Since the outbreak of the COVID-19 crisis, the UK Information Commissioner’s Office (ICO) has issued a range of guidance, both to assist organisations in relation to how they can use individuals’ personal data during the pandemic and also to assist individuals in respect of how their personal data can be used.
In recent weeks the ICO has clarified both its regulatory approach during the coronavirus public health emergency and its new priorities for UK data protection, both during and after COVID-19.
Generally, the ICO plans to maintain a flexible approach, taking into account the unique challenges currently being faced by organisations processing personal data and the possible burdens that its actions could place on organisations. The ICO has confirmed that it will concentrate on the most serious threats to the public and will prioritise advice to assist organisations in dealing with COVID-19, while guidance that will likely distract employees from their frontline duties will be put on hold. Robust action will, however, be taken against anyone trying to exploit the coronavirus crisis and misusing personal data.
Although data protection rules remain the same, essentially, the ICO has indicated that it will act proportionately and take into account the issues faced by individual organisations as a result of COVID-19 when exercising its enforcement powers and deciding whether to take regulatory action. This may result in organisations being allowed a certain amount of leeway if they experience difficulties in complying with data protection requirements due to the impact of coronavirus.
In terms of its priorities, the ICO will focus on protecting the public interest, ensuring responsible data sharing and monitoring intrusive and disruptive technology. Protecting vulnerable citizens will be a key area, as will supporting digitalisation and economic growth. Good practice in the development and use of artificial intelligence in combating COVID-19 will be an important consideration, as will proportionate surveillance.
Assisting organisations to be transparent about use of personal data in ways that can impact individuals will also take precedence, and maintaining the ICO’s own business continuity will be a priority.
The ICO makes it clear that, notwithstanding the fact that it will take the current unprecedented circumstances into account to some extent when carrying out its regulatory duties, organisations should not de-prioritise data protection and it will continue to take a “strong regulatory approach against any organisation breaching data protection laws to take advantage of the current crisis”. It will be interesting to see, however, what the impact of COVID-19 will be on organisations’ data protection compliance in the longer term.
On 5 May 2020, the Information Commissioner’s Office (ICO) published a blog setting out the Information Commissioner’s new priorities for UK data protection during COVID-19 and beyond. This follows on from the document published on 15 April 2020, in which the ICO promised an “empathetic” approach to its enforcement of data protection laws during the coronavirus outbreak, prioritising areas likely to cause the greatest public harm and directing its services towards providing guidance for organisations about how to comply with the law during the crisis.