Last updated: 24/04/2026
1. About RiskBase Engage
RiskBase Engage is a software platform provided by RiskBase Limited. It helps building owners, managers, residents’ management companies, responsible persons and similar organisations collect and maintain information that may be relevant to fire safety, evacuation planning and emergency response.
The platform may be used to ask residents whether they may need assistance in the event of a fire or other building emergency and, where appropriate, to help the building’s responsible person share relevant information with authorised staff, contractors and the fire and rescue service.
2. Important: controller and processor roles
Data protection law distinguishes between a controller and a processor.
A controller decides why and how personal information is used. A processor handles personal information on behalf of a controller and acts on the controller’s instructions.
For resident information collected through RiskBase Engage, the controller will usually be the organisation responsible for managing fire-safety or building-safety arrangements at your building. This may be, for example:
the building owner;
the freeholder;
the managing agent;
the residents’ management company;
the right-to-manage company;
the responsible person;
the accountable person; or
another organisation responsible for the relevant building-safety arrangements.
RiskBase Limited is usually a processor in relation to resident information. This means RiskBase provides and supports the platform, stores and processes information, and assists the controller, but does not usually decide the underlying purpose for collecting resident evacuation or assistance information.
RiskBase may act as an independent controller for limited purposes relating to its own business and platform operations. These may include:
responding to direct support enquiries sent to RiskBase;
maintaining platform security;
investigating misuse, fraud, security incidents or technical issues;
keeping internal audit logs;
managing its own legal, regulatory, accounting or insurance obligations; and
managing communications with customer representatives and platform administrators.
Where RiskBase acts as controller for these limited purposes, RiskBase is responsible for that processing. Where RiskBase acts as processor, the building’s controller is responsible for that processing.
3. Who should residents contact?
Residents should normally contact their building’s controller in the first instance about how their resident information is used.
The controller’s contact details should be provided in the building notice, invitation email, RiskBase Engage form, resident portal, or other communication sent to residents.
Residents may also contact RiskBase at:
Email: support@RiskBase.uk
Company: RiskBase Limited
Registered office: 101 New Cavendish Street, 1st Floor South, London, United Kingdom, W1W 6XH
If RiskBase receives a request or complaint which should be handled by the building’s controller, RiskBase will help identify the relevant controller and may forward the request to that controller, ask the resident to contact the controller directly, or assist the controller in responding, depending on the arrangements in place.
4. Categories of personal information
The information collected through RiskBase Engage will depend on the configuration chosen by the building’s controller and the answers provided by the resident.
It may include:
name;
address, flat number or unit number;
contact details;
household size or number of occupants;
whether a resident may need help to evacuate;
information about mobility, vision, hearing, cognitive impairment, disability or other circumstances affecting evacuation;
a short note about the type of assistance that may be needed;
consent preferences;
confirmation or attestation that information remains accurate;
dates of updates or withdrawals;
communications or support enquiries; and
technical and audit information, such as user IDs, timestamps, access logs, device/browser information and security logs.
Residents should not provide detailed medical records, medication lists, NHS numbers, blood type or other highly detailed medical information unless specifically requested by the controller and genuinely necessary.
5. Special category information
Information about health, disability, impairment or assistance needs may be special category data under UK data protection law.
Where special category information is collected through RiskBase Engage, the controller must identify both:
a lawful basis under Article 6 UK GDPR; and
a special category condition under Article 9 UK GDPR and, where required, the Data Protection Act 2018.
In many cases, the controller may rely on explicit consent for health or disability information provided voluntarily by a resident. In other cases, different legal bases or conditions may apply depending on the controller’s duties and the circumstances.
RiskBase, when acting as processor, handles this information on the controller’s instructions.
6. Purposes of processing
Resident information may be processed for purposes including:
identifying residents who may need assistance in an emergency;
preparing, reviewing or maintaining evacuation plans or other emergency arrangements;
helping the controller comply with fire-safety, building-safety or related legal duties;
communicating with residents about their information and choices;
recording consent, withdrawal of consent and updates;
sharing relevant information with authorised staff, contractors and fire and rescue services where appropriate;
maintaining security and audit records;
operating, maintaining and improving the RiskBase Engage platform; and
handling support requests, technical issues, complaints and legal compliance matters.
RiskBase does not sell resident information. Resident information collected for RiskBase Engage is not used by RiskBase for marketing to residents.
7. Lawful bases
The lawful basis for processing resident information will usually be determined by the building’s controller.
Depending on the circumstances, the controller may rely on one or more of the following lawful bases:
compliance with a legal obligation;
legitimate interests, such as keeping residents safe and managing building-safety risks;
recognised legitimate interests, where a specific condition under UK law applies;
explicit consent, particularly for health or disability information or particular sharing arrangements; and
vital interests, where processing is necessary to protect someone’s life in an emergency.
Where RiskBase processes resident information as processor, RiskBase relies on the controller’s lawful basis and documented instructions.
Where RiskBase acts as controller for limited platform operations, RiskBase will usually rely on legitimate interests, legal obligation, contract, or another lawful basis depending on the purpose.
8. Fire and rescue service sharing
Resident information may be shared with the local fire and rescue service where appropriate for emergency response or planning.
Where applicable law or guidance requires explicit informed consent before resident information is shared with the fire and rescue service in advance, the controller should obtain and record that consent before sharing the information for that purpose.
