The Information Commissioner's Office (ICO), responsible for regulating data protection, freedom of information and ePrivacy law in the UK, has issued a policy statement on its regulatory approach during the COVID-19 public health emergency. Its contents (and, indeed, its general thrust) are well worth noting.
The ICO notes that "these are exceptional times in the nation’s history", and that the ICO itself "must act in a manner which takes into account these circumstances". Some of the ways in which this will manifest itself are:
- taking firm action against those looking to exploit the public health emergency through nuisance calls or by misusing personal information
- being flexible in their approach, taking into account the impact of the potential economic or resource burden their actions could place on organisations
- delaying any specific guidance that could impose a burden that diverts staff from frontline duties, except where it is needed to address a high risk to the public
- providing practical support to the public as to how to understand and exercise their information rights during this crisis (which could mean that individuals are advised to wait longer than usual for resolution of requests and to ‘bear with’ organisations)
- not taking immediate action against organisations who fail to pay or renew their data protection fee, if they can evidence that this is specifically due to economic reasons linked to the present situation.
All of this indicates that those organisations who are doing their best to comply with the law, against the backdrop of the pandemic, are unlikely to be subject to harsh enforcement from the ICO, but those who wilfully fail to comply are running a high risk.
The ICO also suggests that before issuing fines they will take into account the economic impact and affordability, and that in the current circumstances this is likely to mean the level of fines reduces. As we observed recently, this may be highly relevant to how the long-running issue regarding proposed fines against British Airways and Marriott Inc plays out.
Of particular note also is the suggestion of what the ICO's "exit strategy" approach might be:
"We will look to develop further regulatory measures that are ready to use at the end of the crisis. These would support economic growth and recovery including advice services, sandboxes, codes and international transfer mechanisms to test flexibility in safe data use."
It is very interesting to consider how this might relate to the need for economic recovery under a nationwide exit strategy, but also to the likely post-Brexit landscape (given that, in particular, international transfers of personal data may require a different focus once the UK is fully outside the EU).