COVID-19: ICO publishes details of its regulatory approach during COVID-19 (UK)

The ICO has published details of its regulatory approach during the ongoing COVID-19 emergency; this is an approach which should reassure entities who are adapting to the economic and practical realities of operating in the current climate, as well as balancing their data protection obligations.  The UK regulator has continued to be reasonable and pragmatic, as outlined in our previous post in relation to response times to DSARs, and has stated that they are “committed to an empathetic…approach”.  Overall, the key takeaways from this guidance are that:

• the ICO may give organisations longer to respond to requests or remediate any breaches;
• data breaches should still be notified to the ICO within 72 hours of becoming aware of the breach, but that the ICO acknowledges that the current situation may have an impact on organisations being able to meet this timeframe;
• the ICO will focus its formal investigations on those circumstances which suggest “serious non-compliance”; and
• all formal regulatory action in connection with information request backlogs will be suspended.

The approach with respect to data protection outlined by the ICO falls into two categories:

Engagement with the public and organisations

The ICO has reaffirmed its position as a regulator who wants to support organisations during this time and will engage with the public and organisations in a number of ways, including:

1. Fast tracking guidance or advice that public authorities and business tell the ICO would help them react to or recover from the effects of COVID-19;
2. Considering the economic and resource impact of any new guidance – and importantly, delaying the publication of any guidance that could “impose a burden that diverts staff from frontline duties”;
3. Continuing to engage with the pubic and managing their expectations around exercising their information rights at this time; and
4. Considering the impact of COVID-19 when handling complaints. Interestingly, the ICO has expressly stated that it may resolve complaints without contacting the organisation in question if the organisation is focusing its resources on reacting to COVID-19, or by giving the relevant organisation longer to respond to the ICO or rectify any breaches.

Regulatory Action

In addition to the Regulatory Action Policy, which the ICO has previously published, the ICO has supplemented its guidance on how it will use its enforcement powers during this time.  Overall, the regulator has stated that it will act proportionately and will consider the “particular challenges being faced at this time”.

1. Importantly, the ICO has reiterated that personal data breaches should still be notified to the ICO without undue delay and in any event with 72 hours of becoming aware of the breach. However, the ICO does acknowledge that the current situation may “impact” this, and that the ICO will “take an appropriately empathetic and proportionate approach” in response to delays.
2. In relation to investigations, the ICO has noted that during this time they may use their “formal” investigatory powers less frequently, and will focus on those circumstances which suggest “serious non-compliance”.
3. In addition, the ICO notes that when deciding whether to take formal action, including any fines, it will take into account whether an organisation intends to remediate any breaches after the crisis, and when requiring any remediation, the ICO is likely to give organisations longer to take appropriate action. This new guidance also re-iterates the position in the Regulatory Action Policy which states that “before issuing fines we take into account the economic impact and affordability”, and so organisations whose economic position has been affected by the crisis are likely to take comfort from this position. As a side note, it will be interesting to see how and if this new approach affects the already delayed final enforcement notice with respect to the BA data breach. As noted in our previous post on the BA ICO fine, the ICO previously announced its intention to fine BA £183.39 million in connection with its 2018 data breach. The final enforcement notice and confirmation of the final fine has been delayed until 18 May 2020 and, given the current and unprecedented challenges faced by the aviation industry as a whole, including BA, we wonder whether the economic impact of any fines fine levied will be taken into consideration by the ICO.
4. Finally, and perhaps the most helpful step for organisations in the short term, the ICO has advised that all formal regulatory action in connection with “outstanding information request backlogs will be suspended”. Given the re-allocation of resources within many organisations, we expect that this suspension will be well received by organisations who are currently trying to comply with information requests.