The ICO has published a document setting out its regulatory approach during the Coronavirus pandemic. In a statement which is consistent with the ICO’s general approach (a regulator that seeks to encourage compliance rather than to punish failure), the ICO specifically acknowledges a need to take into account these exceptional circumstances and indicates its intention to work flexibly and to be a ‘pragmatic and empathetic’ regulator.
This approach will see the ICO’s efforts focused on the greatest threats, whilst continuing to emphasise the importance of people’s information rights.
In more detail
In light of the exceptional circumstances in which we find ourselves, the ICO has indicated an adjustment to its regulatory approach. The ICO will:
- continue to recognise the rights and protections granted to people by the law around their personal information and their right to freedom of information;
- focus its efforts on the most serious challenges and greatest threats to the public;
- assist frontline organisations by providing advice and guidance on data protection laws;
- take firm action against those looking to exploit the public health emergency through nuisance calls or by misusing personal information;
- be flexible in approach, taking into account the impact of the potential economic or resource burden its actions could place on organisations; and
- provide maximum support for business and public authorities as they recover, including developing further regulatory measures ready for use at the end of the crisis.
The ICO will continue to act proportionately, recognising that the current reduction in organisations' resources is likely to impact their ability to comply with aspects of data protection law. For example, although organisations should report personal data breaches within 72 hours, the ICO will take a proportionate approach if this crisis impacts their ability to do so. The ICO has stood down all audit work.
Before issuing fines, it will take into account the economic impact and affordability, which in these circumstances may mean the level of fines reduces. The reduction in organisations' resources could impact their ability to respond to subject access requests and the ICO will take this into account when considering formal enforcement action.
The reduction in resources could impact organisations' ability to comply with aspects of freedom of information (FOI) law, such as how quickly organisations can answer FOI requests. Appropriate measures should, however, still be taken to record decision-making.
It is important to keep a record of the difficulties you face, as an organisation, in responding to subject access requests or freedom of information requests. It will also generally be helpful to maintain communication with requesters so that, where you will struggle to comply with the time limits, you can let them know. If you make a genuine effort to comply and keep a note of the difficulties you have faced in the context of your organisation’s current staffing (or whatever hurdles you are facing), it is very likely that you will see the pragmatic and empathetic face of the ICO.
Take note, however, that the ICO will take a ‘strong regulatory approach’ against any organisation breaching data protection laws to take advantage of the current crisis.
The ICO’s announcement about its regulatory approach during the Coronavirus public health emergency is available here.