The Information Commissioner’s Office has said it will be empathetic and flexible in its regulatory approach and will focus on the most serious threats to the public during the coronavirus crisis.
In a statement issued yesterday, the ICO said it would take into account the impact of the pandemic on an organisation when deciding whether to investigate or issue fines in relation to data protection concerns.
The ICO’s statement acknowledged that the coronavirus public health emergency meant organisations were facing staff and operating capacity shortages as well as financial pressures, and that charities were among those dealing with “severe front-line pressures”.
The statement said the reduction in organisations’ resources “could impact their ability to comply with aspects of the law” and the ICO was “committed to an empathetic and pragmatic approach”.
The statement said: “We will be flexible in our approach, taking into account the impact of the potential economic or resource burden our actions could place on organisations."
Organisations should continue to report personal data breaches to the ICO within 72 hours of becoming aware of the issue, the statement said, but it acknowledged that the crisis might hinder this.
The ICO’s response would take into account how the crisis had affected the organisation, the statement said, which in practice might mean less use of formal powers, organisations being given longer to respond to ICO requests and rectify data breaches, and lower fines being issued.
“We also expect to conduct fewer investigations, focusing our attention on those circumstances which suggest serious non-compliance,” the statement said.
But it warned that the ICO would take “firm action” against anyone who exploited the public health emergency through nuisance calls or misusing personal information.
Elizabeth Denham, the Information Commissioner, said: “Regulators apply their authority within the larger social and economic situation.
“We see the organisations facing staff and capacity shortages. We see the public bodies facing severe front-line pressures. And we see the many businesses facing acute financial pressures.
“Against this backdrop, it is right that we must adjust our regulatory approach.
“Our UK data-protection law is not an obstacle to such flexibility. It explicitly sets out the importance of my office taking regard of the general public interest, and allows for people’s health and safety to be prioritised without the need for legislative amendment.”
She said the regulator’s behaviour must reflect the “exceptional times” it was operating in.
“My office will continue to safeguard information rights in an empathetic and pragmatic way that reflects the impact of coronavirus,” she said.