Earlier this month - as students from all over the country and beyond prepared to head off to universities and colleges around the UK - the UK Information Commissioner (ICO) published a blog entitled “Sharing personal data in an emergency – a guide for universities and colleges”.

The blog notes that universities and colleges work hard to support students who are finding university life difficult and that this often involves processing certain sensitive personal information about them.  Further education institutions have at times proved reluctant to share the personal data of students in emergency situations, on the basis of concerns around data protection law. However, the blog confirms that data protection concerns should not prevent the sharing of students’ personal data in these circumstances.

The blog stresses that employees of further education institutions should take whatever steps are necessary and proportionate to protect someone’s life, observing that data protection law allows controllers to share personal data in emergencies or other urgent situations, including to help them prevent loss of life or serious physical, emotional or mental harm. 

The ICO’s data sharing code of practice defines emergencies as including:

  1. Preventing serious physical harm to a person
  2. Preventing loss of human life
  3. Protection of public health
  4. Safeguarding vulnerable adults or children
  5. Responding to an emergency
  6. An immediate need to protect national security

The blog stresses that the ICO will not look to punish controllers for acting in good faith and in the public interest in urgent or emergency situations.

The blog sets out some practical measures that colleges and universities can implement in order to feel more comfortable about sharing students’ personal data lawfully.  A first suggested step includes putting in place an emergency plan that takes into account that data sharing can help avoid delays in a crisis, with the blog recommending that relevant institutions carry out data protection impact assessments in this regard.

The blog also suggests that universities and colleges enter into appropriate data sharing agreements with third parties with whom students’ personal data is shared more regularly, such as health and wellbeing organisations. 

Staff training around use of personal data in emergency situations is also recommended, as is accessing and using the ICO’s data sharing code of practice and the tools included in the ICO’s data sharing information hub.

Notwithstanding the fact that student confidentiality is clearly an important issue, the blog and the guidance included within it hopefully will provide welcome clarification for both higher education institutions and students and their families and friends alike and help to enhance, in particular, safeguarding measures around students’ physical and mental wellbeing.