The ICO has released new guidance setting out its intended approach during the coronavirus pandemic.
In the document, the ICO acknowledges that the current circumstances are exceptional and that it must take them into consideration when carrying out its regulatory functions. In particular, the document focuses on the ICO’s ability to regulate pragmatically and with empathy, having regard to the fact that some organisations will be facing staff shortages, financial difficulties and in the case of public authorities, significant pressures on frontline services.
Redressing the balance
The ICO refers to reassessing its priorities and resourcing so that it retains the right balance, focusing on areas which are most likely to cause the ‘greatest public harm.’ However, the ICO states that it will of course continue to recognise individuals’ rights around both their own personal data and freedom of information.
Key highlights in relation to data protection are:
- organisations should continue to report data breaches without undue delay and within 72 hours of becoming aware of the breach;
- the ICO will take account of the impact of the crisis on organisations subject to investigations, allowing longer periods to respond where necessary;
- decisions regarding fines/regulatory action against organisations will take account of difficulties arising from the crisis, which the ICO says is likely to reduce the level of fines temporarily;
- the ICO recognises that organisations may have a reduced ability to respond to subject access requests where they need to prioritise other work to deal with the current crisis, and will take this into account when considering whether to take enforcement action.
With regard to Freedom of Information, the ICO will:
- continue to accept new information access complaints;
- recognise that the ability to deal with requests may be impacted by the current crisis;
- in extreme circumstances for some authorities, appreciate that there may be little or no option but to temporarily reduce elements of information access functions;
- encourage organisations to proactively publish information; and
- emphasise the importance of proper record keeping during a period of time that will no doubt be subject to significant scrutiny in the future.
Advice and guidance
The ICO promises to assist frontline organisations with guidance on data protection and provide support for them to recover from the public health emergency. The ICO also confirms that it will help individuals attempting to assert their rights in the midst of the crisis.
It will be interesting to see how the ICO addresses the tricky balance between organisations and individuals over the coming months. Whilst it is clear that the ICO will take a pragmatic approach, data controllers and public bodies must still comply with the law as best they can during this difficult time.
The ICO’s statement on its regulatory approach can be found at:https://ico.org.uk/media/about-the-ico/policies-and-procedures/2617613/ico-regulatory-approach-during-coronavirus.pdf
The ICO has confirmed it may make further statements as the situation changes. We will keep you updated.
In the meantime, for further advice please get in touch with one of our information law experts.