What's the issue?
Like all of us, regulators are struggling to adapt to the current circumstances and that can involve a shift of focus and new priorities. Last month in Radar, we covered the responses of the ASA, CMA and Gambling Commission to the COVID-19 crisis. Now we look at the ICO's priorities.
What's the development?
The ICO has set out its regulatory approach during the current crisis. The ICO says its role is to act in the public interest and it has always had a pragmatic and proportionate approach. During the current health emergency, it needs to reassess its priorities and resourcing to focus on areas likely to cause the greatest public harm. Recognising that organisations face staff shortages, financial and, in the case of some public bodies, front-line pressures, the ICO says it will use the flexibility inherent in the law to take an empathetic and pragmatic approach while continuing to act where there are high risks to individuals.
The ICO will:
- Continue to recognise people's rights and protections.
- Focus on the most serious challenges and greatest threats to the public.
- Assist frontline organisations with advice and guidance.
- Take firm action against those looking to exploit the public health emergency through nuisance calls or misusing personal information.
- Be flexible in its approach, taking economic and resource factors into account.
- Provide maximum support for business and public authorities once the recovery from the crisis begins.
The ICO subsequently published a blog setting out the ways it has re-shaped its priorities as a result of COVID-19. The ICO will be focusing on:
- Protecting the public interest – focusing on the information rights issues likely to cause most harm or distress to citizens and businesses.
- Enabling responsible data sharing – ensuring data can be shared responsibly and with confidence for the public good.
- Monitoring intrusive and disruptive technology – ensuring privacy is protected while enabling innovation and supporting the economy.
The ICO identifies its priorities as:
- Protecting vulnerable citizens.
- Supporting economic growth and digitalisation including for small businesses.
- Shaping proportionate surveillance (to do with contact tracing, testing etc.).
- Enabling good practice in AI.
- Enabling transparency.
- Maintaining business continuity.
In addition to setting out its regulatory approach, the ICO has been giving guidance on data processing related to COVID-19 which is collated on its information hub, as well as on contact tracing apps.
What does this mean for you?
It's clear that the ICO is prepared to take a view on response times to SARs and data breaches, but only where there is justification for any delays. Communication, transparency and accountability will be key. At the same time, there will be no tolerance for organisations seeking to use the pandemic as an excuse for partial or non-compliance.
The ICO has also said economic factors will be taken into account when issuing sanctions. Again this should not be interpreted as a 'softer' approach. While keen to underline its pragmatism, the ICO is clearly focused on protecting the rights of individuals.
Engagement with public and organisations
The ICO will:
- Identify and fast track advice, guidance or tools that public authorities and businesses say they need during or after the crisis.
- Delay any specific guidance that could impose a burden which diverts staff from frontline duties, except where it is needed to address a high risk to the public.
- Take the crisis into account when handling public complaints, possibly by giving longer than usual to respond or to rectify any breaches.
- Look to develop regulatory measures to use at the end of the crisis to support economic growth, for example, sandboxes, codes of conduct and advice services.
The ICO will act in accordance with its Regulatory Action Policy which has built in flexibility. In particular:
- Organisations should continue to report personal data breaches without undue delay and within 72 hours of becoming aware, but the ICO acknowledges response times may be impacted by the crisis and will take a proportionate approach.
- There may be less use of formal powers and investigations and attention will focus on serious non-compliance.
- The ICO will take a strong regulatory approach against any organisation breaching data protection laws to take advantage of the current crisis.
- The impact of the crisis in particular cases will be taken into account when deciding whether to take formal regulatory action. Economic factors will be taken into account when issuing fines, which means the fines may be lower at this time.
- Audit work is being stood down and all formal regulatory action in connection with outstanding information request backlogs will be suspended.
- The ICO will recognise that lack of resources may impact an organisation's ability to respond to a subject access request where other work has to be prioritised due to the current crisis.
Freedom of Information Act and Environmental Information Regulations
Again, the ICO recognises that depleted resources could impact the ability to comply with freedom of information law and to respond to FOI requests, but organisations are expected to record decision making for evidential purposes. The ICO:
- Will continue to accept new information access complaints but will take a pragmatic approach to resolving them.
- Understands there may be extreme circumstances when public authorities have no option but to temporarily reduce or suspend elements of their information access function.
- Encourages public authorities to proactively publish information they know will be of importance to their communities.
- Continues to emphasise the importance of proper record keeping during a period of time which will be subject to future public scrutiny.