ICO outlines regulatory approach during COVID-19 pandemic

Posted on 21 Apr 2020

The ICO has published guidance on its regulatory approach during the COVID-19 pandemic.


The ICO acknowledges its responsibility to consider the exceptional circumstances organisations currently face. It will therefore adjust its approach. The ICO says it will:

  • Continue to recognise the rights and protections granted to people by the law around their personal information and their right to freedom of information
  • Focus its efforts on the most serious challenges and greatest threats to the public
  • Assist frontline organisations (those providing healthcare or other vital services) in providing advice and guidance on data protection laws
  • Take firm action against those looking to exploit the public health emergency through nuisance calls or by misusing personal information
  • Be flexible in its approach, and take into account the impact of the potential economic or resource burden its actions could place on organisations
  • Provide maximum support for business and public authorities as they recover, including developing further regulatory measures ready for use at the end of the crisis

Compliance with deadlines

The ICO also acknowledges that the current pressures on organisations’ resources may have an impact on their ability to comply with deadlines. For example, reporting a data breach within 72 hours of discovery might be more difficult, as could responding to data subject access requests within a month. The ICO says it will take a proportionate approach to these issues.

The ICO has also stood down all audit work.


Before issuing fines, the ICO considers the economic impact and affordability. These could be affected by COVID-19. The guidance states: “In current circumstances, this is likely to mean the level of fines reduces.”


Organisations will welcome this guidance. It confirms the ICO’s intention to be pragmatic and flexible during this pandemic. The ICO has focussed to date on working with organisations to help them better comply with and understand their data protection obligations. 

This publication follows on from its previous announcement that it will continue to address data privacy pragmatically and take account of the compelling public interest in the current public health emergency (discussed here).  

The ICO’s statement that the level of fines might reduce is very interesting. We await confirmation whether British Airways and the Marriott Group are to be fined for data breaches following huge notices of intent to fine issued last year (£183.39 million and £99.2 million respectively). 

Whether fines will go down in practice remains to be seen. 

The guidance will be kept under review as the situation progresses.

The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.
