Data Protection Considerations in Residential Personal Emergency Evacuation Plans (PEEPs)

The introduction of the Fire Safety (Residential Evacuation Plans) (England) Regulations 2025 (the 'Regulations), due to come into force on 6 April 2026, marks a pivotal step in protecting vulnerable residents in high-rise buildings. As Responsible Persons (RPs) prepare for implementation, a critical but often overlooked consideration is data protection. Ensuring compliance with the UK GDPR and the Data Protection Act 2018 is essential when handling sensitive resident data under these Regulations. 

Why RPs should consider data protection in Residential PEEPs 

Residential PEEPs require person-centred fire risk assessments for tenants whose ability to evacuate during a fire is compromised due to cognitive or physical impairments. These assessments may contain details of the following: 

• Health conditions and disabilities; 
• Medical treatment or equipment used by the tenant, such as a wheelchairs and supplemental oxygen; 
• Representatives and caregivers who can assist with evacuation. 

This kind of data will likely fall within special category data, which attracts additional protections under data protection law. 

Lawful basis and consent 

Regulation 12 of the Regulations confirms that the duties and powers imposed and conferred by the Regulations must be exercised in accordance with data protection legislation. Under regulation 10(2), explicit resident consent is required before any personal information is shared with the local fire and rescue authority. 

This introduces two key principles: 

• Consent must be informed, specific and freely given. Residents must understand what data is being collected, how it will be used, who it will be shared with, and for what purpose. 
• Consent can be withdrawn at any time. RPs must be prepared to halt data sharing if consent is withdrawn and demonstrate compliance through robust record-keeping. 

Data minimisation

The Regulations require only the following essential information to be shared with the local fire and rescue service (with the tenant's explicit consent): 

• the tenant's flat number; 
• the tenant's floor number; 
• basic information regarding the degree of assistance that the tenant may require to evacuate the building; 
• whether the tenant has an emergency evacuation statement. 

This aligns with the data protection principle of data minimisation, whereby only the minimum necessary data should be processed. RPs should ensure that they do not share more data than is absolutely necessary when dealing with the local fire and rescue service. 

Security 

The above-mentioned information can be shared with the local fire and rescue authority either by: 

• electronic means; or 
• placing a hard copy in a secure information box. 

These delivery methods must ensure data security and controlled access. Key responsibilities for RPs include: 

• Ensuring secure storage and sharing of tenant data; 
• apply access controls to special category data; 
• implementing regular reviews of data accuracy and relevance as required under Regulation 9 of the Regulations; and 
• Creating or maintaining policies and training on UK GDPR compliance in emergency planning. 

Accountability and record keeping 

To demonstrate compliance with the accountability principle under Article 5(2) of the UK GDPR, RPs must maintain thorough records, including: 

• Evidence of how explicit consent to data sharing was obtained; 
• Copies of emergency evacuation statements; 
• Logs of information shared with fire and rescue services; 
• Justifications for any data processing under applicable lawful bases (i.e., consent).  

These records may also serve to protect RPs in the event of regulatory scrutiny or disputes regarding the adequacy of fire safety planning. 

Identifying Vulnerable Residents - a cautionary zone 

The Regulations require RPs to use reasonable endeavours to identify relevant residents. This duty raises privacy questions. Since RPs cannot compel disclosure of medical or disability information, they must tread carefully when collecting or inferring sensitive details. Overreaching could lead to breaches of privacy rights or misclassification. 

Preparing for compliance: practical steps 

• Review your data protection policies, specifically those dealing with the handling of special category data; 
• Audit current data protection and storage practices against UK GDPR requirements; 
• Train staff on how to engage with residents sensitively and lawfully with respect to collecting special category data in evacuation planning; 
• Develop template consent forms that meet UK GDPR standards; 
• Coordinate with local fire authorities to establish secure, lawful data-sharing protocols. 

Conclusion 

Residential PEEPs are a necessary response to the lessons of Grenfell and imperative to safeguard disabled and vulnerable residents. However, this protection must not come at the cost of residents' privacy rights. The Regulations, together with existing data protection law, require a balanced approach that upholds both physical and data safety. Compliance will demand careful planning, staff training and a commitment to the protection of resident data. 

For advice on complying with data protection legislation in the context of residential PEEPs, please contact Hetal Ruparelia or Georgia Maskell.