The statement from the ICO addresses pressure on front-line staff and financial pressures felt by businesses due to the coronavirus pandemic.
Its Regulatory Action Policy, according to the announcement, will be used as a basis for regulation throughout the crisis.
This includes addressing data breach reports, dropping data protection fee debts if offenders can prove that failure to pay the debt is due to economic reasons, and showing consideration for depleted resources when sending Subject Access Requests.
Additionally, the ICO will be dropping audit work until further notice due to current travel and contract restrictions among organisations.
Announcing an “empathetic and pragmatic approach”, the regulatory body has declared intentions to:
- Observe legal rights and protections for the public
- Prioritise major threats to the public
- Assist frontline organisations in providing data protection advice and guidelines
- Take action against nuisance calls and misuse of personal information
- Demonstrate flexibility when it comes to fines by considering potential economic or resource situations
- Be prepared to support businesses and public authorities throughout the crisis
“Regulators apply their authority within the larger social and economic situation,” said Elizabeth Denham, Information Commissioner. “We see the organisations facing staff and capacity shortages, we see the public bodies facing severe front-line pressures, and we see the many businesses facing acute financial pressures.
“Against this backdrop, it is right that we must adjust our regulatory approach. Our UK data protection law is not an obstacle to such flexibility; it explicitly sets out the importance of my office taking regard of the general public interest, and allows for people’s health and safety to be prioritised without the need for legislative amendment.”
Engaging with organisations and the public
When it comes to supporting companies throughout this period, the ICO has particularly addressed those that support the frontline in fighting COVID-19, and has identified the following focuses:
- Identifying and fast tracking advice and guidance based on case-by-case situations.
- Addressing economic and resource impacts of advice and guidance on companies, and delaying any guidance that could divert staff from frontline duties, with the exception of high-risk scenarios.
- Advising members of the public regarding their information rights.
- Considering the crisis when addressing complaints about organisations, meaning that offending organisations may not be contacted directly, or the time limit for a response could be extended.
- Developing additional regulatory measures in preparation for supporting economic growth in the crisis’s aftermath.
Freedom of Information Requests
The ICO has also stated that, due to the pandemic, its approach to freedom of information (FOI) requests needs to be reconsidered.
The regulatory body provided the following points:
- Engagement with public authorities will be kept to a minimum when addressing FOI requests.
- While organisations should put the most effort possible into being transparent, reduction in resources will be considered when it comes to FOI requests.
- The possibility of temporary reduction or suspension of information access elements will be considered.
- Public authorities will be encouraged to be proactive about publishing information.
- The importance of proper conduct when it comes to recording information will continue to be emphasised.
Ilia Kolochenko, founder and CEO of ImmuniWeb, commented: “The ICO’s reasonably flexible approach makes a lot of sense and enables organisations to focus on the practical implementation of effective data protection. On the other hand, the message is crystal-clear; no negligence or willful misconduct will be tolerated even amid the spiralling pandemic.
“Many security and data protection technologies, successfully deployed in corporate offices, are simply immovable to home devices for a variety of technical reasons. Moreover, usage of some of them may be unlawful on private mobile phones, for example, given that they may unduly intrude into personal privacy and private lives far beyond the extent reasonably requisite to ensure the protection of corporate data and intellectual property.
“Therefore, it would be disproportionally harsh and counterproductive to expect organisations to blindly follow the very same security processes for WFH teams as they did in the office environment.”
The ICO’s full announcement regarding its approach to data protection in the midst of the coronavirus pandemic can be found here.