Transformation Directorate

This guidance has been reviewed by the Health and Care Information Governance Working Group, including the Information Commissioner's Office (ICO) and National Data Guardian (NDG).

Sharing information during major incidents and emergencies

This guidance provides advice for patients and service users, healthcare professionals and information governance (IG) professionals on sharing health and care information in emergency situations. It does not cover sharing staff information in an emergency.

In a large-scale emergency, sharing information is critical. It can help ensure:

  • fast and effective care for those in need
  • vulnerable people are protected
  • a coordinated response, for example between different emergency services.

Examples of emergencies may include:

  • public health emergencies
  • fires
  • flooding
  • natural disasters such as earthquakes or landslides
  • chemical incidents
  • biological or nuclear incidents
  • acts of terrorism


Guidance for patients and service users

In an emergency, your health and care information may be shared to:

  • provide you with care
  • help first responders coordinate care and rescue efforts. This could be police, fire or ambulance crews, for example
  • understand any specific needs you have, for example if you need help getting out of a building due to difficulty walking
  • prevent the spread of illness and protect others from harm

Who information is shared with

Information may need to be shared with those who are involved in the emergency response. Information about you could be shared with:

  • fire and rescue
  • ambulance crews
  • police
  • coastguards
  • local councils
  • health and care organisations such as hospitals

What information is shared

Only the information that is needed for the emergency response will be shared. This may include:

  • your name, age and contact details
  • information about where you are, such as your home or work address
  • contact details of your carer or your emergency contact
  • health and care information, for example:
    • about a disability to help you get out of a building
    • about an allergy to a medicine where this is needed to treat you
    • about an illness that emergency teams may need to be aware of

How is information shared

The way emergencies are managed depends on where you live. Some local areas have IT systems which they use to manage emergency responses. Information should always be kept secure. Only people with a clear need to see the information will be able to access it. This will usually be the people involved in dealing with the emergency response.

Your rights

It is unlikely you will be asked before your information is shared in an emergency. This is so you receive care as fast as possible and to protect you from serious harm.

Organisations should be clear how your information is used and shared during emergencies. You will usually find this information in a privacy notice.

You can also ask the organisations providing you with care for a copy of the information which was shared in an emergency.


Guidance for healthcare workers

In some emergency situations, such as floods, there will be established processes for sharing information about individuals who may be impacted between emergency response organisations. You may be asked to input into the planning of different emergency scenarios to help avoid having to make decisions under pressure.

In the event of an emergency, you should follow your organisation's established policies and processes for sharing information, ensuring that authorised individuals are involved in the decision making. In the absence of a process or policy, you may need to make decisions yourself.

Safeguarding the lives of individuals at risk of death or serious harm will be the main priority when responding to an emergency.

Who to seek help from

If possible, before sharing information you should consult your Caldicott Guardian, Data Protection Officer (DPO), a senior clinician or the most senior manager on call who can provide advice and authorise disclosures.

Where expertise is not available (for example, out of hours) and there is an imminent risk of serious harm due to the emergency, you should use your professional judgement and record your reasoning. The decision should be recorded even if you do not share information. (See the guidance for IG professionals below for further information.)

Sharing information for individual care

For individual care, for example when a paramedic shares information about an individual with a team in a hospital’s emergency department, you can do this in line with your usual practice.

Sharing information for purposes beyond individual care

When sharing information beyond the health and care team in an emergency, for example, to aid emergency services with evacuations, it is likely that the disclosure can be justified in the public interest. The General Medical Council (GMC) guidance Confidentiality: good practice in handling patient information explains that disclosures in the public interest may be justified to protect individuals or society from risks of serious harm.

You should consider the following points when deciding whether to share identifiable information based on public interest, and what to share:

  • your local policies and procedures: whether your organisation has processes for sharing information in an emergency. It is important to familiarise yourself with these and ensure you follow them.
  • sharing only necessary information: only information which is strictly necessary and not excessive should be shared. You should ensure that only information relevant to the emergency response is provided.
  • sharing accurate information: whether you are assured of the accuracy of the information you are providing. During an emergency inaccurate information can cause significant risk to individuals and first responders.
  • secure sharing: whether you have secure, approved channels to share information. This may include encrypted emails or designated emergency management systems.
  • access control: how you can make sure that your method of sharing allows only those who need the information to access it, and that you can remove that access when the emergency is over. This may include sharing information through encrypted devices so that data is adequately protected and not exposed to possible data breaches.

You should document details of the information you have shared and the decisions you have made so that there is a record of your actions and the urgent situation you responded to.


Guidance for IG professionals

Definitions

For the purpose of this guidance an emergency is defined in line with the Civil Contingencies Act 2004 as:

  • an event or situation which threatens serious damage to human welfare in the United Kingdom;
  • an event or situation which threatens serious damage to the environment of a place in the United Kingdom; or
  • war, or terrorism, which threatens serious damage to security of the United Kingdom.

