On 15 April 2020 the ICO published a statement on its regulatory approach during the coronavirus pandemic.
Recognising that operational and financial pressures caused by the coronavirus may impact organisations’ ability to fully comply with aspects of data protection laws, the ICO has stated it intends to apply an empathetic, “flexible and pragmatic” approach in its enforcement of data protection laws during the crisis, as well as any enforcement under the Freedom of Information Act and Environmental Information Regulations.
What did the ICO say?
The ICO has indicated that it will continue to follow its existing Regulatory Action Policy, which provides guidance on the ICO’s approach to regulatory investigations and enforcement action. As such, the statement doesn’t provide all organisations with a free pass in relation to compliance. However, the ICO has also stated that it intends to act proportionately, balancing the benefit to the public of taking regulatory action against the potential detrimental effect of doing so, taking into account the particular challenges faced at this time.
In particular, the ICO has stated it will take firm action against anyone that exploits the public health emergency or breaches data protection laws to take advantage of the current crisis.
Although the ICO has indicated it intends to take a pragmatic approach, the ICO has not expressly committed to applying many of the measures specified in the statement in any given case. We can therefore expect the ICO to continue assessing any complaints and non-compliance on a case-by-case basis, in light of the current challenges organisations are facing.
What are the key points from a data protection perspective?
The key points from the ICO’s statement are:
- The ICO will identify and fast track advice, guidance or tools to help public authorities and businesses deal with, or recover from, the crisis.
- The ICO will review the economic and resource impact of any new guidance. In particular, save where new guidance is necessary to address a high risk to the public, the ICO may delay any specific guidance where it could have the effect of diverting staff from frontline duties.
- The ICO may advise individuals to allow organisations more time to respond to data subject requests (e.g., data subject access requests).
- Where organisations are experiencing resourcing difficulties due to the coronavirus crisis, the ICO may elect to resolve complaints without contacting the organisation (e.g. if the organisation is focusing resources on the frontline) or to extend deadlines for responding to or rectifying breaches associated with delay if it is recovering its services and gradually improving timescales.
- Deadlines for reporting to data breaches remain unchanged and organisations should continue to report data breaches within 72 hours of becoming aware. However, the ICO has acknowledged that the pandemic may impact organisations’ ability to meet the usual deadlines and has stated that it will take an “empathetic and proportionate” approach in assessing breach reports.
- When conducting an investigation, the ICO will take into account the impact of the pandemic on the organisation, which may result in fewer formal disclosure requests and the extension of response deadlines. The ICO also expects to conduct fewer investigations, focussing its attention on circumstances which suggest serious non-compliance.
- The ICO will take a strong regulatory approach against any organisation breaching data protection laws to take advantage of the current crisis.
- When deciding whether to take enforcement action, including fines, the ICO will also take into account whether compliance difficulties have resulted from the pandemic, as well as the organisation’s plans to rectify any compliance issues following the pandemic. In particular, the ICO recognises that resourcing challenges during the crisis could impact organisations’ ability to respond to data subject access requests where other work needs to be prioritised, and the ICO may take this into account when considering whether to take enforcement action.
- The ICO has temporarily suspended its audit work, recognising the economic impact on organisations and the travel and contact restrictions currently in force.
- The ICO has temporarily suspended all enforcement action relating to outstanding information request backlogs.
- Before issuing fines, the ICO will take into account the economic impact and affordability of the proposed fine. The ICO has also stated that in the current circumstances, this is likely to mean the level of fines reduces.
- The ICO may not enforce against organisations for non-payment of the data protection fee where organisations can evidence that this is due to economic reasons linked to the present situation, and provided that the ICO is adequately assured as to the timescale within which payment will be made.
What has the ICO said in relation to freedom of information and environmental information requests?
The ICO recognises that the reduction in organisations’ resources could impact their ability to comply with aspects of freedom of information law, such as how quickly freedom of information requests (FOI requests) are handled. However, the ICO will still expect appropriate measures to be taken to record decision making, so that information is available at the conclusion of the emergency.
In particular, the ICO has indicated that:
- The ICO will continue to accept new information access complaints, although the ICO recognises that the crisis may impact the ability of public authorities to respond to FOI access requests or address backlogs, and that organisations may require more time than usual to respond. However, the ICO has also stressed that organisations should recognise the public interest in transparency and as far as possible should continue to comply with their obligations for particularly high-risk or high-profile matters.
- The ICO also recognises that in extreme cases, public authorities may have no option but to temporarily reduce or suspend elements of their information access functions.
What should organisations do now?
Organisations should continue to comply with their data protection and freedom of information obligations.
However, organisations should also be reassured that the ICO intends to take a flexible and proportionate approach during the crisis.
The ICO also recognises that the effects of the pandemic will be felt for some time after the conclusion of the emergency and that some flexibility will continue to be necessary for months to come.
The ICO is also looking to develop other regulatory measures that are ready to use at the end of the crisis, to support economic growth and recovery (e.g. advice services, sandboxes, codes and international transfer mechanisms).
The ICO will keep its regulatory approach under review as the situation progresses, so organisations should also regularly review the ICO’s current guidance for any further updates.