The Information Commissioner’s new blog post explains how Data Protection law should be seen as a guide to when and how to share information in emergencies, not an obstacle to such sharing. In health emergencies three provisions are most likely to be relevant:
Explicit Consent (GDPR Art.9(2)(a)): where an individual chooses to disclose information, such as a health condition or disability, their university or college can discuss the different ways that information could be used or shared, and let the individual choose which of them should be done or allowed.
Vital Interests (GDPR Art.9(2)(c)): where there is an imminent threat to life or of serious injury and the individual (for example because they are unconscious) cannot give explicit, informed consent.
Employment and other laws (GDPR Art.9(2)(b)): allow states to legislate to either allow or require sharing of health and other sensitive data. Recital 52 gives “prevention or control of communicable diseases” as an example of such legislation; Recital 53 “monitoring and alerting purposes”. Such laws must provide “appropriate safeguards for the fundamental rights and interests of [individuals]”. Schedule 1 Part 1 of the UK Data Protection Act 2018 provides a general framework; further details may be contained in emergency legislation.
The Information Commissioner’s Data Sharing Code of Practice includes a section on Data Sharing in an Urgent Situation or in an Emergency. This stresses that organisations should try to anticipate and plan for such emergencies, but that when an unforeseen or unplanned emergency occurs, “it might be more harmful not to share data than to [proportionately] share it”.