The Information Commissioner’s Office (ICO) issued a statement last week announcing changes to their approach in light of current events. Recognising the impact Covid-19 has had on organisations, the ICO said it will be pragmatic and empathetic, focusing instead on only the greatest threats.
Legislation allows the ICO flexibility to adjust its approach, acknowledging a responsibility to react to current circumstances. Information rights continues to be an important issue in which the ICO plays a vital role.
“Our UK data protection law is not an obstacle to such flexibility”, said Information Commissioner Elizabeth Denham. “A principle underpinning data protection law is that the processing of personal data should be designed to serve mankind. Right now, that means the regulator reflecting these exceptional times, and showing the flexibility that the law allows.”
Their statement recognises that coronavirus means many organisations face staff shortages and reduced operating capacity. The ICO will continue to acknowledge the importance of protecting personal data, but will to do in a way that takes in account the effects of coronavirus.
In practice, this means the ICO is likely to exercise their formal powers less often, for example in relation to timescales for responding to requests and rectifying breaches. It may also mean lower fines are imposed where a breach has occurred.
“When we conduct investigations, we will act knowing there is a public health emergency and seek to understand the individual challenges faced by organisations. We also expect to conduct fewer investigations, focusing our attention on those circumstances which suggest serious non-compliance.”
Organisations should continue to report any data breaches. The statement makes clear that anyone taking advantage of the pandemic and breaching data protection laws will be met with a strong regulatory approach.
The statement concludes by saying that they will keep this guidance under review and issue appropriate updates.