This would include Major Incidents as defined in the NHS Emergency Preparedness Resilience and Response Framework, which are:

  • events or situations with a range of serious consequences that require special arrangements to be implemented by one or more emergency responder agency

Individual organisations have their own policies and procedures built into their plans to decide when something can be considered an emergency.

Emergency sharing

While a lawful basis is always needed for sharing information, it can be difficult to thoroughly consider all aspects of a disclosure in an emergency. To mitigate this, you should plan ahead to understand common emergency information sharing scenarios so that you can make decisions based on thresholds which have already been discussed by your internal teams.

The Information Commissioner’s Office (ICO) has produced guidance on data sharing in an urgent situation or in an emergency, which emphasises that the UK GDPR and the DPA 2018 do not prevent you from sharing personal data where it is appropriate to do so, and that in an emergency you should go ahead and share data as is necessary and proportionate.

Common law duty of confidentiality

If confidential patient information needs to be shared in response to an emergency, health and care organisations will need to consider how to satisfy the common law duty of confidentiality.

Where an individual’s information is being shared in an emergency to provide them with care, this can be done in line with usual practice.

Where an individual’s information is being shared for purposes outside of individual care, for example sharing with the fire service to protect people from serious harm, the common law basis for sharing the individual’s information is likely to be that the disclosure can be justified in the public interest. A public interest common law basis can be used where the benefits of sharing the information to protect the individual or society are greater than both the public and patient’s interest in keeping the information confidential, for example, to prevent serious harm or death. Decisions around making disclosures in the public interest should involve the Caldicott Guardian and Data Protection Officer.

For more detail and practical advice on assessing whether a disclosure can be justified in the public interest, see GMC’s guidance Confidentiality: good practice in handling patient information and GMC’s Confidentiality decision tool.

UK GDPR

When using health information, which is classed as a special category of personal data, health and care organisations will need to identify a lawful basis under both Article 6 and Article 9 of the UK GDPR. While the appropriate lawful basis will depend on the nature of the data sharing, the most likely lawful bases to apply in an emergency are:

  • Article 6(1)(e) public task; and
  • Article 9(2)(h) health and social care; or
  • Article 9(2)(i) public health; or
  • Article 9(2)(g) substantial public interest

Documenting information sharing

You must keep a record of what information you disclosed, your reasons, and any advice you received. You should ensure that you provide sufficient guidance to individuals involved in this process about how to document this information. This may be done through disclosure logs or on an individual's health record.

Establishing local policies and procedures

Each organisation should establish its own policies and procedures for information sharing in an emergency so that staff members understand their roles and responsibilities. These should set out as a minimum:

  • identifying emergency situations where information might need to be shared
  • identifying what information you may need to share in an emergency and who with
  • key contacts for approving information sharing including Caldicott Guardians, IG teams or senior individuals responsible for IG and security within the organisation
  • procedures for out of hours approvals when key decision makers are unavailable
  • relevant processes for staff to follow to establish the lawfulness of ad-hoc information sharing (in particular if relying on public interest to share)
  • the process for documenting information sharing including any assessments or reasoning (such as public interest tests)
  • approved methods of sharing securely including encrypted emails or approved systems, as applicable
  • any steps that staff may need to take to ensure that information to be shared is necessary and accurate, and that it is shared only with appropriate people

Transparency

Organisations should ensure that information about the use of data during an emergency is available to service users and patients. This information should be added to the organisation’s privacy notice.

Additionally, organisations may want to consider other measures such as providing guidance to healthcare professionals to guide conversations about sharing information during emergencies.

See the ICO Guidance on Transparency for further information on how to meet your transparency obligations.

Training and awareness

You should regularly train staff on emergency sharing procedures, emphasising confidentiality and public interest disclosures. Conducting simulation exercises can help to ensure that staff are prepared to implement protocols effectively and protect confidential data during real emergencies.

Secure communication

You should ensure that your organisation has communication channels in place for sharing information during an emergency, and that it has assessed those channels as being adequately secure for transferring health and care information.

Any sharing of information should ensure that only those who need to access information for a specific purpose can do so.

You may additionally need to consider plans for communicating if an emergency situation means that these systems become unavailable, for example, in the event of a power cut. Contingencies for this situation should be built into your policies, training and business continuity plans.

Data Sharing and Processing Agreements (DSPA)

It may be possible to plan for emergency sharing beforehand. For example, you may enter into an agreement with your local fire authority about how you will share information in the event of a major fire.

Where this is possible, organisations should look to establish data sharing and processing agreements (DSPA) with relevant parties to facilitate the safe sharing of information between them.

A DSPA will help you to establish and document roles and responsibilities for parties that are sending, receiving or using data.

You should ensure that the DSPA covers all instructions and requirements of the data sharing, such as the agreed use of the data and the agreed retention of the data, and any special requirements.

NHS England have produced template data sharing and processing agreements which can be used for this purpose.
