UK ICO Sets Out Approach To Data Protection Enforcement During Covid-19 Coronavirus Emergency

David Smith

The ICO’s recently published regulatory approach during the Covid-19 coronavirus public health emergency may not contain any great surprises but should nevertheless bring some welcome relief to businesses. In this time of so much uncertainty anything that limits that uncertainty, even if only in relation to the risks of data protection enforcement, must be a help. The ICO has always prided itself on taking a proportionate and measured approach to enforcing the law so when Elizabeth Denham says that, “…my office will continue to safeguard information rights in an empathetic and pragmatic way that reflects the impact of coronavirus” it may be no more than we would expect from her. Nevertheless, the fact that the UK’s Information Commissioner has taken a leading position amongst the world’s data protection authorities in acknowledging, so clearly and publicly, that, at least as far as data privacy is concerned, it cannot simply be business as usual during the coronavirus crisis is a comforting recognition of the reality that both businesses and data protection regulators are facing.

Although much of the ICO’s published approach simply develops Elizabeth Denham’s high level commitment and confirms that it will continue to operate as a risk based regulator focusing its efforts, “on the most serious challenges and greatest threats to the public”, there are some specific points relating to enforcement that are worthy of note.

  • The ICO expects to conduct fewer investigations during the emergency, focussing its attention on those circumstances which suggest serious non-compliance. Where it does conduct investigations the ICO will take account of the particular impact of the crisis on the organisation concerned and may adjust its approach to evidence gathering accordingly.
  •  In deciding whether to take  enforcement action the ICO will take into account whether the organisation’s difficulties result from the crisis, and if it has plans to put things right at the end of the crisis.
  •  Organisations may be given longer than usual to rectify any breaches that predate the crisis, where the crisis impacts the organisation’s ability to take steps to put things right.
  •  Before issuing fines the ICO will take into account the economic impact and affordability. In current circumstances this is likely to mean the level of fines reduces.
  •  A strong regulatory approach will be taken against any organisation breaching data protection laws to take advantage of the crisis, particularly through nuisance calls or by misusing personal information.
  •  When considering whether to impose any enforcement action in relation to subject access requests the ICO recognises that the reduction in an organisation’s resources could impact its ability to respond to such requests where it needs to prioritise other work due to the crisis.

Perhaps the ICO could have gone further in providing reassurance to businesses but there are limits. The ICO has no scope to change or even suspend the law which, in these days of the GDPR, can be quite prescriptive about the obligations that it places on businesses and regulators in a whole range of areas. All that the ICO can do is to exercise discretion over how far it enforces the requirements of the law. Even then the ICO will be wary about making commitments that tie its hands in how it deals with individual cases. The ICO has to leave itself free to take into account all the circumstances of a case before taking any decision on enforcement. If it goes too far in setting out in advance just when it will or will not take action it risks “fettering its discretion” in relation to individual cases and, as a public body, could leave itself open to legal challenge.

This is illustrated by the reference in the published approach to breach reporting requirements.  Perhaps an obvious reaction to the Covid-19 coronavirus emergency would have been to relax the 72 hour time limit on reporting any personal data breaches to the ICO. After all, it must be more important that organisations with limited resources concentrate those resources  on ensuring that any security breaches are effectively contained rather than on ensuring that they are reported promptly. The ICO will, in any case, be facing constraints of its own as a result of the crisis meaning that even if breaches are reported to it straight away it is likely to be slower than usual to react. However, the 72 hour time limit for breach reporting is enshrined in the GDPR hence the ICO’s inability to go much further than saying, “Organisations should continue to report personal data breaches, without undue delay. This should be within 72 hours of the organisation becoming aware of the breach, though we acknowledge that the current crisis may impact on this. We will assess these reports, taking an appropriately empathetic and proportionate approach.” Some reading between the lines is needed to conclude that, put simply, the ICO is saying that those organisations that can reasonably justify failing to meet the 72 hour reporting deadline as a result of the current emergency are most unlikely to face any sanctions as a consequence.

What Does This Mean for Businesses?

Essentially the ICO is saying that businesses should continue to take a risk based approach to data protection compliance and that, for its own part, it will continue to take a risk based approach to enforcement. Some of those risks though may change as a result of the coronavirus emergency as will the ability of businesses to address them. Therefore, the expectations that the ICO has of businesses are changing also. This means that businesses would be well advised to reassess their data protection risks in the light of threats posed by the crisis. They should also reassess their ability to address those risks and their priorities for doing so in the light of staff and operating capacity shortages, pressures to redeploy their resources to meet other more pressing demands and the financial constraints they will almost certainly be facing.

Even more so than usual, the ICO is stressing that those risks that should have the highest priority, and therefore the biggest claim on scarce resources, are those that pose the greatest threats to the privacy of the public. As suggested above, this means that, for example in the context of a data breach, containing that breach and preventing any reoccurrence should have a higher priority than notifying the breach to the regulator or even to affected individuals. However, even though the ICO may well be sympathetic to some compliance shortcomings, particularly those that are more procedural in nature, it is much likely to be less sympathetic to any businesses that ignore the basics of data protection and thereby put the privacy of individuals significantly at risk. As the ICO’s record on imposing monetary penalties indicates, even during the coronavirus emergency, it is, for example, unlikely to give much leeway to any businesses that, without some very strong justification, fail to put basic security measures in place to properly protect personal data or fail to keep those security measures up to date.

As always, accountability will be a key consideration. Not only do businesses need to ensure that they don’t lose sight of basic data protection requirements, they also need to ensure that their decision making around risks and priorities remains considered and rational and does not become driven by frustration or panic. Whilst the factors that feed into such decision making may change, the basic approach need not. Businesses still need to be in a position to explain, whether to the ICO, to customers or to other concerned data subjects, the decisions that they have taken and why they have taken them. Record keeping clearly has a role to play here not least so that any loose pieces can be picked up afterwards. The addressing  of compliance risks may be deferred as a result of the Covid-19 coronavirus emergency but such risks should not be lost sight of and will need to be picked up eventually. The ICO cannot be expected to continue its empathetic approach indefinitely. Sometimes, as a safeguard when taking compliance decisions in the face of the crisis, it might just be worth pausing to ask, “How will all this look in 6 or 12 months’ time when the dust has settled?” Will it still look as though you took the right decisions at the right time or might you be found wanting whether by the ICO, by your customers or by the wider court of public opinion?