Best Practice Update

Emergency contact information sheet with a yellow pencil above it, Data protection education logo on the sheet

Emergency contacts and consent

Do I need consent for emergency contacts?

Actually no, and here's why.

We know that we must have a lawful basis for processing any data, and consent is one of the six lawful bases that can be used.

Another is necessary for a task in the public interest - and as schools, you are required in statute to look after the welfare of children in your care.

But lawful basis is only part of the story when information isn't collected from the data subject - and in most cases emergency contacts are provided by parents and carers. 

The GDPR tells you what your obligations are when data is not collected from the data subject in Article 14 - it tells you what you must tell them and when. This is the usual requirements of the transparency principle - who is the data controller, what information you have, why you have it, how you keep, how long for, who it is shared with, their rights...and the contact details for the data protection officer.

In this circumstance, we are using the information for communications. And Article 14, Paragraph 3c states:

"...if the personal data are to be used for communication with the data subject, [the controller shall provide the data subject with the information] at the latest at the time of the first communication to that data subject".

However (paragraph 5b) also says that paragraphs 1-4 (the rules on what should be provided) shall not apply:

"...in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing".

So in an emergency, you can avoid the communication of all the information about the processing because it's an emergency and spending five minutes going through your privacy notice would impair the achievement of communicating the emergency.

It doesn't remove the obligation entirely - the description of emergency contacts and processing should be covered in your privacy notice as well as an emergency contact procedure.

And needless to say - if you hold emergency contacts, the data should be kept securely and only be used for that purpose.

So why don't we use consent? Because as always, consent can be withdrawn. You have an emergency contact and call them and they say "I no longer want you to call me, please remove my details" and hang up. That is a withdrawal of consent and a request to delete their data and you shouldn't process their data (i.e. call them) any more. I know that's an unlikely occurrence, and what's more, I would argue that in a life and death emergency their rights would be outweighed by the immediate need and rights of the data subject at the heart of the emergency, but it's an unnecessary administrative step to collect permission.

 

Search