The ICO’s Regulatory Approach during the Coronavirus pandemic

Elizabeth Denham, the Information Commissioner, set this new guidance in context: “Regulators apply their authority within the larger social and economic situation. We see the organisations facing staff and capacity shortages. We see the public bodies facing severe front-line pressures. And we see the many businesses facing acute financial pressures. Against this backdrop, it is right that we must adjust our regulatory approach.”

The ICO’s guiding principle is that it will act as a pragmatic and proportionate regulator, taking into account the various pressures and demands that the coronavirus has placed on organisations, whilst also acknowledging the important role that people’s information rights can have in both privacy protection and supporting transparency in public decision making.

The ICO also notes that some of the effects will be felt for a significant time after the conclusion of the current emergency, and that this means that some of the flexibility that it is to demonstrate will continue to be necessary in some areas for “many months to come”.

The ICO will demonstrate its empathetic and pragmatic approach by:

• Continuing to recognise the rights and protections granted to people by the law, both around their personal information and their right to freedom of information.
• Focusing its efforts on the most serious challenges and greatest threats to the public.
• Assisting frontline organisations in providing advice and guidance on data protection laws.
• Taking firm action against those looking to exploit the public health emergency through nuisance calls or by misusing personal information.
• Being flexible in its approach, taking into account the impact of the potential economic or resource burden its actions could place on organisations.
• Being ready to provide maximum support for business and public authorities as they recover from the public health emergency.

In terms of engagement with and supporting organisations, particularly those frontline organisations that provide healthcare or other vital services, the ICO will:

1. Identify and fast track advice, guidance or tools that public authorities and businesses say would help them deal with, or recover from, the crisis.
2. Review the economic and resource impact of any new guidance, and delay any specific guidance that could impose a burden that diverts staff from frontline duties, except where it is needed to address a high risk to the public.
3. Provide practical support to the public as to how to understand and exercise their information rights during this crisis. This could mean that individuals are advised to wait longer than usual and ‘bear with’ organisations.
4. When handling the public’s complaints about organisations, take into account the impact of the crisis. This may mean that the ICO resolve the complaint without contacting an organisation, for example if it is focussing its resources on the coronavirus frontline, or that the ICO gives it longer than usual to respond or to rectify any breaches associated with delay if it is recovering its service and gradually improving timescales.
5. Look to develop further regulatory measures that are ready to use at the end of the crisis. These would support economic growth and recovery including advice services, sandboxes, codes and international transfer mechanisms to test flexibility in safe data use.

In terms of what many organisations will see as the key area of regulatory action, in addition to applying the above general principles, the ICO has provided the following specific guidance:

1. Organisations should continue to report personal data breaches to the ICO without undue delay. This should be within 72 hours of the organisation becoming aware of the breach, though the ICO acknowledges that the current crisis may impact this. It will assess these reports, taking an appropriately empathetic and proportionate approach.
2. When the ICO conducts investigations, it will act knowing there is a public health emergency and seek to understand the individual challenges faced by organisations. We will take into account the particular impact of the crisis on that organisation. This may mean less use of formal powers that require organisations to provide it with evidence, and allowing longer periods to respond. It also expect to conduct fewer investigations, focussing its attention on those circumstances which suggest serious non-compliance.
3. The ICO will take a strong regulatory approach against any organisation breaching data protection laws to take advantage of the current crisis.
4. The ICO has stood down its audit work, recognising the economic impact on organisations and the travel and contact restrictions now in force.
5. In deciding whether to take formal regulatory action, including issuing fines, the ICO will take into account whether the organisation’s difficulties result from the crisis, and if it has plans to put things right at the end of the crisis. It may give organisations longer than usual to rectify any breaches that predate the crisis, where the crisis impacts the organisation’s ability to take steps to put things right.
6. All formal regulatory action in connection with outstanding information request backlogs will be suspended.
7. Before issuing fines the ICO will take into account the economic impact and affordability. In current circumstances, this is likely to mean the level of fines reduces.
8. The ICO may not enforce against organisations who fail to pay or renew their data protection fee, if they can evidence that this is specifically due to economic reasons linked to the present situation, and provided that it is adequately assured as to the timescale within which payment will be made.
9. The ICO will recognise that the reduction in organisations’ resources could impact their ability to respond to Subject Access Requests where they need to prioritise other work due to the current crisis, and it can take this into account when considering whether to impose any formal enforcement action.

It is noteworthy that there are no suspensions or relaxations of any data protection laws. The ICO concludes that “With the correct application of flexibility in regulatory response, we do not consider that any of the legislation we oversee should prevent organisations taking the steps they need to in order to keep the public safe and supported during the present public health emergency. There is plenty of flexibility built in to the legislation for organisations to use in such times, including some specific public health related exemptions.”