Dear data protection and freedom of information colleagues,
As organisations continue to adapt to respond to the challenges of COVID-19, I wanted to write to you setting out what continued support you can expect from my Office in the coming months, as we continue to adjust our approach to reflect these unprecedented times.
Throughout COVID-19, we have been offering practical support on new data protection questions that the pandemic has asked of your organisations. Whether you are a local business or a government department, we have been answering your questions on issues like working from home, collecting customer details for contact tracing and testing staff for coronavirus.
We know how hard you have been working to keep your organisation operating effectively. We know reassuring customers, staff and partners that their information is being looked after has been part of that work. We have been pleased that our timely and pragmatic advice has played a part in that.
We will continue prioritising practical advice that supports you through both the pandemic and recovery period.
We have also continued to provide our advice and support to organisations looking to innovate or do things differently. Good data protection enables innovation, because people’s trust in how you use their personal data plays a role in their overall confidence and support for your services.
In the past few months we have published guidance on how Artificial Intelligence can comply with the law, set out how we will support businesses to better protect children’s data online, and have confirmed our continuing support to innovators through partnership with other regulators. Our Sandbox continues to help organisations using personal data to develop innovative services, from the use of data to support student mental health wellbeing at universities to an airport looking to use facial recognition to replace boarding cards.
Our advice and support focuses firmly on enabling innovation to happen: the days when data protection regulation was seen as a blocker to innovative business have long passed.
We will continue offering this support, with guidance scheduled on data sharing and accountability, and an information hub dedicated to helping SMEs.
That work includes supporting public authorities around their freedom of information responsibilities, where we have recently published our self-assessment FOI toolkit.
As a regulator, our primary responsibility is to ensure compliance with the law. That might bring to mind images of ICO investigators chasing data protection rogues, but the reality is that modern regulation uses a wide range of tools.
Our fines and penalties may grab the headlines, but we know that our work alongside organisations, helping you to make changes and improvements to comply with the law, is the most effective way of reducing mistakes and misuse of people’s data. Working alongside organisations is also central to maintaining the availability of ‘everyday FOI’ that is such an important part of democracy,.
Examples of this approach include working with public authorities and supermarkets, so they could share information to support people shielding during Covid-19. Our report into the extraction of data from the mobile phones of victims and witnesses set out expectations of the police that have since been accepted as a sensible and empathetic way forward. And on the access to information side, we have launched our Freedom of Information toolkit for public authorities.
Working with an organisation does not remove our ability to take formal action if needed, and we will always have a role in bringing to task those organisations that wilfully ignore the rules, or fail to take responsibility for their actions. That has not changed, nor has the legal requirement that we consider the operational and financial pressures an organisation is facing before we intervene. Measuring the success of regulation by how many organisations are penalised ignores the commitment and dedication I see every day from organisations that work hard to use personal information responsibly to achieve their goals.
I know many of you are focused on economic recovery plans now, and as your organisations recover, my regulatory approach will adjust to take account of increasing operational resilience.
We have updated our regulatory approach document today, informed by what you are telling us about your own capacity. It is another step towards returning to our approach before COVID-19, but with the caveats and exceptions that reflect today’s reality.
What does not change is our pragmatic approach and commitment to supporting your organisation to protect people’s information rights. That has been our approach throughout my time as Information Commissioner, and will continue when my five year term comes to an end in July 2021.
I hope that gives you a clear picture of how the Information Commissioner’s Office will continue to support you in the coming months. If you need more information, if you have any questions, or if you simply want help finding the right data protection advice, then get in touch. There are full details on our website, at ico.org.uk/contact-us.