The ICO has issued some statements intended to reassure organisations that are under pressure as a result of Covid-19. The ICO’s stance is outlined in its 16 March 2020 GDPR advice for data controllers, in particular in its answer to the following question:
“During the pandemic, we are worried that our data protection practices might not meet our usual standard or our response to information rights requests will be longer. Will the ICO take regulatory action against us?
No. We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.
We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.”
Similar reassurance is given in a 16 March 2020 ICO blog post for public authorities handling Freedom of Information matters. Whilst the blog does not expressly refer to similar regimes, such as the Environmental Information Regulations and the rules on the re-use of public sector information, the ICO will presumably adopt the same approach under those regimes also.
Clearly the ICO does not intend its guidance to be treated as authority to ignore all compliance with information law requirements during the pandemic, but it does provide organisations with some comfort about the regulatory approach in these exceptional circumstances.
The ICO statement on data protection also provides some guidance around matters such as informing employees about another colleague’s health condition and the lawful grounds for healthcare organisations to contact individuals. The ICO has also issued a blog post for individuals covering similar points, which organisations might want to refer employees or other individuals to in appropriate cases.
Also on 16 March, Andrea Jelinek, Chair of the European Data Protection Board (EDPB), the GDPR co-ordinating body for EU data protection regulators, issued a statement confirming that in her view: “even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects”.
For organisations dealing with compliance across a number of jurisdictions, reference should be made to statements and guidance from the appropriate regulator(s) in each relevant jurisdiction.