Sharing information is at the heart of emergency planning, underpinning all forms of cooperation. It may involve simple liaison between public and/or private bodies - keeping each other up to date on their current arrangements and future plans. It may also involve direct contacts, formal and informal, between responders seeking knowledge of hazards, risk assessments or other planning arrangements. It can and does have a direct impact on members of the community, ensuring that they are put in touch with and contacted by the organisations and public bodies that can help them through traumatic events.
Events over recent years have raised awareness of information and data sharing amongst a variety of stakeholders, and have prompted further thought and queries on wider issues outside the immediate emergency planning, response and recovery phases. The issues touch on a variety of types of sharing: personal data; emergency plans; commercial or sensitive data, and all for a variety of planning, response and recovery purposes.
"Information sharing" here generally refers to any information that is non-personal. This includes plans, schematics, commercial or business data amongst others.
"Data sharing" here generally refers to information that can be used to identify a living individual, and usually comes under the remit of the Data Protection Act 1998.
Category 1 and 2 responders, along with other public, private sector and voluntary organisations, have a range of emergency and business continuity plans. They also have information that, while not specifically part of their standing plans, may be of use to other partner organisations in their own emergency preparedness work. Within government there is a presumption in favour of disclosure of information. There are statutory requirements, such as those within the Freedom of Information Act (FOIA) and the Environmental Impact Regulations (EIR), which give any person the right to ask for and be given any information which is held by a public authority. There are also good commercial reasons why organisations may wish to release information about their business. The Civil Contingencies Act (CCA) 2004 also places a statutory duty on Category 1 and 2 responders to share information with other categorised responders. The statutory guidance on the CCA 2004, Emergency Preparedness, also encourages information sharing between the wider emergency planning and response community.
While the initial presumption is that all information should be shared, there are certain controls on doing so. Some information should clearly be controlled if its release would be counter-productive or damaging in some other way. There are various types of information which may be suitable for some audiences, but not others. The information spectrum runs from limited-access information (even within organisations) through to information intended to be absorbed and understood by the public. Access can be and is limited in a range of ways including physical access, restrictive markings, circulation lists, the 'need to know' principle and targeting particular audiences. Any information that is shared can be restricted in its use by the giving organisation.
Under the CC Act, Category 1 and 2 responders have a duty to share information with other Category 1 and 2 responders. This is fundamental to their ability to fulfil the range of other civil protection duties under the act, including emergency planning, risk assessment and business continuity management. The statutory guidance on the CC Act also encourages information sharing between responders. In most instances, information will pass freely between Category 1 and 2 responders, as part of a more general process of dialogue and co-operation. But there are still some instances in which the supply of information will be more controlled, and hence a formal request for information may be appropriate. It should be noted that the Civil Contingencies Act 2004 does not contradict the Data Protection Act 1998.
Not all information can be shared, and the Civil Contingencies Act allows exceptions from the supply of some types of information if it is sensitive. There are broadly four kinds of sensitive information: information prejudicial to national security; information prejudicial to public safety; commercially sensitive information; and personal information (under the Data Protection Act). Of course, there are different degrees of sensitive information. The guidance to accompany the Act, Emergency Preparedness, clearly states that some sensitive information may be suitable for some audiences but not others. The Act also offers safeguards that make clear that sensitive information can still be shared between Category 1 and 2 responders for emergency planning purposes – the organisation providing the information can specify that the information may only be used for the purpose for which it was requested.
There are other pieces of legislation which affect the use of information that responders should also be aware of, such as the Data Protection Act, the Freedom of Information Act (FoI) 2000, and the Environmental Information Regulations (EIR) 2004. No one has an unqualified right to obtain information under either the FoI Act or EIR. There are limitations on releasing information under FoI legislation known as 'exemptions'. These are detailed at the Ministry of Justice website. Likewise, there are similar limitations on the release of information under the EIR. Exemptions under EIR can be found at the Defra website. Further details on both of these can be found via the links under the next heading.
As explained above, information sharing primarily relates to information that is not personal. The focus of the Data Protection Act 1998 is on personal data. The Act offers definitions of two types of data: personal data and sensitive personal data.
Personal data is defined as data relating to a living individual who can be identified from the data or from those data and other information which is in the possession of (or is likely to come into the possession of) the data controller. Sensitive personal data is defined as data relating to a person’s ethnic origins, political opinions, religious beliefs, trade union membership, health, sexual life and criminal history. Full definitions of both can be found in the Data Protection Act 1998. The Cabinet Office published "Data Protection and Sharing – Guidance for Emergency Planners and Responders" which explains clearly and in an understandable way how the DP Act impacts on emergency preparedness and response. Again, it should be noted that the Data Protection Act 1998 does not contradict the Civil Contingencies Act 2004.
A number of enabling conditions must be met by organisations who wish to share data about any living individual, if the information could be used to identify that individual. Explanations of the conditions that are required can be found in both the Data Protection Act 1998 legislation and the Cabinet Office guidance noted above.
Briefly, the conditions that must be met include the following;
The Data Protection Act 1998 provides the framework within which personal data sharing should always take place, whether in emergency situations or "peacetime" normal business. The important precursors to sharing data rest with the "Data Protection Principles". Chapter 2 of the Cabinet Office guidance describes these principles, and, once understood, this framework is transparent and relatively straightforward to apply. Chapter 3 of the Cabinet Office guidance explains that legal power for Category 1 and 2 responders to share data is found under the Civil Contingencies Act. The chapter then goes on to explain how the Civil Contingencies Act interacts with the Data Protection Act.
There are other pieces of legislation and law that affect the ability to share data. These include the Human Rights Act 1998 and the common law duty of confidentiality. Further information on both is signposted below.
If you have any queries on the application or interpretation of either the Civil Contingencies Act or the Data Protection Act in an emergency planning, response and recovery context that are not answered by the guidance signposted here, please let us know.
You may also wish to refer to: