The two major earthquakes centered in Kahramanmaraş on 06.02.2023 deeply affected everyone and wounded our conscience. The crisis is still ongoing, and even needs that are literally “vital”, such as rescue efforts, shelter, and the health and hygiene of the victims, cannot be met. We decided to write an article on personal data in disasters in order to explain the issues we know best in an understandable and comprehensive manner and to contribute to preventing similar problems in the future.
Although it may seem when the subject is first raised that there are more pressing issues, a little analysis shows that it touches the very heart of the crisis: search and rescue operations, disinformation, social media posts, scams, protection of children, continuity of health services and protection of our health information. We hope that everyone who has been harmed will obtain justice and that their lives will return to normal as quickly as possible. The topics to be analyzed are as follows:
1. Importance of Personal Data in Disaster Situations
a. General Notes
b. Immediately After the Disaster: Personal Data During Search and Rescue Operations
c. Post Disaster Process: Health Services, Informing Families and Lists and Personal Data
2. Conditions for Processing Personal Data in Case of Disaster
a. Personal Data Processing Conditions
b. Sensitive Data Processing Conditions
3. After the Earthquake: The Effects of Personal Data Breaches on Disaster Victims
a. Personal Data of Large Groups without Houses
b. Social Media Sharing: The Impact of Outdated and Inaccurate Personal Data
c. Fake Accounts and Fraud
4. Examples from the World
5. Protection of Personal Data in Disasters: EDPB Guidelines and Principles
6. Measures to Ensure the Security of Personal Data
7. Vulnerable Groups in Disasters: Protection of Personal Data of Children
I. IMPORTANCE OF PERSONAL DATA IN DISASTER SITUATIONS
A. GENERAL NOTES
In Turkey, Law No. 6698 on the Protection of Personal Data (the Law), which entered into force in 2016, and the relevant regulations, communiqués, guidelines, and decisions published by the Personal Data Protection Authority (the Authority) are used as legislation on personal data.
Within the scope of the aforementioned legislation, personal data is defined as any information relating to an identified or identifiable natural person. A separate definition is given for special categories of personal data. These are more sensitive personal data that are likely to cause serious harm to the data subject in case of violation. They are limited to “Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions, and security measures, and the biometric and genetic data” and are given greater protection.
There are various laws, regulations, communiqués, etc. in our country regarding disasters. For example, the regulation on the establishment and duties of the Disaster and Emergency Management Presidency (AFAD) contains provisions for the protection of personal data in disasters and emergencies. However, there is no specific legislation that examines critical issues such as how personal data should be collected, stored or transferred in disaster situations, and how health information, which is a special category of personal data, should be protected in disaster situations. In this context, the general principles in the Law apply, with actual impossibility as the legal basis and the principles of “proportionality and limitation to the purpose” as the main point of examination.
B. IMMEDIATELY AFTER THE DISASTER: PERSONAL DATA DURING SEARCH AND RESCUE OPERATIONS
In disaster situations, search and rescue processes are carried out in the first stage in order to remove the disaster victims from the debris, to transport the injured to health services and, unfortunately, as we experienced with the Kahramanmaraş earthquake, to reach the deceased. Personal data is of critical importance at this point.
Since there is no direct information about the vital status and bodily integrity of the persons exposed to the disaster at this stage, their personal data are generally communicated by their relatives, persons who are physically in the same area, teams that go to intervene in the incident, etc. and directly by themselves if they are conscious and have the opportunity to communicate.
After the disaster, the processing, storage and transfer of data begin: the locations of the disaster victims, identity information such as name – surname, Turkish ID Number, address, contact information such as mobile phone numbers of their relatives, and of course health information such as blood group, chronic disease, etc.
In the first stage mentioned above, personal data of disaster victims are transferred by their relatives, government organizations, aid teams, etc., and stored for purposes such as search and rescue operations, planning and management of health services, emergency aid distribution, and in most cases, they are transferred by aid teams, relatives, and in some cases through platforms such as social media for announcements and requests for assistance.
C. POST-DISASTER PROCESS: HEALTH SERVICES, FAMILY INFORMATION AND LISTS
Following the search and rescue operations described above, personal data are obtained, stored, and transferred in the processes of transferring the rescued injured persons to health services, transferring the deceased persons to their families or authorities, and informing the relatives of these persons. In addition to this, various aid lists are created due to the serious needs experienced after the disaster, and personal data are included in these lists, and sometimes personal data are transmitted together with the transmission of these aid lists. For example, in the lists of earthquake victims who survived the rubble and need tents, name – surname, telephone numbers for communication, and addresses where they are at that moment are indicated.
Intensive processes related to personal data are carried out for reasons such as the emergency management process, the delivery of health services, the delivery of basic needs such as shelter and food, as well as during the initial search and rescue process.
Considering that health data is sensitive data and that the life and physical integrity of data subjects exposed to a disaster are at risk, the processes regarding personal data in disaster situations progress much faster than usual and are equally risky for the disaster victims. For example, sensitive data such as the address, health status or family information of a victim who has become homeless can be disseminated very quickly. Such situations can also lead to malicious actors obtaining these data and causing greater harm to those concerned. Furthermore, a breach of personal data may also adversely affect the future rights of victims.
Situations such as theft of patient information as a result of data breaches arising from the security vulnerabilities of hospitals after the earthquake, announcement of false information, inadequate collection of personal data also cause harm to those concerned.
In particular, as the accuracy and reliability of the lists of the missing and injured were not fully checked, in some cases the wrong people were added to the lists or incorrect information was included. This situation is very worrying for the families of those who are missing and also causes search efforts not to be carried out properly.
II. CONDITIONS FOR PROCESSING PERSONAL DATA IN CASE OF DISASTER
The legislation first seeks compliance with the principles regarding the processing of personal data and then a processing condition in accordance with the law. Processing personal data without meeting these criteria will normally constitute a violation due to the lack of a legal basis.
A. POSSIBLE PROCESSING CONDITIONS OF PERSONAL DATA IN CASE OF DISASTER
The relevant legislation has shown all processing conditions in the article of law. Except for explicit consent, the following conditions regarding personal data processing in disasters can be used.
Personal Data Protection Authority – Personal Data Protection Law and Practice
- Personal data may be processed in cases where it is explicitly required by law. An example is when a health worker processes details such as blood type, state of consciousness, health status while intervening to an injured person within the scope of the relevant regulations.
- The Board explained the actual impossibility of processing personal data as follows:
“…if it is necessary for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or the person whose consent is not legally valid, the personal data of the person concerned may be processed without seeking his/her consent. Examples of this situation include obtaining information such as the person’s blood type, diseases and surgeries, medications used by the person at the time of medical intervention and processing personal data through the relevant health system in order to protect the life or physical integrity of the person in a situation where the consent of the person is not valid due to unconsciousness or mental illness. According to the Law, in case of actual impossibility, there must be a necessity for the protection of the life or physical integrity of the data subject or a third person in order to process personal data. For example, in order to rescue a person whose liberty is restricted, such data may be processed in order to determine the location of the person or the suspect through the telephone, computer, credit card, debit card or other technical means carried by the suspect.”
When the examples given above are analysed and especially when the criterion of “necessity for the protection of a person’s life or physical integrity” is taken into consideration, “actual impossibility” seems to be the most probable ground for processing personal data in disaster situations.
- Publicisation is the processing of personal data made public by the data subject himself/herself, in other words, personal data that have been disclosed to the public in any way. An example of this situation is when a person publicly announces his/her contact details in order to be contacted in certain situations.
- Regarding the requirement that data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject, the Authority stated that “The legitimate interest of the data controller is the interest and benefit to be obtained as a result of the processing to be carried out. The benefit to be obtained by the data controller; legitimate, effective enough to compete with the fundamental rights and freedoms of the person concerned, must be related to a specific and already existing interest. It must be a transaction that is related to the current activities carried out by the data controller and will benefit him in the near future.”
The legitimate interest processing requirement generally provides an interest to the data controller, but this interest does not harm the fundamental rights and freedoms of the data subject and is also based on a legitimate reason. The cases where data processing provides an interest to the data controller in disaster situations such as earthquakes are quite risky. Namely, even if the benefit provided to the data controller is legitimate, it will generally be insignificant against the protection of the rights and even the life and physical integrity of the data subject in the face of a vital event such as a disaster. This processing condition seems to be possible only in cases where the protection of the interest of the data subject and the protection of the interest of the data controller proceed in parallel. Considering that legitimate interest is the most abused processing condition in practice, except in cases of disaster, the processing based on this condition should be examined in detail.
