On April 15, 2020, the Information Commissioner's Office (ICO), the U.K.'s data protection authority, issued further guidance on its regulatory approach during the global COVID-19 pandemic. Following its March note that we reported on, the ICO has confirmed that its approach "has always been to be a pragmatic and proportionate regulator," adding that in the current public health emergency it will continue to safeguard information rights in an "empathetic" way.
The ICO's efforts during the pandemic will be focused on the most serious challenges and greatest threats to the public. The updated guidance states that the regulator will take firm action against those seeking to exploit the pandemic through misusing personal information or nuisance calls. In addition, the ICO will assist frontline organizations in providing advice and guidance on data protection laws. In recognition of the potential economic and resource burdens that any regulatory actions may impose, the ICO has reaffirmed that it will be flexible in its approach and that such flexibility may continue to be necessary in certain areas "for many months to come". We highlight below the three key aspects of the ICO's guidance.
Engagement with the Public and Organizations
The ICO acknowledged its role in supporting organizations in these "exceptional times", in particular those on the frontline providing health care and other vital services. The ICO will take into account the impact of the crisis when handling any complaints about organizations. This may entail resolving complaints without contacting the relevant company in order to enable it, where applicable, to focus its resources on the response to COVID-19. The ICO may also give a business more time than usual to respond or rectify any breaches if it is gradually restoring its services and improving the timescales.
Unless needed to address a high risk to the public, the publication of any specific guidance, whose implementation might divert staff from the frontline, will be delayed. The ICO will fast-track advice that may assist in dealing with or recovering from the pandemic. In the interim, the ICO will continue to develop further regulatory measures for use at the end of the crisis to support economic recovery, including advice services, sandboxes, codes and international data transfer mechanisms.
In these particular and unprecedented circumstances, the ICO has confirmed that it will act proportionately, balancing the benefit to the public of taking regulatory actions against the potential detrimental consequences of doing so. The ICO's expectations for organizations during the pandemic are as follows:
- Appropriately empathetic approach to reporting data breaches: To the extent possible, organizations should continue to report personal data breaches without undue delay and, in any event, within 72 hours of becoming aware of the breach. The ICO does, however, acknowledge that the crisis may have an impact on an organization's reporting ability and will adopt a proportionate and empathetic approach in this regard.
- Fewer investigations expected: The ICO expects to conduct fewer investigations and focus attention on cases concerning serious noncompliance. For example, organizations found to be breaching data protection laws to exploit the crisis will face stringent regulatory action.
- Suspending ICO's audit and other work: The ICO's audit work as well as all formal regulatory action pertaining to outstanding information request backlogs have been suspended during the pandemic.
- Extending timeframes for compliance: The ICO may give organizations longer than ordinary to rectify breaches, including those pre-dating the crisis, where the pandemic is inhibiting the ability to resolve any issues. Further, it may not enforce against organizations that fail to pay or renew their data protection fee if they can evidence that this is due to economic difficulties associated with COVID-19 and can sufficiently reassure the ICO as to an expected timeframe by which payments may be made.
- Pragmatic approach to fines: Prior to issuing fines, the ICO will take into consideration the economic impact which COVID-19 is having upon the organization. Significantly, the ICO has noted that the level of fines will likely reduce.
- Subject Access Requests: In considering whether to impose any formal enforcement action in relation to failure or delay to respond to Subject Access Requests, the ICO recognizes that organizations may have reduced resources and hence may have to prioritize other work due to COVID-19.
Freedom of Information Act and Environmental Information Regulations
The final part of the ICO's guidance relates to public authorities in the context of the public's right to request information from them. The ICO has acknowledged that the crisis has required quick decision making and innovative uses of data, including geolocation and geospatial information. Public interest in understanding how and why decisions were taken and how information was used in that respect has been on the rise. In a similar vein as the statements concerning its overall regulatory approach during the pandemic, the ICO has explained that it will recognize the impact of COVID-19 on the ability of public bodies to comply with "freedom of information" requests and related obligations.
The ICO, as well as other European data protection regulators, may issue further updates concerning their approach and expectations during the global pandemic. We will continue to monitor these developments. Please consider Akin Gump's online COVID-19 Resource Center in relation to issues relevant to data protection. Please get in touch with a member of the Akin Gump team if you would like more information on how your organization can ensure that it meets its data compliance obligations during the pandemic.