RichardTaylor
commented
5 years ago I think we actually agreed on the call that we wanted to add such a line, following previous discussion by email.
We should consider the law, which we consider allows us to make such disclosures. In this case it's
Section 6(1)(d) of the General Data Protection Regulation which provides a lawful basis for processing where:
“processing is necessary in order to protect the vital interests of the data subject or of another natural person”.
Recital 46 to the GDPR expands on this
The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis
Our current published policy position is that we will require a court order before releasing our users' personal information. We should perhaps reconsider the statements:
We do not share IP addresses with anyone else unless required to by law (for example in the course of a police investigation for which a court order has been received).
and
We will not disclose your email address to anyone else unless we are obliged to by law, or you ask us to.
We are aware police can obtain court orders very rapidly and we do insist on court orders when others' request our users' private personal data from us, however in light of experience running our service we have come to realise there may be cases when an administrator considers the right thing to do is to release information to, for example, the police, health or emergency services without such a court order with a view to saving life. We want to support administrators who take such decisions.
Options:
- Add a new section to https://www.whatdotheyknow.com/help/privacy titled something like: "Protection of Life" and say:
Individual administrators may decide to breach our policies and release information to, for example the emergency services, in the interests of the preservation of life. Such disclosures would be legal on the basis of Section 6(1)(d) of the General Data Protection Regulation which covers processing essential for the life of the data subject or that of another natural person.
- Amend the existing policies. (This raises the question of if we can or should take such a step without notifying users.)
Currently we state:
We will not disclose your email address to anyone else unless we are obliged to by law, or you ask us to.
That could be come:
We will not disclose your email address to anyone else unless we are obliged to by law, you ask us to, or we think disclosure is essential to protect your, or others', life.
Similarly:
We do not share IP addresses with anyone else unless required to by law (for example in the course of a police investigation for which a court order has been received).
could become
We do not share IP addresses with anyone else unless required to by law (for example in the course of a police investigation for which a court order has been received), or if we consider disclosure is essential to protect your, or others', life.
The Legal Basis for Processing section is already broadly written in that it refers to "in most cases.." but we could add a sentence at the end:
Circumstances may arise where we decide to disclose information in the interests of preserving life. The lawful basis for such disclosures would be section 6(1)(d) of the General Data Protection Regulation "vital interests".
This suggestion came from Richard on the September WDTK volunteers call.
Propose adding a line to the public privacy policy regarding ‘emergency’ releases in a life or death situation https://www.whatdotheyknow.com/help/privacy