B. SENSITIVE PERSONAL DATA PROCESSING CONDITIONS IN CASE OF DISASTER
As mentioned above, sensitive data are explicitly listed in the law, which states that they can be processed in very limited cases with the explicit consent of the person. Their processing therefore proceeds differently from the process described above.
According to the Law, apart from the explicit consent of the data subject, the processing of sensitive personal data is also possible in the following cases:
- In cases stipulated by law,
- Personal data relating to health and sexual life may only be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons under the obligation of confidentiality or by authorised institutions and organisations.
Transfer of health information in disasters constitutes one of the most critical issues. As explained, since health information such as blood group is sensitive personal data, it can only be processed in special cases specified in the Laws and with explicit consent. The cases specified in Article 2 are specific to events concerning public health such as disaster situations, and it is very important to share only personal data that fall within this scope and overlap with this purpose.
III. AFTER THE EARTHQUAKE: THE IMPACT OF PERSONAL DATA BREACHES ON DISASTER VICTIMS
A. PERSONAL DATA OF CROWDS WITHOUT HOMES
Disaster situations pose a serious threat to the security of personal data. After an earthquake, thousands of people whose houses are destroyed or damaged often face the problem of shelter. In this case, collective accommodation areas create a particularly sensitive situation in terms of personal data of disaster victims. Difficult physical conditions after a disaster also reduce the care taken in the processing, storage and transfer of personal data. After the disaster, very serious personal data such as shelter or need lists, lists of those waiting to be rescued can be passed from hand to hand without any precautions, sometimes with a piece of paper, sometimes with a tweet.
Although the security of personal data may seem like a secondary priority, it is actually very important for the safety of disaster victims. The circulation of such personal data carries the risk of identity theft, fraud or other malicious use, which puts the disaster victims, who are already in a very difficult situation, into further difficulties.
In order to protect the personal data of disaster victims, managers of shelter areas and related institutions should be careful in collecting, processing and sharing the data. Recording systems where data are collected should be stored in a secure and encrypted environment. Data should be shared only by authorised persons and only after obtaining the necessary permissions.
Enforcement of legal regulations may become more difficult in the context of disasters, where aid organisations and government agencies in particular are obliged to take special measures to protect the personal data of victims. These measures may include storing data securely, collecting and processing only as much data as necessary, taking appropriate technical and organisational measures to ensure data security and confidentiality, and responding quickly to data breaches.
B. SOCIAL MEDIA POSTS: THE IMPACT OF OUTDATED AND INACCURATE PERSONAL DATA
Following natural disasters such as earthquakes, social media becomes a platform that is used as a means of news gathering and communication, especially in countries like Turkey that are subject to restrictions on freedom of communication. The posts made from here provide very serious support to vital issues such as search and rescue operations in disasters and collection of needs, and in parallel with this, it carries similar risks with it.
Since social media platforms are networks that store personal data of users and share them among users, they may contain special data such as shelter status, contact information and health status of disaster victims. Since the posts made on social media platforms during disaster periods contain outdated and untrue personal data, are open to the access of malicious users, and are highly susceptible to disinformation, they may cause damage to the disaster victims and the society in general.
The following posts made by the institution after the earthquake in our country also emphasised the seriousness of this issue.
Another important point mentioned in the announcement of the Agency is that posts on social media should be made with consideration of the possibility of causing discrimination and victimization for the person concerned. The situations that may lead to this, at the time of disaster and in society in general, can be predicted by an average person, and the obligation to act in a way that does not harm the disaster victims, who are already under serious threat to their lives, applies to everyone.
Photographs and videos taken by the press or the people present at the scene of the disaster showing the moments of rescue from the rubble are personal data, and the effects of sharing them on the person concerned should be considered before they are shared on social media. Although there are legitimate reasons such as freedom of information and planning of emergency management, there is a conflict between these reasons and the right to privacy of the relevant disaster victim. In this conflict, proportionality, being limited to the purpose and general ethical rules should always be observed in terms of personal data. In summary, one should be very careful about the reliability and accuracy of the posts made on social media in case of a disaster.
C. FAKE ACCOUNTS AND FRAUD
In order to meet the urgent needs of people who suffer during disasters, aid announcements can be made or campaigns can be carried out through social media or various platforms.
