ICO statement on their regulatory approach during coronavirus pandemic

April 15, 2020

The ICO has published the regulatory approach that it will follow during the coronavirus public health emergency. It sets out how the ICO will regulate during the current public health emergency, focusing in particular on data protection and freedom of information laws. 

The ICO states: “the coronavirus public health emergency means that we must reassess our priorities and our own resourcing, so that we retain the right balance in these challenging times, focusing on those areas likely to cause the greatest public harm”.

The ICO’s statement points out that the current coronavirus public health emergency means that:

organisations are facing staff and operating capacity shortages;

health, local and central government, charities, law enforcement and public authorities are facing severe front-line pressures and are redeploying resources to meet those demands; and,

organisations are facing acute financial pressures affecting their finances.

The ICO says that it must act in a manner which takes into account these circumstances. This includes deciding how it exercises its enforcement powers, how it delivers technical advice and guidance to public and private sector organisations, how it continues to support transparency in public decision making and how it supports the public in dealing with their complaints and queries. It acknowledges the important role that people’s information rights will continue to have, both around privacy protections and transparency around decision making by public bodies.

There are specific legal requirements which apply to particular work the ICO does and decisions it makes. For example, it is required by law to deal with complaints by the public appropriately, and when it takes enforcement action there are specific criteria it must take into account. The ICO recognises, however, that the current reduction in organisations’ resources could affect their ability to comply with aspects of the law and says that it will take an empathetic approach. To that end, the document sets out nine practical points that will be borne in mind:

  1. Organisations should continue to report personal data breaches without undue delay (72 hours). However, the ICO acknowledges that currently it may not always be possible to meet that timescale, so it will take an empathetic and proportionate approach.
  2. Investigations are likely to focus on cases that suggest serious non-compliance, but where they are undertaken they will seek to understand the individual challenges faced by organisations and use less formal powers with less stringent deadlines.
  3. They will take a strong regulatory approach against any organisation breaching data protection laws to take advantage of the current crisis.
  4. Audit work has been stood down.
  5. They will take account of whether problems result from the crisis and may give organisations longer to rectify breaches that predate the crisis, where the organisation’s ability to rectify the problem is hampered by the current situation.
  6. All formal regulatory action in connection with outstanding information request backlogs will be suspended.
  7. In light of the economic impact of the pandemic on affordability, the likely level of any fines may be reduced.
  8. There will be light-touch enforcement of failure to pay / renew data protection fees if the cost is currently unaffordable because of the crisis.
  9. They will understand that responding to Subject Access Requests may take longer where there is a need to prioritise other work.

With the correct application of flexibility in regulatory response, the ICO does not consider that any of the legislation it oversees should prevent organisations taking the steps they need to in order to keep the public safe and supported during the present public health emergency. There is flexibility built into the legislation for organisations to use in such times, including some specific public-health-related exemptions.

The ICO has prioritised its services to provide additional guidance for organisations about how to comply with the law during the crisis and it will keep the guidance under review and issue updates as necessary.