Are we allowed more room to manoeuvre when handling personal data during an incident than during day-to-day operations? The legislation clearly states that no, you are not! We are not released from our obligations under data protection regulations, even when hit by something unexpected. Nevertheless, few businesses have the necessary processes in place to protect sensitive information in an emergency.
I choose to believe it's because we fail to prepare, not because we intentionally neglect to take care of people's personal information. In this blog post, I will show you how to prepare ahead of an incident so that you don't have to worry about it during or after the response.
What is data protection?
Data protection is about the right to a private life and the right to decide how our personal information is used. Every piece of data that can be linked to a specific individual is defined as personal data and must be treated accordingly. Any storing, using and sharing must be compliant with the law.
When sharing sensitive information, we must be precise and careful. Even sharing something with the police requires a legal basis. This applies universally, regardless of whether the information is electronic or in hard copy.
Structure is the heart of data protection
It's important to develop internal processes for collecting and handling personal information before an incident occurs. In practical terms, it could be a table which includes the nature of the data and the provisions for processing it. Here is an example:
Make sure the information you categorise is specific and useful. Precise and complete records are essential. It can be challenging to document the intention behind your work in retrospect, so make sure you keep continuous notes.
The most important thing is not where you keep the information but that you store it safely.
The two commandments for handling private data
I have two commandments for work involving data protection.
- Privacy is a management responsibility
  The organisation must comply with laws and regulations. That's a management responsibility.
- Implement data protection policies in existing management systems
  Many organisations work in silos, especially when it comes to handling the law. But data protection depends on interaction and teamwork between roles.

Beyond these two commandments, keep the following in mind:

- If you use a data processor, you need a data processing agreement.
- Determine which information must be logged.
- Everyone has the right to view all the personal information you hold about them. Your organisation must be prepared to deliver this upon request.
What happens after the crisis?
As a rule, you should inform people before collecting their personal information. If you get into a situation where this isn't possible, you must have processes in place to ensure that it is done as soon as is practical.
Personal data should be deleted when there is no longer use for it. You should also create a process for reviewing information after it has been registered. It is very likely that you’ll make errors during a chaotic situation and these must be corrected.
In broad terms, there is nothing wrong with sharing information. In fact, it is the only way we can achieve situational awareness. However, we must always review our process for storing and sharing personal data during a response.