This complex post-disaster environment enables the emergence of fraudsters or those conducting fake aid campaigns. In order to increase the credibility of the aforementioned actions, malicious persons may also use the personal data of the victims of the disaster.
It is important that people pay attention to the information they share on social media and verify before participating in such campaigns. To raise awareness of these scams, official aid organizations should disclose their policies on fundraising on their websites and social media accounts.
IV. EXAMPLES FROM THE WORLD: PERSONAL DATA IN DISASTER SITUATIONS
Above, we have given detailed explanations about the earthquake in our country and the problems experienced. In order to address the issue from a broader perspective, we will address the problems in the protection of personal data after disasters around the world.
- Japan earthquake (2011): During the earthquake in Japan in 2011, problems such as theft and misuse of personal data were experienced. In particular, it was found that the personal data of people who were left homeless after the earthquake in shelter centres were stolen by hackers.
- Hurricane Katrina (2005): In the aftermath of Hurricane Katrina, which occurred in the state of Louisiana in the USA in 2005, there were negative incidents regarding the protection of personal data, especially the theft and misuse of patient information in hospitals in the region.
- Nepal earthquake (2015): In the aid campaigns that emerged after the earthquake in Nepal in 2015, personal data was misused by using fake accounts.
- Hurricane Maria (2017): In the aftermath of Hurricane Maria in Puerto Rico in 2017, there have been frequent incidents of patient information being lost or stolen from hospitals in the region.
Following all the examples given above, the problems experienced in the protection of personal data have encouraged governments to enact new laws and take more measures to protect personal data.
In 2016, during the earthquake in Italy, thousands of patient records were leaked to the internet as a result of a data breach at a local hospital. This incident attracted the attention of the Italian Data Protection Authority (Garante per la protezione dei dati personali), and as a result, the European Data Protection Board (EDPB) has also looked into this issue and issued guidelines on how to apply the rules on the protection of health data.
Another precedent on the protection of personal data in disaster situations was set by the EDPB in 2020 during the COVID-19 pandemic. The EDPB provided guidance on how personal data can be used to combat the pandemic. In this guidance, it provided detailed information on how to apply data protection principles, especially in the case of health data.
V. PROTECTION OF PERSONAL DATA IN DISASTERS: EDPB GUIDELINES AND PRINCIPLES
The EDPB guidelines do not have a specific chapter on disasters, but they provide a general approach to the data protection risks that disasters may pose and establish overarching basic principles for the protection of personal data in disasters. In particular, the guidelines emphasise the importance of the necessity and proportionality of processing personal data in disasters and propose measures to limit and protect the use of personal data in disaster situations.
For example, the “Guidelines on the Necessary Principles for Processing Personal Data” discusses the legitimacy conditions for processing personal data in disaster situations and the application of data protection principles. Similarly, the “Guidelines for Employers’ Processing of Personal Data of Employees” discusses how employers may process personal data of employees in disaster situations. The EDPB also provides information on the limits and scope of processing personal data in disaster situations in the “Guidelines for Short-Term and Unforeseen Operations”.
EDPB – Guidelines for Short-Term and Unforeseen Transactions
This guide by the European Data Protection Board (EDPB) provides information on the protection of personal data during short-term and unpredictable processing. The Guidelines provide a framework for the processing of personal data in disaster situations, emergencies, rescue operations, healthcare, security measures, business continuity and similar situations. The Guidelines explain the considerations and steps that data controllers, data processors and other interested parties should take for the processing and protection of personal data in such situations.
The issues to be considered for the protection of personal data in disaster situations are as follows:
- Predetermined procedures should be prepared for short-term and unpredictable operations.
- Personnel with sufficient knowledge on the collection, processing and sharing of personal data should be assigned.
- A clear legislation on the legal basis of data sharing in case of emergency should be established.
- Appropriate technical and organisational measures must be taken for the security and integrity of personal data.
- The collection, processing and sharing of personal data should be limited and only the information necessary for disaster response should be collected.
- Data subjects should be informed about the purposes for which their personal data are used and with whom they are shared.
- Personal data should also be protected during the normalisation process after a disaster.
- In the case of automated processing of personal data, the rights of individuals must be respected.
- In disaster situations, personal data of children and other special groups should be carefully protected.
