ICO outlines priorities and regulatory approach during the coronavirus public health emergency
How has the ICO reshaped its priorities for regulating UK data protection during COVID-19?
The key takeawayOn 5 May 2020 the ICO published its adjusted priorities during COVID-19 having concluded that its areas of focus should be limited to those where they can have the greatest impact to support innovation and economic growth, while protecting individuals’ interests.
The background
On 15 April 2020 the ICO set out its regulatory approach during the coronavirus public health emergency. The ICO explained that it will concentrate on the most significant challenges and greatest threats to the public and will act decisively against those attempting to exploit this unprecedented public health emergency through nuisance calls or by misusing information.
The ICO explained that the law gives them flexibility around how they carry out their regulatory role, which allows them to take “into account the impact of the potential economic or resource burden their actions could place on organisations”.
While data protection rules remain unchanged, allowances will be made for the individual challenges faced by organisations. For example, while the document notes that organisations should continue to report personal data breaches to the ICO and that this should still be within 72 hours of becoming aware of the breach, the ICO acknowledges that the current crises may impact this. It will therefore “assess these reports, taking appropriately empathic and proportionate approach”.
The guidance
On 5 May 2020 the ICO set out its adjusted priorities, these are as follows:
- Protecting vulnerable citizens: the ICO is taking action against those seeking to use or obtain personal data inappropriately during the coronavirus public health emergency, so that the public feel confident that they have protection at a time when they may be especially vulnerable to financial or other loss.
- Supporting economic growth and digitalisation, including for small businesses: the ICO continues to provide access to clear information, support and practical tools for businesses to enable them to grow and offer services safely when sharing personal data.
- Shaping proportionate surveillance: the ICO is maintaining a high level of awareness and insight of the medium-term privacy and information rights impact of COVID-19, which include contact tracing testing.
- Enabling good practice in AI: the ICO are shaping the ongoing development and use of AI in response to COVID-19, to ensure privacy considerations are engineered into the use of AI across the digital economy.
- Enabling transparency: the ICO is supporting organisations to be transparent about decisions that affect citizens, including how personal data is used, in order to improve public confidence.
- Maintaining business continuity: the ICO is managing its own response and recovery so that its resources and people are in place to deliver throughout the pandemic period and the future.
In these unprecedented times, the ICO has shown its willingness to supporting organisations through the coronavirus public health emergency and beyond. The ICO has acknowledged its role in supporting frontline organisations that provide vital services and explained that it will fast track advice, guidance or tools that public authorities and businesses say would help them deal with, or recover from, the crisis.
Any practical tips?
Do not take your eye off the importance of data protection compliance! The ICO has made it clear that you cannot use the public health emergency as any excuse for non-compliance.
The ICO recognises that the reduction in organisations’ resources could impact its ability to comply with certain aspects of UK data protection law, but it expects appropriate measures to be taken.
Organisations should ensure that they record all decision-making steps, so that this information is readily available if requested by the ICO.