The Information Commissioner’s Office (ICO) has made a number of temporary tweaks to its regulatory approach during the ongoing Covid-19 coronavirus pandemic, putting the emphasis on pragmatism and empathy, but said it will not shy away from protecting the information rights of UK citizens.
In a newly published document, the ICO acknowledged its responsibility to account for the exceptional circumstances thrown up by the crisis and said the law empowered it to take a flexible approach to data protection enforcement.
“Regulators apply their authority within the larger social and economic situation,” said information commissioner Elizabeth Denham. “We see the organisations facing staff and capacity shortages, we see the public bodies facing severe front-line pressures, and we see the many businesses facing acute financial pressures. Against this backdrop, it is right that we must adjust our regulatory approach.
“Our UK data protection law is not an obstacle to such flexibility. It explicitly sets out the importance of my office taking regard of the general public interest and allows for people’s health and safety to be prioritised without the need for legislative amendment.
“A principle underpinning data protection law is that the processing of personal data should be designed to serve mankind. Right now, that means the regulator reflecting these exceptional times and showing the flexibility that the law allows.
“We must reflect these exceptional times. We will continue to recognise the continuing importance of privacy protections, and the value of transparency provided by freedom of information. These rights are a part of modern life we must not lose. But my office will continue to safeguard information rights in an empathetic and pragmatic way that reflects the impact of coronavirus,” she said.
In practice, this means that organisations that suffer personal data breaches should still report them to the ICO within the 72 hours of becoming aware of them stipulated in law, but the ICO acknowledges that the current crisis may affect this timescale and will assess late reports more pragmatically.
Going forward, its investigations will be conducted on the understanding that the emergency presents organisations with new challenges. This may mean it makes less use of its formal powers to compel organisations to provide evidence and respond within set timescales, and gives them longer to respond.
It expects to conduct fewer investigations for the foreseeable future, with its attention focused on “serious non-compliance”. It will nevertheless try to take a stronger regulatory approach against anybody breaching data protection laws to take advantage of the crisis.
It has also stood down its audit work, recognising the coronavirus’s economic impact on organisations, as well as travel and contact restrictions, and may not take action against organisations that fail to pay or renew their data protection fee if they can prove this is down to reasons linked to the coronavirus.
In terms of formal action, any actions in connection with outstanding information request backlogs have been suspended for now. In deciding whether or not to take formal action in future, the ICO will account for whether the problem arises directly from the crisis and whether the organisation has plans in place to put things right when some semblance of normal life resumes. Organisations may get longer to rectify breaches that predate the emergency, and if the ICO issues any fines, it will try to account for economic impact and affordability considering the crisis.
The ICO said it would also now look to develop further regulatory measures that can be put in place at the end of the crisis to try to support economic growth and recovery. This could include new data protection advice services, sandboxes, codes and international transfer mechanisms to test flexibility in safe data use.
“It is important that we regulate for the time we are in now, but it is important too that we look to the future. Data protection can play a central role in promoting economic growth when we come out of this pandemic: encouraging public trust in innovation,” said Denham.
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, who also holds qualifications in legal studies, criminal justice and cyber crime investigation, said that transitioning to a flexible approach made sense by enabling organisations to focus on the practical implementation of data protection.
“On the other hand, the message is crystal-clear, no negligence or willful misconduct will be tolerated even amid the spiralling pandemic,” he said.
“Many security and data protection technologies successfully deployed in corporate offices are simply immovable to home devices for a variety of technical reasons. Moreover, usage of some of them may be unlawful on private mobile phones, for example, given that they may unduly intrude into personal privacy and private lives far beyond the extent reasonably requisite to ensure the protection of corporate data and intellectual property.
“Therefore, it would be disproportionately harsh and counterproductive to expect organisations to blindly follow the very same security processes for WFH [work from home] teams as they did in the office environment.
“Such requirements as data breach notifications are reportedly not, and shall not be, altered by this unprecedented crisis. Though most of the requirements relate to the notification period after the breach is detected, and under the circumstances, some breaches may take longer to get spotted.
“What I grasp in the ICO message is, however, a well-balanced approach that will fairly consider the integrity of circumstances for any formal or material violations of applicable law and regulations,” said Kolochenko.
The ICO’s full revised policy can be downloaded from its website.