The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.


During the pandemic, we are worried that our data protection practices might not meet our usual standard or our response to information rights requests will be longer. Will the ICO take regulatory action against us?

No. We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.

We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.

The ICO has published a document setting out our regulatory approach during the coronavirus pandemic.

How can I show that our approach to processing during the pandemic is compliant with data protection law? 

To show that your processing of data is compliant, you will need to use the accountability principle. It makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance such as additional recording keeping requirements when processing sensitive data. One way of demonstrating accountability is through a data protection impact assessment (DPIA).

If your organisation is going to process health information, then you should conduct a DPIA focussing on the new areas of risk.  

This DPIA should set out:

  • the activity being proposed;
  • the data protection risks;
  • whether the proposed activity is necessary and proportionate;
  • the mitigating actions that can be put in place to counter the risks; and
  • a plan or confirmation that mitigation has been effective.

DPIAs are designed to be flexible, as appropriate to the context. We have a template organisations can use to help them focus on the minimum requirements. One important point is that the initial DPIA should be regularly reviewed and updated. This is especially important in a fast-moving crisis situation, as new risks and benefits emerge.

I’m worried we’re more open to a personal data breach because of adaptations we’ve made during the pandemic. What should I do?

Many organisations have had to adapt to the evolving pandemic at speed, for example, arranging working from home quickly and using new IT solutions, which in turn may have led to policies procedures not being strictly followed.

We have seen several breaches involving human error such as using CC instead of BCC on emails and sending personal data to incorrect recipients so it may be worth reminding your staff to check before sending emails.

Our Working from Home guidance can help your organisation remain compliant with data protection laws.