Data Protection Compliance: The ICO’s regulatory approach during Covid-19

The UK Information Commissioner’s Office (ICO) has released further guidance regarding how it will regulate during the Covid-19 crisis.  For details about the previous guidance released by the ICO, please see our previous blog here.

In its most recent guidance, the ICO emphasises that it will continue to act in a manner which takes into account the difficulties faced by businesses during this crisis and, in particular, has said it is committed to implementing an empathetic and pragmatic approach when carrying out its duties, which includes being flexible in its approach to regulatory action.

The difficulty the ICO faces as a regulator, is striking the right balance between acting in the interests of the public by taking regulatory action against businesses who fail to comply with data protection laws, versus the potential detrimental effect of doing so considering the particular challenges many businesses face during this time. In its guidance, available here, the ICO has said it will continue to act proportionately and will provide support to businesses and public authorities as they recover from the public health emergency. The ICO has confirmed that it will focus on the most serious challenges and greatest threats to the public and will prioritise its services to provide additional guidance for businesses about how to comply with the law during the crisis. In the current circumstances, this is likely to mean that fewer investigations will be conducted and less regulatory action taken by the ICO as it focuses its attention and resources on those cases which suggest serious non-compliance.

Although the ICO’s guidance may suggest that it is taking a more relaxed approach to compliance, the central message from the ICO is quite the opposite – businesses must still comply with their obligations under data protection law and the ICO will take a strong regulatory approach against any business breaching data protection laws to take advantage of the current crisis.

We’ve set out below some of the key take home points from the ICO’s guidance in respect of (a) its approach to regulatory action; and (b) engaging with the public and other organisations.

ICO’s approach to regulatory action

The ICO has issued a Regulatory Action Policy (the Policy) which provides guidance as to its chosen approach to regulatory investigations and action. As set out in the Policy, the ICO will continue to act fairly and proportionally; balancing the benefit of the public in taking regulatory action against the potential detrimental effect of doing so.

The ICO has adapted and taken into account the particular challenges being faced by businesses during this challenging time and has specifically set out the following key points with regard to the enforcement of regulatory action.

1. Businesses should continue to report personal data breaches to the ICO without undue delay and this should be within 72 hours of the business becoming aware of the breach. The ICO does however recognise that the current crisis may affect this reporting time period and will assess on a case by case basis taking a proportionate approach;
2. When conducting investigations, the ICO will recognise that there is an ongoing public health emergency and will seek to understand the individual challenges faced by each business, which may mean businesses are granted a longer period of time to respond to requests.
3. The ICO has reaffirmed its commitment to take strong regulatory action against any business breaching data protection laws to take advantage of the current crisis;
4. All regulatory action in connection with information request backlogs will be suspended;
5. The ICO will take into account the economic impact of affordability before issuing any fines and will take into account whether a business’s difficulties result from the crisis, and if it plans to put things right at the end of the crisis. This is likely to mean we will see a drop in the level of fines issued by the ICO;
6. The ICO may not enforce against businesses who failed to pay or renew their data protection fee if the evidence of this is linked to economic reasons arising from the Coronavirus crisis; and
7. The ICO recognises that the reduction in businesses’ resources could impact their ability to respond to Subject Access Requests, where they need to prioritise other work due to the current crisis.

Engagement with the public and organisations

The ICO acknowledges how organisations which provide healthcare and other vital services are facing severe front-line pressures and are redeploying resources to meet those demands and has reaffirmed its commitment to supporting them through this period.  In light of this, the ICO has stated that:

1. It will identify and provide fast record advice, guidance or tools that public authorities and businesses might require to help them recover from the crisis;
2. It will continue to review the economic and resource impacts of any new guidance and will delay any specific guidance which might divert resources away from front line duties except where there is a need to address a higher level of risk to the public;
3. Any public complaint about a business may be resolved without contacting the business complained about. Furthermore, if an organisation is focusing its resources on the Coronavirus front line, then the ICO might grant a longer time period for the organisation to respond to the request or rectify any breaches associated with delay;
4. It will look to develop regulatory measures that are ready to be used at the end of the crisis, which will support economic growth and recovery.

We will be monitoring guidance from the ICO and how businesses should operate in relation to the Covid-19 pandemic. Please check back here for further updates.

If you have any questions about this subject, please contact Nick Phillips or Selina Clifford from the Intellectual Property team.

If you aren’t receiving our legal updates directly to your mailbox, please sign up now