ICO softens stance on GDPR enforcement due to coronavirus crisis

The UK’s data regulator says it will relax its regulatory approach to enforcement during the coronavirus crisis, in line with its commitment to being “pragmatic” and “proportionate”. 

The ICO will take into account the strain on frontline services including government and health services, and organisations facing staff shortages and financial pressures when applying data protection laws. It states in a newly published document that the law allows the body to be flexible in how it carries out its regulatory role. 

“We see the organisations facing staff and capacity shortages,” said Elizabeth Denham, information commissioner in a statement. “We see the public bodies facing severe front-line pressures. And we see the many businesses facing acute financial pressures.

“Against this backdrop, it is right that we must adjust our regulatory approach.”

This flexibility allows the regulator to “recognise and engage with the unique challenges the country is facing,” the document reads. “For example, data protection laws contain checks and balances to ensure that personal information can flow and be effectively utilised for healthcare.” 

This part of the document seems to echo health secretary Matt Hancock’s statement about GDPR on Twitter, where he wrote “GDPR does not inhibit use of data for coronavirus response. GDPR has a clause excepting work in the overwhelming public interest. No one should constrain work on responding to coronavirus due to data protection laws.”

He added: “We are all having to give up some of our liberties; rights under GDPR have always been balanced against other public interests.”

The document from the ICO also makes reference to the use of UK citizens’ personal data in the response to the coronavirus crisis, saying “there are appropriate and proportionate safeguards for individual’s personal information that also allow for a recognition of the public interest, for instance in the use of apps, research projects and digital tools that rely on large personal data sets”. 

It didn’t mention any particular instances where personal information might be used in this way, but Hancock has already gifted NHS bodies the ability to share confidential patient data with whichever organisations they wish to, as long as it’s in the fight against coronavirus. 

With regards to dealing with public complaints about data misuse, the ICO said that it will “continue to recognise the rights and protections granted to people by the law, both around their personal information and their right to freedom of information”, but that it will focus its efforts on the “most serious challenges and greatest threats to the public”. 

It said “we will be flexible in our approach, taking into account the impact of the potential economic or resource burden our actions could place on organisations”. This might mean that individuals with an issue be “advised to wait longer than usual and ‘bear with’ organisations”.

The body says it “expect[s] to conduct fewer investigations, focussing our attention on those circumstances which suggest serious non-compliance”. However, it will “take a strong regulatory approach against any organisation breaching data protection laws to take advantage of the current crisis”.

“As set out in the Regulatory Action Policy, before issuing fines we take into account the economic impact and affordability. In current circumstances, this is likely to mean the level of fines reduces.”

With regards the Freedom of Information Act and Environmental Information Regulation, the regulator said, “We will take an empathetic and pragmatic approach to our role regulating access to information regulation, recognising the importance of transparency, especially where people have seen their civil liberties impacted.

“We recognise that the reduction in organisations’ resources could impact their ability to comply with aspects of freedom of information law, such as how quickly FOI requests are handled, but we expect appropriate measures to still be taken to record decision making, so that information is available at the conclusion of the emergency.”

“We must reflect these exceptional times,” said Denham. “We will continue to recognise the continuing importance of privacy protections, and the value of transparency provided by freedom of information. These rights are a part of modern life we must not lose. But my office will continue to safeguard information rights in an empathetic and pragmatic way that reflects the impact of coronavirus.”

Source link

Leave a comment