Data Protection and Covid-19
We share data across the council to help safeguard people and to provide better services for our residents. The General Data Protection Regulations (‘GDPR’) and Data Protection Act (2018) allow us to share information for a wide variety of reasons, these are known as our ‘legal bases to process data’.
Data protection considerations should never be used as a ‘blocker’ to share information, especially in times of emergency which require more collaborative working.
The examples below show where personal data including ‘special category data’ (data relating to racial/ethnic origin, political opinions, sexuality and sexual life, medical information, religion, trade union membership and genetic/biometric data) can be shared and used in a way that is compliant with GDPR without requiring consent.
We always aim to share the minimum data necessary to achieve the purpose required.
Substantial Public Interest
Article 9 (2)(G) of the GDPR
We are able to share data, both internally and externally, if it satisfies the Data Protection Act’s definition of ‘substantial public interest’ (paragraphs 6-28, Schedule 1). There are 23 specific definitions and those most relevant in a Local Authority context include using data to:
- Fulfill an explicit statutory or government purpose
- Protect the public
- Satisfy external regulatory requirements (the Ombudsman, ICO, etc.)
- Better provide support for individuals with a particular disability or medical condition
- Safeguard children and individuals at risk, and
- Safeguard the economic well-being of certain individuals
If we are clear on why we need to share data, it should be fairly easy to know which condition best fits our purpose. If the reason we need to share data is not covered by one of these conditions, we may still be able to rely on more general legislative obligations to share data.
Statutory Obligation to Share Data
(Article 9 (2)(B)) of the GDPR
GDPR allows us to share data if it is necessary to comply with the obligations set out in law. Local Authorities are given many powers in different Acts of Parliament which can be used in the context of emergency data sharing.
The list below shows some common examples, but is not exhaustive:
- Care Act (2014), this allows councils to share data to promote individual well-being, prevent the individual need for care and to support and promote the integration of health and social care
- Children’s Act (1989), this allows councils to share data to safeguard and promote the wellbeing of children
- Homelessness Reduction Act (2017), this allows councils to share data as part of taking reasonable steps to help applicants secure accommodation
- Digital Economy Act (2017), this allows councils to disclose information to improve public service delivery or to help reduce debt owed to Redbridge Council, and
- Civil Contingencies Act, this allows councils to share data as part of complying with our duty to plan and prepare for, advise about, respond to and recover from emergencies.
Other Specific Legal Bases covered under GDPR
GDPR also sets out other legal bases for sharing ‘special category data’ which can be used in specific scenarios. These include:
- Sharing data is necessary for the provision of social care, the provision of health care or treatment or for the management of a health or social care system. This condition is only met if both sharing parties are ‘health and social care professionals’ using the data to provide direct care to the individual (Article 9 (2)(H) of GDPR)
- Sharing data in the public interest in the area of public health. There needs to be a wider public benefit to share the data, not just to us as a council or to the individual. Examples include responding to pandemics or public health monitoring/statistics (Article 9 (2)(I) of GDPR)
If the need to share data corresponds with one of the Article 9 conditions described above, it is likely that this sharing is justified and is serving a larger purpose in our response to an emergency.
For any questions regarding the above, please contact us at: firstname.lastname@example.org.