GDPR Compliance: Navigating Personal Data Protection in Emergency Communication Systems

Navigating Personal Data Protection in Emergency Communication Systems

 

Background

The effective use of emergency communication systems can be a matter of life and death. We, as system owners and our users often need to process personal data to function effectively, making it crucial to navigate the nuances of data protection regulations such as the General Data Protection Regulation (GDPR).

Doing this before you hit a critical situation will take one less source of pressure from your burden.

The GDPR not only ensures the protection of personal data but also stipulates how such data should be handled in various scenarios, including emergencies. In this context, understanding the intersection of GDPR and emergency communication systems becomes pivotal to ensure both regulatory compliance and efficient, respectful communication.

In the following article, we’ll delve into the specifics of GDPR compliance for emergency communication systems, focusing on areas like legitimate interest, data minimisation, transparency, and the handling of special category data.

Legitimate Interest and Emergency Communications

Firstly, allow me to take you on a journey into “legitimate interest“. This is a concept defined under Article 6(f) of GDPR which outlines conditions under which personal data can be lawfully processed.

In the context of emergency communications, it’s often considered that there’s a legitimate interest to communicate certain information. Emergencies can range from natural disasters to health crises or safety threats, where the primary objective is to protect life, health, or property.

Your communications will probably involve sending out notifications or alerts, or mobilising resources, which could require the processing of personal data like names, phone numbers, email addresses, and sometimes even more sensitive data like location or in rare cases, health information.

However, even in such scenarios, the principle of necessity and proportionality comes into play. The data processing should only be as extensive as absolutely needed for the communication, and should only target the individuals who need to be reached.

For example, if you need to alert your employees about a sudden office closure due to a weather emergency, it would likely be seen as a legitimate interest to use employees’ contact details to send out the necessary notifications. The interests or rights of the employees (the data subjects in this case) are unlikely to override the organisation’s interest in ensuring their safety and communicating the office closure.

Data Minimisation – Keeping it simple

The principle of “data minimisation,” outlined in Article 5(1)(c) of GDPR, insists that personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. This means you should only gather the bare minimum data that you need. For instance, if your emergency communication just needs a person’s name and email address, there is no need to also gather their home address, date of birth, etc.

The UK’s Information Commissioner’s Office (ICO) also suggests conducting a “Legitimate Interests Assessment (LIA)” (see below) before relying on legitimate interests as a basis for processing. This involves identifying the legitimate interest, showing that the processing is necessary to achieve it, and balancing it against the individual’s interests, rights, and freedoms. The LIA should be kept on record.

Other areas of GDPR impacting Emergency Communication Apps

In addition to the “legitimate interest”, Article 7 of GDPR puts forth the principle of “consent“. It says that consent should be freely given, specific, informed, and unambiguous. So, even in emergencies, it’s good practice to acquire explicit and informed consent when possible. Consent cannot be inferred from silence, pre-ticked boxes, or inactivity.

GDPR puts a high emphasis on “transparency” under Article 5(1)(a). This principle implies that any information and communication relating to the processing of personal data should be easily accessible, easy to understand, and clearly defined. Make sure to inform individuals about why you are processing their data, who it will be shared with, where it will be stored, and how long it will be kept.

Under Article 32, we are mandated that “security” measures be put in place to ensure the integrity and confidentiality of personal data. This could include as a minimum encryption of personal data, ensuring ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident, and a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Data Accuracy” is emphasized in Article 5(1)(d) of GDPR. It’s crucial to take every reasonable step to ensure that personal data that are inaccurate, considering the purposes for which they are processed, are erased or rectified without delay. Inaccurate information can lead to confusion and inefficiencies in emergency communications.

Accountability is another key principle of GDPR, outlined in Article 5(2). It requires you and your provider to demonstrate that you comply with the principles and states explicitly that this is your responsibility. Hence, maintain appropriate measures and records to be able to demonstrate your compliance.

Finally, if you, or your emergency communications provider’s solution involves transferring your data outside the EU, you need to ensure compliance with Articles 44 to 50 of GDPR which govern the “transfer of personal data to third countries or international organisations”. These articles mandate that the recipient country provides an adequate level of data protection or that appropriate safeguards are in place. You need to know where your data is, has been and could be located.

Remember, this is a complex area, and the specific details of the emergency situation and the personal data being processed can significantly influence whether “legitimate interest” can be appropriately invoked.

As always, if you’re in any doubt, it’s best to seek legal counsel.

Do I need a Legitimate Interests Assessment?

A Legitimate Interests Assessment (LIA) is a risk assessment that you might carry out when  planning to process personal data on the basis of ‘legitimate interests’, which is one of the legal grounds for data processing under Article 6(1)(f) of the General Data Protection Regulation (GDPR).

Considering an LIA is important because it helps you systematically analyse, record, and demonstrate that your processing activities are justified and compliant with GDPR requirements.

An LIA typically consists of three parts:

Purpose test

You need to identify a legitimate interest for the data processing. This could be either your interest or a third party’s interest. The interest could include commercial interests, individual interests, or broader benefits defined by you or your organisation.

Necessity test

You need to demonstrate that the data processing is necessary to achieve the identified purpose. This doesn’t mean that it has to be absolutely essential, but you need to show that there isn’t another reasonable and less intrusive way to achieve the same result.  Given we are in the realms of Emergency Communications this is possibly the easy part.

