The Information Commissioner’s Office (ICO) issued new guidance this month that announced a softer regulatory approach to enforcement of data breaches during the current crisis.

The guidance says that the ICO will refocus its approach to enforcement, taking into account the strain placed on organisations experiencing staff shortages and financial pressures. The ICO says it is particularly aware of the impact these may have on organisations providing vital frontline services, including healthcare.

The ICO has stated that it will be taking a “pragmatic and proportionate” approach while the crisis is ongoing, as data protection laws allow it to be flexible in its regulatory actions. It has said it will focus its response on the most serious infractions, and ones that will “cause the greatest public harm”.

The new guidance also refers to the use of UK citizens’ personal data in the response to the coronavirus crisis, saying that “there are appropriate and proportionate safeguards for individual’s personal information that also allow for a recognition of the public interest, for instance in the use of apps, research projects and digital tools that rely on large personal data sets”.

Some of the ICO’s newer responses include:

  • Relaxing the formal powers that require organisations to provide evidence and allowing longer periods to respond. It will also conduct fewer investigations in order to focus on the most serious infractions
  • Stopping all current audit work to refocus its resources
  • Allowing longer periods of time to rectify breaches
  • All formal regulatory action in connection with outstanding information request backlogs will be suspended, and
  • A potential reduction in fines.

While this new guidance may be a welcome adjustment for data controllers and processors, it is important to note that the guidance makes it clear that the ICO will not tolerate abuse of these new measures. When conducting investigations, the ICO will do so in the context of the current national emergency.

However, it will take a ”strong regulatory approach” against any organisations breaching data protection laws and taking advantage of the current crisis; for example, organisations that use Covid-19 as an excuse for non-compliance where it has had no impact. Organisations should remain proactive in reporting data breaches, aim to comply with the 72-hour deadline, and inform the ICO of any circumstances relating to the current crisis which may impact their compliance.

This article was written by our paralegal Palomi Kotecha



You can find further information regarding our expertise, experience and team on our Media Disputes page.

If you require assistance from our team, please contact us or alternatively request a call back from one of our lawyers by submitting this form.



Subscribe – In order to receive our news straight to your inbox, subscribe here. Our newsletters are sent no more than once a month.