A resident may withdraw consent where processing is based on consent. Withdrawal of consent does not affect the lawfulness of processing carried out before consent was withdrawn.
In a life-threatening emergency, relevant information may be shared where necessary to protect life, even if consent has not been given or cannot be obtained at that time.
Information may be shared digitally through RiskBase Engage or by another secure method chosen by the controller or required by the relevant fire and rescue service, such as a secure information box.
9. Who information may be shared with
Resident information may be shared with:
the building’s controller;
authorised building management personnel;
trained staff who support evacuation planning or emergency arrangements;
trusted contractors who need the information for building-safety or emergency-planning purposes;
the local fire and rescue service;
RiskBase staff and technical providers, where needed to provide and support the platform;
professional advisers, insurers, auditors or legal advisers where necessary;
regulators, public authorities, law enforcement bodies or courts where required or permitted by law; and
another organisation if there is a change in building management, ownership or responsibility and the information remains necessary for the same safety-related purposes.
Access should be limited to those who need the information for authorised purposes.
10. Subprocessors and technical providers
RiskBase may use carefully selected technical providers and subprocessors to host, maintain, secure and support RiskBase Engage.
Where RiskBase acts as processor, its use of subprocessors is governed by its contract with the relevant controller. RiskBase requires subprocessors to protect personal information and to process it only for authorised purposes.
11. Security
RiskBase and the controller should use appropriate technical and organisational measures to protect resident information.
These may include:
role-based access controls;
authentication controls;
encryption where appropriate;
logging and monitoring;
staff confidentiality obligations;
supplier controls;
incident-response procedures; and
regular review of access permissions.
Where information is accessed through the RiskBase Engage platform, access may be logged. If information is made available by another method, such as a secure information box, access control and logging will depend on the physical arrangements used by the controller and the relevant fire and rescue service.
12. International transfers
RiskBase and the controller aim to store and process resident information within the UK or EEA where reasonably possible.
If resident information is transferred outside the UK or EEA, the party responsible for the transfer must ensure that appropriate safeguards are in place where required by data protection law. These may include adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism.
RiskBase should not make restricted international transfers of resident information as processor except as permitted by its agreement with the relevant controller.
13. Retention
Resident information should be kept only for as long as necessary for the purposes for which it was collected.
The controller should determine the retention period for resident information, taking account of:
the purpose of the processing;
whether the resident still lives at the building;
whether the resident still requires assistance planning;
legal and regulatory requirements;
safety and accountability considerations; and
limitation periods and potential disputes.
As a general approach, the active resident record should be deleted or anonymised when it is no longer needed, usually within 12 months of the resident moving out or the information no longer being required, and in any event within 3 years of the resident’s last update or confirmation that the information remains accurate, unless a longer period is legally required or reasonably necessary.
A limited audit record may be retained for longer where necessary to evidence consent, withdrawal, updates, deletion, security, compliance or dispute handling.
14. Residents’ rights
Depending on the circumstances and the lawful basis relied on, residents may have the right to:
access their personal information;
correct inaccurate information;
request deletion;
restrict processing;
object to processing;
withdraw consent;
request data portability, where applicable; and
complain to the controller or to the Information Commissioner’s Office.
Because the building’s controller is usually responsible for resident information, rights requests should normally be directed to that controller.
If RiskBase receives a rights request relating to information for which it acts as processor, RiskBase will not usually decide the request itself. RiskBase will help identify the relevant controller and will either forward the request to the controller, help the resident contact the controller, or assist the controller in responding, in accordance with the contract between RiskBase and the controller.
Where RiskBase acts as controller for limited platform-operation purposes, RiskBase will respond to rights requests relating to that processing.
15. Consent and withdrawal
Where processing is based on consent, the resident may withdraw consent at any time.
Withdrawal of consent may mean that the controller cannot maintain a resident-specific evacuation or assistance plan, or cannot share information in advance with the fire and rescue service where consent is required for that sharing.
The consequences of withdrawing consent should be explained clearly to the resident at the time consent is obtained and when withdrawal is requested.
The controller and RiskBase should maintain a record of consent and withdrawal where appropriate.
16. Accuracy and updates
Residents may be asked to review, update or confirm their information periodically, usually at least once a year.
Residents should update their information sooner if their circumstances change in a way that affects the assistance they may need in an emergency.
The controller is responsible for ensuring that appropriate processes are in place to keep resident information accurate and up to date. RiskBase may provide tools to support that process.
17. Complaints
Residents should raise complaints about the use of their resident information with their building’s controller in the first instance.
Residents may also contact RiskBase at support@RiskBase.uk. If the complaint relates to processing for which RiskBase acts as processor, RiskBase may need to refer the complaint to the controller or assist the controller in responding.
Residents can also complain to the Information Commissioner’s Office at www.ico.org.uk.
18. Accessibility
The controller and RiskBase should take reasonable steps to make privacy information available in accessible formats where needed.
Residents who need this information in another format or language should contact their building’s controller or RiskBase.
19. Changes to these terms
These terms may be updated from time to time to reflect changes in the RiskBase Engage platform, legal requirements, guidance, or the way resident information is handled.
Where material changes are made, residents should be notified in an appropriate way, such as through the RiskBase Engage platform, email, building notice or another communication from the controller.