Balancing test

You must balance your interests against the individual’s interests, rights, and freedoms. In doing so, you have to take into account the nature of the data, the possible impact of the processing, and the safeguards you have put in place. If the individual could reasonably expect the processing, and if it has a minimal impact on their privacy, it’s likely that your interests will take precedence. Conversely, if the processing would significantly impact the individual and they wouldn’t reasonably expect it, their interests may override yours.

You should keep a record of your LIAs to help demonstrate compliance in line with the GDPR’s accountability principle. Regular reviews of your LIAs should also be performed to ensure they remain accurate and valid, especially if there is a significant change in the purpose, nature, or context of the processing.

Special Category Data and Emergency Communications

The General Data Protection Regulation (GDPR) covers all personal data processed by an organisation. According to Article 4(1) of the GDPR, personal data means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Under the General Data Protection Regulation (GDPR), special category data is more sensitive, and therefore needs more protection. This type of data could create more significant risks to a person’s fundamental rights and freedoms. That is, for example, if it is used to unlawfully discriminate.

You should really try to steer clear of collecting and processing special category data for Emergency Communications – it adds to your responsibilities and those of any solution provider you use as data processor.

Special Category Data to handle with extra care

Racial or ethnic origin

This includes data which pertains to an individual’s race or ethnic heritage.

Political opinions

Information regarding an individual’s political beliefs or affiliations falls under this category.

Religious or philosophical beliefs

This includes information about an individual’s religious beliefs, including the absence of belief, or their philosophical beliefs.

Trade union membership

Data about whether an individual is a member of a trade union is included in this category.

Genetic data

This is defined by the GDPR as “personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question.”

Biometric data (for the purpose of uniquely identifying a natural person)

This includes physical or behavioral characteristics of a person, such as fingerprints, face or iris images, and voice data.

Data concerning health

Any information related to the physical or mental health of an individual, including the provision of health care services, which reveal information about his or her health status.

Data concerning a natural person’s sex life or sexual orientation

This includes any data about the individual’s sex life or sexual orientation.

Processing of these special category data items is prohibited, with certain exceptions outlined in Article 9(2) of the GDPR, like explicit consent of the data subject, processing is necessary for employment law, protection of vital interests where the data subject is physically or legally incapable of giving consent, among others.

How to avoid the need for special category data in Emergency Communications

As a solutions provider, we allow many freedoms to our users to collect additional information beyond the basic name, job title, department, mobile number and email address. 

We have recently opened up a number of fields for custom data.  Intended to allow for more granular filtering like Office Location, Recovery site, Can work from home, Travels by rail/car/bus, Night worker (so as not to disturb for daytime incidents).

We actively discourage collection of special category data and work with teams to think about more inclusive messaging to avoid the special category filters – message costs are much cheaper than a fine under GDPR.  If for example you want to alert specific individuals to the fact that the disabled access to the building is unavailable, tell everyone who works in the building – someone might have a guest visiting who would be impacted with restricted access for example.  Problems with gender specific facilities in a building might as well be notified to the whole workforce rather than collecting Identifies As information and trying to be selective.

There are always ways to get your message to the right people without risking falling foul of GDPR special category data categories and causing distress and upset through exclusion, segregation or discrimination.

Summary

In completing this short visit into the complex intersection of GDPR and emergency communication systems, it’s clear that maintaining regulatory compliance while ensuring effective communication during emergencies is a nuanced task.

Navigating legitimate interest, consent, data minimisation, and transparency are pivotal for GDPR compliance. Furthermore, the management of special category data requires additional attention due to the sensitive nature of such information.

Even in urgent situations, maintaining the balance between necessary communication and personal data protection is of utmost importance. However, with careful planning, transparent communication, and a thorough understanding of GDPR regulations, organisations can provide efficient emergency communications while respecting data privacy.

As always, consulting legal or data protection experts is highly recommended for comprehensive, situation-specific guidance.

 

For more information on how we can help you with your Emergency Communication and Business Continuity Information distribution contact us any time for a chat or to arrange a free trial.

Tell me more

 

Useful Links

GDPR Summary and Guidance

Special Category Data

Contact Us

 

 

 

 

 

 

Related Articles

The best way to prepare staff for Emergency SMS Broadcast tests

The best way to prepare staff for Emergency SMS Broadcast tests
Emergency voice communication systems essentials

Emergency voice communication systems essentials
12 Essential components of your business continuity plan

12 Essential components of your business continuity plan
Why having your Business Continuity Plans in our mobile app is a game changer

Why having your Business Continuity Plans in our mobile app is a game changer
7 Key benefits of SMS Broadcasts for Emergency Communications

7 Key benefits of SMS Broadcasts for Emergency Communications
Top 20 reasons why Business Continuity tabletop exercises are a great idea

Top 20 reasons why Business Continuity tabletop exercises are a great idea



Lets start a conversation
Interested? Contact us to discover the power of our solution and find out why so many organisations trust us to deliver the right information to their staff in a crisis.

Arrange a free, secure, no obligation trial of the full solution to feel the power of our app in your hands.


The Calling Tree Solution

Manage users, documents, broadcast messages, call trees and maps from your private admin console
Macbook

Business Continuity in hand

Our mobile app gives your staff the information they need in times of crisis, on their phone, to hand and up to date.
Copyright © All Rights Reserved by The Calling Tree Company Limited.
Registered in England 08075830 - 16 Fern Close, Camberley. GU16 9QU
    • -->