On 5 May 2020, the Information Commissioner’s Office (ICO) published a blog post setting out the Information Commissioner’s new priorities for UK data protection during COVID-19 and beyond. This follows on from the document published on 15 April 2020, in which the ICO promised an “empathetic” approach to its enforcement of data protection laws during the coronavirus outbreak, prioritizing areas likely to cause the greatest public harm and directing its services towards providing guidance for organizations about how to comply with the law during the crisis.
Same policy, different focus
The document published on 15 April 2020 set out the ICO’s Regulatory approach during the coronavirus public health emergency. In this document, the UK data protection regulator notes that it will concentrate on the most significant challenges and greatest threats to the public and will act decisively against those attempting to exploit this unprecedented public health emergency through nuisance calls or by misusing personal information. It resolves otherwise to maintain a flexible approach, “taking into account the impact of the potential economic or resource burden our actions could place on organisations”. The ICO notes that it will accelerate advice and guidance to help public authorities and businesses cope with the crisis and will delay any specific guidance that will likely create burdens that distract staff from frontline duties, except where such guidance is needed to tackle high risks to the public.
The ICO acknowledges that many organizations are facing shortfalls in both operating capacity and staff, as well as acute financial pressures. Front-line services, especially in the health, local and central government, law enforcement, and charity sectors, are also operating under severe pressures. The ICO stresses that it will take, and the law allows it to take, these circumstances into account, including when exercising its enforcement powers and delivering technical advice and guidance. The flexibility afforded to the ICO in how it performs its regulatory role allows it to adapt to the highly unusual challenges that the UK is currently experiencing. For example, data protection legislation contains checks and balances to ensure that personal information can flow and be used effectively for health care. It also allows for a recognition of the public interest, such as in the use of apps, research projects and digital tools that rely on large personal data sets, within proportionate and appropriate safeguards for data subjects’ personal data.
In keeping with its Regulatory Action Policy, the ICO observes that it will “continue to act proportionately, balancing the benefit to the public of taking regulatory action against the potential detrimental effect of doing so, taking into account the particular challenges being faced at this time”. What this means in real terms is that, while current data protection rules remain unchanged, allowances will be made for the individual challenges faced by organizations. For example, the document notes that organizations should continue to report personal data breaches to the ICO without undue delay. While this should still be within 72 hours of becoming aware of a breach, the ICO acknowledges that the current crisis may impact this. It will, therefore, “assess these reports, taking an appropriately empathetic and proportionate approach”. Also, when conducting investigations, the ICO will consider the particular impact of the pandemic on an organization, which will likely mean less use of its formal powers to ask organizations to provide it with evidence and allowing more time to respond.
There are likely to be fewer investigations, generally, with the ICO concentrating “on those circumstances which suggest serious non-compliance”. Recognizing the economic impact on organizations and the travel and contact restrictions now in force, the ICO has temporarily discontinued its audit work. It is also suspending all formal regulatory action in connection with outstanding information request backlogs. It also accepts that the diminution in organizations’ resources could affect their ability to respond to subject access requests, something it will take into account when deciding whether to take formal enforcement action.
Likewise, when deciding whether to take formal regulatory action, including issuing fines, the ICO says it will “take into account whether the organisation’s difficulties result from the crisis, and if it has plans to put things right at the end of the crisis”. Organizations may therefore be given longer than usual to remedy breaches that preceded the pandemic, if the crisis affects the organization’s ability to take corrective action. Before issuing fines the ICO will consider the economic impact and affordability which, in current circumstances, it says is likely to mean the level of fine will be reduced.
The ICO may not enforce payment of the data protection fee against organizations that can show that failure to pay or renew is “specifically due to economic reasons linked to the present situation, and provided we are adequately assured as to the timescale within which payment will be made”.
Finally, the ICO says it will continue to accept new freedom of information (FOI) access complaints but, again, it accepts that reduced resources caused by the crisis could affect organizations’ ability to answer access requests or tackle backlogs. The ICO also accepts that there may be extreme circumstances where public authorities have no choice but to temporarily reduce or suspend parts of their information access function. It nevertheless still expects appropriate measures to be taken to record decision-making, so that information is available once the pandemic is over.
The ICO’s blog of 5 May 2020 sets out how the ICO has redrawn its priorities for the months ahead, having assessed how its areas of focus should be limited to those where the ICO can have the greatest impact to support innovation and economic growth while protecting individuals’ interests. Areas of focus include:
- protecting the public interest, with the ICO planning to concentrate on the information rights issues most likely to result in distress or harm to the greatest numbers of individuals and businesses;
- enabling responsible data sharing (including responding to the risks of failure to share); and
- monitoring intrusive and disruptive technology.
The ICO’s priorities include protection of vulnerable citizens, including taking action against anyone seeking to obtain or use personal data inappropriately or unlawfully during the pandemic, when organizations and individuals may be particularly at risk from financial and other losses. By providing access to clear information and practical guidance for small organizations, the ICO is also seeking to support digitalization and economic growth.
Regarding artificial intelligence (AI), the ICO is focused on ensuring good practice in respect of its development and use in response to COVID-19 to make sure that privacy considerations are taken into account in the use of AI in all sectors of the digital economy (from consumer products to surveillance applications). The ICO is also making proportionate surveillance a priority, noting that “We are maintaining a high level of awareness and insight of the medium term privacy and information rights impact of COVID-19, which include contact tracing, testing and other emerging surveillance issues.”
Helping organizations to be transparent regarding how personal data is used in ways that can affect individuals is also a priority for the ICO, as is maintaining business continuity of the ICO itself through the development of different ways of working for use both during and after the crisis. This means that some ICO initiatives have been put on hold, but the ICO will maintain its statutory functions, including investigating data breach reports and addressing complaints.
These are unprecedented times for the ICO, and it must adjust its priorities. A concern for the regulator, however, must be that data protection compliance, having been a priority for organizations with the advent of the GDPR, will take a back seat as businesses’ more limited resources are directed to commercial survival. Organizations should, however, be wary of de-prioritizing data protection completely. The ICO makes clear that, while it will narrow its regulatory focus to some extent and also make allowances for the impact of the crisis on organizations’ ability to comply with data protection rules, such as timescales for compliance, such “impact” must be a genuine cause for any delay. It is likely to take a dim view of any organization using the crisis as an excuse for non-compliance that is not directly related to difficulties resulting from the crisis or where remedial measures have not been identified. While the ICO says it will take a “strong regulatory approach against any organisation breaching data protection laws to take advantage of the current crisis”, it is also likely to take strong action, in due course, against organizations that use the crisis to take advantage of data protection laws.