Skip to main content
Hafan

Emergencies condition

Contents

At a glance

  • You may be able to use this condition if: 
    • the event or situation meets the definition of an emergency as set out in the Civil Contingencies Act 2004 (CCA 2004); and 
    • your use of the personal information is necessary to respond to that emergency. 
  • These aren’t minor or trivial events. It covers situations that threaten serious damage to people’s welfare or to the environment, and serious threats of damage to UK security caused by war and terrorism.

In detail

What is the emergencies condition?

Sometimes you may find that you need to deal with an emergency event or situation. The UK GDPR enables you to use people’s information quickly, where needed, and doesn’t stop you from using that information in ways that are necessary and proportionate to respond to an emergency. Recognised legitimate interest gives you a lawful basis for this situation.

Annex 1 of the UK GDPR says:

“3. This condition is met where the processing is necessary for the purposes of responding to an emergency.

4. In paragraph 3, “emergency” has the same meaning as in Part 2 of the Civil Contingencies Act 2004.”

We call this the ‘emergencies condition’. You can use this condition if the event or situation you’re faced with meets the definition of an emergency as set out in the Civil Contingencies Act 2004 (CCA 2004). If the circumstances don’t meet this definition, you can’t rely on this recognised legitimate interest condition. You need to look at a different recognised legitimate interest condition (eg the situation may relate to national security or public security) or to another lawful basis.

The definition of an emergency in part 2 of the CCA 2004 covers a wide range of circumstances:

  • war and terrorism that threatens serious damage to the security of the UK; 
  • an event or situation that threatens serious damage to people’s welfare in the UK; and
  • an event or situation that threatens serious damage to the UK environment. 

In other words, it can’t be minor or trivial. It’s foreseeable the event will imminently cause significant or severe harm or destruction. 

The emergency, or the impact of the event, doesn’t have to cover the whole of the UK. It can be confined to a particular area. An event or situation abroad can also be a qualifying emergency, so long as it threatens serious damage in the UK. Given the global and inter-connected nature of many infrastructure systems, you may find you need use personal information to respond to an emergency event or situation outside the UK.

The CCA 2004 says an event or situation threatens serious damage to people’s welfare only if it involves, causes or might cause:

  • loss of people’s life, illness or injury;
  • homelessness or damage to property;
  • disruption of a supply of money, food, water, energy or fuel;
  • disruption of a system of communication; or
  • disruption of facilities for transport or services relating to health.

If the threats of serious damage to people’s welfare don’t involve any of these, the emergencies condition doesn’t apply. Likewise, if the type of event or situation that might threaten the environment is not listed in the CCA 2004, the emergencies condition doesn’t apply. The list includes: 

  • contamination of land, water or air with biological chemical or radioactive matter; and 
  • disruption or destruction of plant or animal life.

An emergency situation where it’s necessary for you to use personal information might be a large-scale event that threatens people’s lives. For example, extreme weather events, pandemics or cyber-attacks on infrastructure. However, it can also be a smaller event that causes disruption and in either case it doesn’t have to be a physical disaster. 

The emergencies condition doesn’t cover situations where you may need to handle personal information to help someone who is experiencing a personal emergency. However, this doesn’t mean you can’t use their personal information in that case. For example, depending on the circumstances you may be able to apply the vital interests lawful basis if what you want to do with the personal information is necessary to protect someone’s life.

Further reading – ICO guidance

How do we apply the emergencies condition?

If you want to use the emergencies condition, you must:

  • intend to use the personal information in an event or situation that counts as an emergency (see section above); and  
  • be able to demonstrate what you want to do with the personal information is necessary for responding to the emergency. 

You should be clear what location the emergency covers as you may find you only need to use personal information about people who are in that particular area. 

Example

An extreme weather event takes place in the south-west of England and threatens serious damage to people’s welfare. 

A company with offices across the UK decides it needs to share certain personal information about its employees with another organisation to respond to this emergency. 

It limits the scope of this information handling to employees based in its south-west England office because it notes it’s not necessary to process the personal information of people in its other UK operational areas.

Once you’ve identified the situation is an emergency, you must decide if using people’s personal information is necessary to respond to that emergency.

This doesn’t mean that it has to be absolutely essential for you to handle their information but you must ensure it is more than just useful. You should handle it in a targeted and proportionate way to responding to, and deal with, that emergency while the event or situation is ongoing.

We appreciate that emergency situations arise without warning and you may need to make decisions quickly. It is unlikely to be time-consuming or difficult to determine if it’s necessary or proportionate to use personal information in order to respond to an emergency. In most cases you are able to go ahead and use the information for this purpose. You should include data protection in your contingency planning for emergencies to help avoid delay and uncertainty if you have to make these decisions.

For example, as part of your response to an emergency situation, you may need to share personal information about some of your customers with another organisation. 

Example

A local community group has for many years offered a helping hands service where volunteers run errands for local people. 

At the start of a pandemic, those susceptible to infection are advised by government to minimise their contact with others. The area’s local council is leading the efforts to support residents who are shielding at home. 

As part of its response to the pandemic, the community group decides it needs to share the personal information of people who use their service with the local council. This is because it believes this will enable people who may not already be on the council’s list to quickly receive the emergency support they need from the council. 

The group relies on recognised legitimate interest and the emergencies condition as its basis to share the personal information that is necessary to do this with the local council.

The emergencies condition means you can use personal information for its purposes. But it doesn’t exempt you from complying with your duties under data protection law. You must still meet all your other obligations. (For more information, see What else do we need to consider?.)

You must decide on a more suitable lawful basis for any continued handling of personal information: 

  • when the emergency period is over; or 
  • if dealing with the event becomes part of a long-term and more routine response (ie you are no longer responding to the emergency situation). For example, legitimate interests may be appropriate in these circumstances. 

Further reading – ICO guidance

What if the emergencies condition isn’t the only recognised legitimate interest condition that applies?

There may be situations where both the condition for emergencies and the condition for national security, public security and defence might be relevant. For example, if the emergency relates to war or terrorism. 

The key difference is that the emergencies condition covers using personal information as part of a necessary response to the emergency. In other words, something is happening or has happened and you need to respond to that. 

However, the national security, public security and defence condition applies if you need to use personal information to protect or guard people or institutions from harm which may not relate to an imminent or currently occurring situation.

It is possible that different conditions might apply to different activities within the same event or situation. (For more information see Can more than one recognised legitimate interest condition apply at the same time?.)