- Urgent measures should be taken against personal data breaches and necessary reporting processes should be implemented.
VI. MEASURES TO BE TAKEN TO ENSURE THE SECURITY OF PERSONAL DATA
As explained in detail above and as we have unfortunately seen directly in our country recently, it is of vital importance to take measures for the security of personal data in disaster situations. These measures can help prevent fraud and other criminal activities while ensuring that the personal data of individuals are secure. Below are examples of legal measures that can be taken for the security of personal data in disaster situations:
- Responsible persons for the security of personal data should be identified: In disaster situations, a number of responsible persons for the security of personal data should be identified. These may include various persons, such as government authorities, rescue teams, health workers and non-governmental organisations. Responsible persons can ensure the security of personal data by taking appropriate measures for the security of personal data.
- Data security protocols should be prepared: During disaster situations, protocols for the security of personal data should be prepared. These protocols govern the collection, storage and sharing of personal data. Protocols should be designed to ensure the security and confidentiality of data.
- Technological measures should be taken for the security of personal data: Technological measures can enhance the security of personal data. These measures may include encryption, backup and protection of data. Physical measures, such as data centres, can also be taken.
- Legal measures should be taken to prevent fraud and dishonesty: In disaster situations, fraud and dishonesty tendencies may increase. Therefore, legal measures should be taken to prevent such activities. This includes preventing fake accounts, fraud and other
- Information Campaigns: Before, during and after the disaster, information campaigns should be organised to inform data subjects about how their personal data will be used, with whom they will be shared, what rights they have and how they can exercise these rights. These campaigns can be organised through printed, visual and audio-visual media.
- Monitoring Data Breaches: Data breaches should be detected and prevented quickly. For this purpose, teams specialised in data security can be formed in case of disaster.
- Secure Data Storage: For the safety of personal data in the event of a disaster, data must be stored securely. This can be done by using backup, encryption, firewalls and other security measures.
- Control of Data Access: In case of disaster, only authorised persons should have access to personal data. For this purpose, authentication and authorisation mechanisms can be used.
- Legal Arrangements: In case of a disaster, legal regulations regarding the protection of personal data should be made. These regulations should contain clear rules regarding the processing of personal data and protect the rights of data subjects.
VII. VULNERABLE GROUPS IN DISASTERS: PROTECTION OF PERSONAL DATA OF CHILDREN
Although disaster is a very challenging period for everyone, vulnerable groups such as children become even more vulnerable in this process. Protection of personal data of children in disasters is of critical importance for their safety.
Protection of personal data of children in disasters is a legal and ethical responsibility. This responsibility is determined especially by international human rights conventions and countries’ own laws. Below are examples of legal measures that can be taken for the security of children’s personal data in disaster situations:
- In disasters, children’s personal data are likely to be lost or damaged. Therefore, in the pre-disaster period, collection and storage of children’s personal data by legitimate institutions and authorities with legal basis can be considered.
- In the post-disaster period, the issues of safe storage of personal data of children, searching for missing children, reuniting them with their families and harbouring them in a safe environment come to the agenda. At this point, the highest level of sensitivity should be shown by considering the best interest of the child.
- In disaster situations, special measures need to be taken for the privacy and security of children’s personal data. Therefore, sharing of children’s personal data, especially on social media platforms, should be allowed only in necessary cases and in accordance with legal regulations.
- In disaster situations, it is important to take legal measures to protect children. These measures are necessary to ensure the protection and security of children’s personal data.
This disaster process in our country should be evaluated in much more detail and comprehensively, and the utmost effort should be made to solve all the factors that caused this earthquake to turn into such a disaster.
In order to contribute to this review, we have focused on the vital importance of personal data for the persons concerned during and after the disaster. Some of the topics we examined in our article were: the importance of personal data in disaster situations, processing conditions, acquisition, storage and transfer processes, breach situations and the damages that may arise from this, current problems such as social media posts, fake accounts and fraud, examples from around the world, measures recommended in the guidelines published by EDPB, protection of children’s personal data in disaster situations. Based on all these, we have tried to prepare a list of suggestions regarding the measures that can be taken within the scope of the protection of personal data. We hope it will be useful.
We share the pain of those who lost their lives, those who were injured, their relatives, those who lost the city of their birth, and many others, and we are trying to take every precaution we can in order not to see such destruction again.