The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

During the pandemic, we are worried that our data protection practices might not meet our usual standard or that our response to information rights requests will take longer. Will the ICO take regulatory action against us?

We understand that resources, whether they are finances or people, might have been diverted away from usual compliance or information governance work. We will be flexible in our approach, taking into account where organisations need to prioritise other areas such as those engaged in tackling the pandemic or supporting vulnerable people.

We can’t extend statutory timescales. Where organisations have a backlog of complaints, we expect them to have robust recovery plans in place to ensure they reduce these backlogs within a reasonable timeframe.

The ICO has published a document setting out our regulatory approach during the coronavirus pandemic.

How can I show that our approach to processing during the pandemic is compliant with data protection law? 

To show that your processing of data is compliant, you will need to use the accountability principle. It makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance, for example by meeting additional record-keeping requirements when processing sensitive data. One way of demonstrating accountability is through a data protection impact assessment (DPIA).

If your organisation is going to process health information, then you should conduct a DPIA focussing on the new areas of risk.  

This DPIA should set out:

  • the activity being proposed;
  • the data protection risks;
  • whether the proposed activity is necessary and proportionate;
  • the mitigating actions that can be put in place to counter the risks; and
  • a plan or confirmation that mitigation has been effective.

DPIAs are designed to be flexible, as appropriate to the context. We have a template organisations can use to help them focus on the minimum requirements. One important point is that the initial DPIA should be regularly reviewed and updated. This is especially important in a fast-moving crisis situation, as new risks and benefits emerge.

I’m worried we’re more open to a personal data breach because of adaptations we’ve made during the pandemic. What should I do?

Many organisations have had to adapt the way that they work, for example, working from home and using new IT solutions.

We have seen several breaches involving human error, such as using CC instead of BCC on emails and sending personal data to incorrect recipients, so it may be worth reminding your staff to check before sending emails.

Our Working from Home guidance can help your organisation remain compliant with data protection laws.

Organisations should continue to report personal data breaches to us, without undue delay. This should be within 72 hours of the organisation becoming aware of the breach.