Skip to content

New ICO guidance on data sharing in a mental health emergency

Blog

orange blue abstract

The Information Commissioner’s Office (ICO) has released new guidance on information sharing in a mental health emergency or crisis at work. This is especially important when studies suggest that approximately one in four people in the UK will experience a mental health problem each year.

If an individual is having a mental health crisis while at work, it is of utmost important that they receive appropriate support. With this in mind, the ICO guidance confirms that “Data protection law allows organisations to share personal information in an urgent or emergency situation, including to help them prevent loss of life or serious physical, emotional or mental harm”. It appears that the ICO’s objective in releasing the guidance is to provide employers with greater certainty about how an individual’s information can and should be shared during a mental health emergency. In addition, it assists employers with planning ahead so that they have processes in place if an employee is having a mental health crisis.

The guidance contains three distinct types of obligation:

  • “Must”: is a legislative requirement,
  • “Should”: not a legislative requirement but the ICO expect employers to do it to comply with the law. An employer needs a good reason not to implement a measure where the ICO says it should be introduced.
  • “Could”: refers to an option or example that an employer could consider to help it comply effectively with its legal obligations. However, there are likely to be various other ways that an employer could comply with the obligation.

This blog reviews the key takeaways from the new guidance:

What is a mental health emergency?

The guidance recognises that symptoms will vary from person to person and it can be difficult to determine when a situation becomes an emergency or crisis. However, the guidance defines a mental health emergency or crisis as “a situation in which you believe that someone is at risk of serious harm to themselves, or others, because of their mental health. This can include the potential loss of life.”

The above definition clearly envisages a scenario where there is a risk of serious harm, either to the individual having the crisis or anyone else. What serious harm amounts to will be different on a case by case basis and employers will have to use their judgment at the time. However, where there is no risk of harm it seems clear that this would not amount to a mental health emergency.

As a general point, it is also good practice to signpost your employees to resources that assist with mental health including the NHS, an Employee Assistance Plan (if there is one) and charities such as Mind.

Protecting health is the priority but judgement is required in each case:

Where there is a mental health emergency, an employer should share necessary and proportionate information without delay with the relevant and appropriate emergency services or health professionals. The guidance is therefore unequivocal that information should be shared in an emergency.

Employers still need to consider who they are sharing information with and what information they are sharing. The guidance does not give an employer carte blanche to share any information that it wants. The guidance states employers will not get in trouble for sharing necessary and proportionate information with “the right people to protect the person involved”, such as relevant and appropriate emergency services or health professionals. By way of example, this could include 999 in certain cases or calling the individual’s GP surgery or psychiatrist (if known).

In addition to sharing with emergency services and health professionals, employers can also share necessary and proportionate information with a worker’s next of kin or emergency contact. It is important to note that the guidance uses the phrase “could” in respect of informing next of kin. It makes the point that it may not always be appropriate to share information, particularly where the exact nature of the relationship is unknown. Therefore, in respect of next of kin it may be best to err on the side of caution when sharing information, particularly in circumstances where the relationship between the individuals is uncertain.

Plan ahead:

It will be much easier to handle a mental health emergency where there are appropriate plans and policies in place. However, the guidance is clear that the priority must be sharing the information as necessary and so there will be cases where the employer needs to act without consulting a policy.

That said, we recommend that employers have internal policies and processes for information sharing in an emergency. The ICO state that employer must:

  • Identify a lawful basis to share information (such as vital interests, legitimate interest and/or legal obligation),
  • Identify a special category condition (such as vital interests and employment, social security and social protection law),
  • Let its workers know that it may share their information in a health emergency, including a mental health emergency,
  • Ensure that your workers are aware of any policy you have for sharing personal information in a health emergency, and that it is available to them, and 
  • Provide this information to your existing workers as soon as possible, and to new workers within one month of obtaining their information.

In addition, there are additional steps that employers should also take. A basic but crucial point is to ensure that employees’ next of kin/emergency contacts are up to date and reviewed regularly. An employer could even go one step further and have different emergency contacts in different scenarios (although note this is not required and may be overly burdensome for businesses with a high number of employees).

An important first step is to develop a policy on sharing personal information in a mental health emergency. Specifically, the policy should cover the type of information you may need to share, who you may need to share it with and how you will share it securely. The policy should be easily accessible and well-publicised either on the intranet or staff handbook.

Once a policy is in place, the next step is to train staff on how to handle personal information in a mental health crisis. It may be best for an employer to select certain individuals who will respond in an emergency. If an employer has mental health first aiders, it makes sense for them to be trained in sharing information as well in light of the fact they are most likely to be the ones assisting in a mental health emergency.

Conclusion:

The headline point from the guidance is that data protection law should not be a barrier to sharing information in a mental health emergency. While employers will need to use their judgement and discretion in each case, it is completely acceptable to share information where necessary to prevent serious harm.

An employer will also be far more prepared for a mental health emergency where they have appropriate policies and procedures in place. This includes training individuals in mental health first aid and on what information they are able to share with the emergency services and/or next of kin.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, April 2024

Want to know more?

Contact us

About the authors

rgb

Tom Cleeve

Associate

Tom is a specialist employment lawyer, advising senior individuals and organisations on contentious and non-contentious matters, with particular experience of acting for clients within the professional services, financial services and sport sectors.

Tom is a specialist employment lawyer, advising senior individuals and organisations on contentious and non-contentious matters, with particular experience of acting for clients within the professional services, financial services and sport sectors.

Email Tom +44 (0)20 3375 7833

Further reading

Related sectors & services

Continue to next section
Back to top