The UK Information Commissioner’s Office (ICO) has published a document called: The ICO’s regulatory approach during the coronavirus public health emergency, in order to provide renewed guidance on data security and reassure the public that the exceptional circumstances generated by the Coronavirus are being taken into account. But what do these changes really mean?
Describing itself as a ‘pragmatic and proportionate regulator’ the paper explains how the independent body is reassessing its priorities to retain balance during the pandemic and prioritize areas likely to cause the greatest public harm; focusing on data protection and freedom of information laws.Emphasizing the exceptional nature of current times, the ICO relaxed its practices stating that it will employ increased flexibility whilst continuing to recognize the importance of privacy protections and the value of transparency provided by freedom of information. The Information Commissioner’s Office pledged its commitment to safeguarding the information rights of citizens with a renewed emphasis on empathy and pragmatism in line with the unprecedented circumstances generated by the COVID-19 pandemic.
This revised guidance acknowledges that the current crisis will impact individuals and organisations considerably so the ICO is pledging to take a more flexible approach. But what does this mean in practice?
Whilst dealing with reports of personal data breaches for example, the body will be more sympathetic to reports submitted after the 72-hour window previously stipulated by law. Investigations will be conducted on the understanding that the COVID-19 emergency presents organisations with new challenges, which may mean that the ICO uses its formal powers which allow it to order organisations to provide evidence and respond in a timely fashion, less often; instead giving enterprises longer to respond.
Throughout this emergency regulatory relaxation, the ICO expects to conduct fewer investigations, instead focusing its attention on “serious non-compliance” whilst nevertheless taking a stronger regulatory approach against those taking advantage of the crisis and seriously breaching data protection laws.
Just as the government is revising legal guidelines in order to protect citizens during the pandemic, the ICO is re-evaluating its enforcement powers, advice and role, recognizing that personnel and financial resources may be diverted away from usual compliance or governance, it will not penalize organisations which fail to totally comply due to the unforeseen circumstances generated the COVID-19 pandemic.
The ICO stated that it will keep this guidance under review and issue further updates as appropriate.