective and realistic emergency plans; during the response to an emergency; and to recovering from and managing the consequences of emergencies.

Policy and Guidance

England

The range of guidance available, reflect that this is an issue that cuts across all workstreams and the public/private sectors at national and local levels. Guidance touches on many roles and responsibilities, from legal powers of local authorities, to the detailed restrictions on the sharing of medical histories, through to the sharing of utilities data to aid in risk assessment.

• Data Protection and Sharing – Guidance for Emergency Planners and Responders [PDF]
• Government’s Vision for Information Sharing [External website]
• The DCA Toolkit for Data Sharing and Data Sharing Library [External website]
• Information Commissioners' Office (ICO) [External website]

Patient Confidentiality and Access to Health Records

There are significant differences between sharing certain types of personal data (name and address for example) and sensitive personal data (health details for example), and both the Cabinet Office guidance on data sharing in emergencies and DH guidance[External website] make this clear.

Recent experience has clearly indicated that compiled and refreshed guidance is needed. Both the Information Commissioner’s Office (ICO) and the Ministry of Justice are developing complementary guidance on data sharing and protection issues that takes account of experience, case history, and balancing the needs of the general public and public and private organisations.

Devolved Administrations

Data sharing is a pan-UK issue. The Data Protection Act itself applies to the entire UK. The Civil Contingencies Act covers the UK, but with differences in the responsibilities placed on devolved administrations. However, the underlying principles of a pragmatic, sensible and balanced approach to data protection and sharing are universal.

Roles and Responsibilities

Local and Regional

Category 1 and 2 responders have a duty under the Civil Contingencies Act 2004 to share information to aid resilience planning, response and recovery. This obviously necessitates an understanding of the relevant legislation and the responsibilities of those requesting and those providing information. Both public and private sector organisations are bound by the Data Protection Act and related legislation.

Lead Government Department

In relation to enhancing resilience capabilities, data sharing comes in two parts – pre-emergency, mainly for planning purposes, and post-emergency, mainly for providing support services. The Lead Government Department indicated below can offer advice where relevant, but in an emergency, responders should be prepared to make a decision without formal advice.

The Lead Government Department for the Data Protection Act and the Human Rights Act is the Ministry of Justice.

The Information Commissioner’s Office is the independent authority set up to promote access to official information and to protect personal information. The remit of the Information Commissioner includes the Data Protection Act and the Freedom of Information Act amongst others. Whilst their main role is to protect and promote the public’s interests, the ICO can offer a view on specific cases.

Other Government Involvement

Cabinet Office (in the form of the Civil Contingencies Secretariat - CCS) co-ordinated the publication of Data Protection and Sharing – Guidance for Emergency Planners and Responders [PDF], and are owners of the lesson identified from the 7 July London attacks. Information relating to the Civil Contingencies Act and information sharing can be found on the UK Resilience website .

Links to Other Topic Sheets

• Recovery structures and processes
• Recovery evaluation and lessons identified processes

Case Studies (Incidents and Exercises)

• Buncefield: 11 December 2005
• Carlisle flooding: 8 January 2005
• Indian Ocean Tsunami, 26 December 2004

List of Contacts

• The Ministry of Justice[External website] helpline to answer urgent queries on the Data Protection and Human Rights Acts is 020 7210 8034 or www.dca.gov.uk/ccpd/lcdcontacts.htm[External website]
• Information Commissioner’s Office [External website] for online enquiries
  Helpline 01625 545745
• Civil Contingencies Secretariat, via the UK Resilience website