The first question to address when designing a CIS-related database is whether personal information will be exchanged between the different agencies. If so, the CIS, its host and its users will need to comply with the regulatory framework that protects the use of personal data. Within the EU, the processing of personal data is governed from 25 May 2018 by the pan-European General Data Protection Regulation (GDPR). To implement the requirements of this legislation, all of the actors involved in the CIS architecture should map out the different data flows and define the roles and responsibilities of the actors that send, receive and act on this data.
What personal data is used to identify user needs (velocity, GPS tracks, application history)? What are the implications of gathering and sharing such data?
When do I process personal data? What if we use pseudonyms?
Who can access the data?
How long can the data be stored?
The GDPR applies throughout all EU member states whenever anyone is "processing" any kind of personal data.
The legal concept of "processing" is very broad: it refers to any operation performed on personal data, including collection, storage, alteration, consultation, transmission and erasure. From the moment an actor comes across even a single instance of personal data, that actor is processing it.
Personal data is any information relating to an identified or identifiable natural person, that is, information that allows the individual to be singled out. Pseudonymised data still qualifies as personal data, even though it does not directly reveal the civil identity of the person concerned. Examples of personal data are an identification number, location data, IP addresses, a name, or any factor specific to the physical, mental, economic or social identity of a person. Only anonymised information escapes the scope of the GDPR. Whether anonymisation is technically feasible at all remains legally contested, particularly where data are aggregated, so individual acts of anonymisation are not sufficient on their own to protect personal data in a CIS.
A first general principle that applies to the processing of personal data is lawfulness. This means that you need to invoke a specific legal basis to legitimise the processing of personal data. Consent is the most well-known example of a legal processing ground. This principle will be further elaborated in the guidance on Exceptions and lawful processing.
A second general principle that should be taken into account is purpose limitation: data may only be processed for the specific purposes for which they were collected. Data collected for one purpose cannot be reused for another, incompatible purpose. Consequently, only the persons who need access to the data for the specified purposes should be able to access it. A concrete consequence of the purpose limitation principle is the need for role-based access controls.
A third important principle is data minimisation, which means that the use of personal data must always be limited to what is strictly necessary for the purposes pursued. This principle excludes any excessive gathering of information. Together with the closely related storage limitation principle, it also implies that data may only be stored for as long as necessary to complete the set tasks.
While member states may specify additional rules on sensitive data at the national level, a number of so-called 'special categories' of personal data are subject to a stricter regime under the GDPR because of their very sensitive nature. In this context it is important to note that, for example, information relating to health, biometric data and information that reveals racial or ethnic origin qualify as sensitive data. When first responder agencies exchange health information about a victim through a CIS, they should be aware that the sensitive nature of this information may require additional precautionary measures.
Data minimisation & retention policies: When the CIS architecture has a centralised set-up, meaning that information transmitted to another agent passes through a central server, all of the information stored on this server should be deleted once the disaster situation is over.
Purpose limitation: Implementing role-based access controls is indispensable for complying with the purpose limitation principle. In this way actors can only access personal data for the specific purpose that is closely related to their role.
Purpose limitation: An example of this approach can be seen in the following scenario: a user of the CIS runs a search to find details of how emergency services dealt with the aftermath of a chemical leak. The aim of the search is to determine the extent of respiratory problems caused by the leak. The search shows information about all injuries sustained in the event. Only the records relating to respiratory injuries should be kept; all other information not relevant to the search should be discarded.
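The three recommendations above (deletion from the central server once the incident is closed, role-based access bound to a purpose, and returning only the rows and fields a purpose needs) can be combined in one access layer. The following is an added example written for this page, not code from the original page or from any real CIS; the roles, purposes, field names and the chemical-leak records are assumptions constructed for illustration. It binds every query to a purpose, checks that the caller's role may pursue that purpose, filters rows and fields to what that purpose requires, logs the decision, and purges an incident's records once it is closed.

```python
# Added example (not from the original page): purpose-bound RBAC, field-level
# minimisation and post-incident purging for a centralised CIS store.
# Roles, purposes, field names and sample records are assumptions for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Which purposes each role may pursue (assumed roles).
ROLE_PURPOSES: dict[str, set[str]] = {
    "medical_triage": {"victim_care", "respiratory_assessment"},
    "public_health_analyst": {"respiratory_assessment"},
    "logistics": {"resource_planning"},
}

# Which fields are strictly necessary for each purpose (data minimisation).
PURPOSE_FIELDS: dict[str, set[str]] = {
    "victim_care": {"victim_id", "name", "injury_type", "severity", "location"},
    "respiratory_assessment": {"victim_id", "injury_type", "severity"},
    "resource_planning": {"location", "injury_type"},
}

# Row-level filters: a purpose only sees the records it needs (purpose limitation).
PURPOSE_ROW_FILTER: dict[str, Callable[[dict], bool]] = {
    "respiratory_assessment": lambda r: r["injury_type"] == "respiratory",
}


@dataclass
class Incident:
    incident_id: str
    closed_at: Optional[datetime] = None
    records: list[dict] = field(default_factory=list)


class CentralStore:
    """Central server of a centralised CIS: every query is bound to a purpose."""

    def __init__(self, retention_after_close: timedelta = timedelta(0)):
        # Default: records are deleted as soon as the incident is closed.
        self.retention_after_close = retention_after_close
        self.incidents: dict[str, Incident] = {}
        # Accountability: (role, purpose, incident_id, outcome) for every decision.
        self.audit: list[tuple[str, str, str, str]] = []

    def add_record(self, incident_id: str, record: dict) -> None:
        self.incidents.setdefault(incident_id, Incident(incident_id)).records.append(record)

    def query(self, role: str, purpose: str, incident_id: str) -> list[dict]:
        # 1. The role must be allowed to pursue the stated purpose.
        if purpose not in ROLE_PURPOSES.get(role, set()):
            self.audit.append((role, purpose, incident_id, "denied"))
            raise PermissionError(f"role {role!r} may not process data for {purpose!r}")
        incident = self.incidents.get(incident_id)
        if incident is None:
            self.audit.append((role, purpose, incident_id, "not found"))
            raise LookupError(f"unknown or purged incident {incident_id!r}")
        # 2. Only the rows the purpose needs ...
        keep_row = PURPOSE_ROW_FILTER.get(purpose, lambda r: True)
        # 3. ... and only the fields the purpose needs.
        fields = PURPOSE_FIELDS[purpose]
        result = [{k: v for k, v in r.items() if k in fields}
                  for r in incident.records if keep_row(r)]
        self.audit.append((role, purpose, incident_id, f"returned {len(result)}"))
        return result

    def close_incident(self, incident_id: str, closed_at: Optional[datetime] = None) -> None:
        self.incidents[incident_id].closed_at = closed_at or datetime.now(timezone.utc)

    def purge_closed(self, now: Optional[datetime] = None) -> list[str]:
        """Delete every incident whose retention period after closure has elapsed."""
        now = now or datetime.now(timezone.utc)
        purged = []
        for iid, inc in list(self.incidents.items()):
            if inc.closed_at is not None and inc.closed_at + self.retention_after_close <= now:
                inc.records.clear()
                del self.incidents[iid]
                purged.append(iid)
        return purged


def build_sample_store() -> CentralStore:
    """Constructed sample: a chemical leak with mixed injuries (not real data)."""
    store = CentralStore()
    for rec in [
        {"victim_id": "V1", "name": "A. Example", "injury_type": "respiratory", "severity": 3, "location": "Zone A"},
        {"victim_id": "V2", "name": "B. Example", "injury_type": "burn", "severity": 2, "location": "Zone A"},
        {"victim_id": "V3", "name": "C. Example", "injury_type": "respiratory", "severity": 1, "location": "Zone B"},
    ]:
        store.add_record("leak-001", rec)
    return store


if __name__ == "__main__":
    store = build_sample_store()
    # The analyst's search returns only respiratory rows and only three fields.
    print(store.query("public_health_analyst", "respiratory_assessment", "leak-001"))
    try:
        store.query("logistics", "victim_care", "leak-001")
    except PermissionError as exc:
        print("denied:", exc)
    store.close_incident("leak-001", datetime(2018, 6, 1, tzinfo=timezone.utc))
    print("purged:", store.purge_closed(datetime(2018, 6, 1, tzinfo=timezone.utc)))
```

The point of binding the query to a purpose rather than to a role alone is that the same person (a triage medic) may legitimately need the victim's name for care but not for a later statistical assessment; the purpose, not the role, decides which rows and fields come back, and the audit list is what a supervisory authority would ask for when checking that the purpose limitation principle was actually enforced.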
Article 29 Data Protection Working Party, Opinion 03/2013 on purpose limitation.
Article 29 Data Protection Working Party, Opinion 04/2007 on the concept of personal data.
CJEU, C-582/14, Patrick Breyer v Bundesrepublik Deutschland.
CJEU, C‑293/12, Digital Rights Ireland Ltd.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [Link]
Petersen, K. Easton, C. and Buscher, M. (In Press) On anonymity in disasters: socio-technical practices in emergency management. Ephemera: Theory and Politics in Organization.
GDPR Overview of the General Data Protection Regulation (2017). Information Commissioner's Office [Link]