« 個人情報保護委員会 「テレワーク等により自宅においてマイナンバーを取り扱っても問題ないか」 | Main | ENISA eIDと信託サービスにおけるENISAの役割 »

2020.04.15

UK Information commissioner's officeがパンデミック時の規制に関する文書を公表しましたね。。。

こんにちは、丸山満彦です。

UK Information commissioner's officeがパンデミック時の規制に関する文書を公表しましたね。。。

UK -ICO

・2020.04.15 How we will regulate during coronavirus

・[PDF] The ICO’s regulatory approach during the coronavirus public health emergency

平時ではないので、本来の目的を意識して柔軟に対応をすることにしているということだと思います。

 

The ICO’s regulatory approach during the coronavirus public health emergency

Our role as an independent regulator is to act in the public interest, and our approach has always been to be a pragmatic and proportionate regulator.

The coronavirus public health emergency means that we must reassess our priorities and our own resourcing, so that we retain the right balance in these challenging times, focusing on those areas likely to cause the greatest public harm.

This paper sets out how we will regulate during the current public health emergency, focusing in particular on data protection and freedom of information laws.

Background:

These are exceptional times in the nation’s history. Parliament and government have enacted emergency legislation and there have been significant impacts on services across government, public bodies and businesses.

In particular, the current coronavirus public health emergency means that:

  • organisations are facing staff and operating capacity shortages;
  • health, local and central government, charities and law enforcement public authorities are facing severe front-line pressures and are redeploying resources to meet those demands; and,
  • organisations are facing acute financial pressures impacting their finances and cashflows.

As a public authority, we must act in a manner which takes into account these circumstances. This includes deciding how we exercise our enforcement powers, how we deliver technical advice and guidance to public and private sector organisations, how we continue to support transparency in public decision making and how we support the public in dealing with their complaints and queries. We acknowledge the important role that people’s information rights will continue to have, both around privacy protections and transparency around decision making by public bodies.

The law gives us flexibility around how we carry out our regulatory role, which allows us to recognise and engage with the unique challenges the country is facing. For example, data protection laws contain checks and balances to ensure that personal information can flow and be effectively utilised for healthcare. Similarly, there are appropriate and proportionate safeguards for individual’s personal information that also allow for a recognition of the public interest, for instance in the use of apps, research projects and digital tools that rely on large personal data sets.

There are specific legal requirements which apply to particular work we do and decisions we make. For example, we are required by law to deal with complaints by the public appropriately, and when we take enforcement action there are specific criteria we must take into account. We recognise, however, that the current reduction in organisations’ resources could impact their ability to comply with aspects of the law.

We are committed to an empathetic and pragmatic approach, and will demonstrate this through our actions:

  • We will continue to recognise the rights and protections granted to people by the law, both around their personal information and their right to freedom of information.
  • We will focus our efforts on the most serious challenges and greatest threats to the public.
  • We will assist frontline organisations in providing advice and guidance on data protection laws.
  • We will take firm action against those looking to exploit the public health emergency through nuisance calls or by misusing personal information.
  • We will be flexible in our approach, taking into account the impact of the potential economic or resource burden our actions could place on organisations.
  • We will be ready to provide maximum support for business and public authorities as they recover from the public health emergency.

 

Engagement with the public and organisations:

We are committed to supporting organisations through this period, reflecting the challenges they face. In particular, we acknowledge our role in supporting frontline organisations that provide healthcare or other vital services.

  1. We will identify and fast track advice, guidance or tools that public authorities and businesses tell us would help them deal with, or recover from, the crisis.
  2. We will review the economic and resource impact of any new guidance. We will delay any specific guidance that could impose a burden that diverts staff from frontline duties, except where it is needed to address a high risk to the public.
  3. We will provide practical support to the public as to how to understand and exercise their information rights during this crisis.
  4. This could mean that individuals are advised to wait longer than usual and ‘bear with’ organisations.
  5. When handling the public’s complaints about organisations, our approach will take into account the impact of the crisis. This may mean we resolve the complaint without contacting an organisation, for example if it is focussing its resources on the coronavirus frontline, or that we give it longer than usual to respond or to rectify any breaches associated with delay if it is recovering its service and gradually improving timescales.
  6. We will look to develop further regulatory measures that are ready to use at the end of the crisis. These would support economic growth and recovery including advice services, sandboxes, codes and international transfer mechanisms to test flexibility in safe data use.

 

Regulatory action:

The ICO has a Regulatory Action Policy which provides guidance as to our approach to regulatory investigations and enforcement action.

As set out in the policy, the ICO will continue to act proportionately, balancing the benefit to the public of taking regulatory action against the potential detrimental effect of doing so, taking into account the particular challenges being faced at this time.

  1. Organisations should continue to report personal data breaches to us, without undue delay. This should be within 72 hours of the organisation becoming aware of the breach, though we acknowledge that the current crisis may impact this. We will assess these reports, taking an appropriately empathetic and proportionate approach.
  2. When we conduct investigations, we will act knowing there is a public health emergency and seek to understand the individual challenges faced by organisations. We will take into account the particular impact of the crisis on that organisation. This may mean less use of formal powers that require organisations to provide us with evidence, and allowing longer periods to respond. We also expect to conduct fewer investigations, focussing our attention on those circumstances which suggest serious non-compliance.
  3. We will take a strong regulatory approach against any organisation breaching data protection laws to take advantage of the current crisis.
  4. We have stood down our audit work, recognising the economic impact on organisations and the travel and contact restrictions now in force.
  5. In deciding whether to take formal regulatory action, including issuing fines, we will take into account whether the organisation’s difficulties result from the crisis, and if it has plans to put things right at the end of the crisis. We may give organisations longer than usual to rectify any breaches that predate the crisis, where the crisis impacts the organisation’s ability to take steps to put things right.
  6. All formal regulatory action in connection with outstanding information request backlogs will be suspended.
  7. As set out in the Regulatory Action Policy, before issuing fines we take into account the economic impact and affordability. In current circumstances, this is likely to mean the level of fines reduces.
  8. We may not enforce against organisations who fail to pay or renew their data protection fee, if they can evidence that this is specifically due to economic reasons linked to the present situation, and provided we are adequately assured as to the timescale within which payment will be made.
  9. We will recognise that the reduction in organisations’ resources could impact their ability to respond to Subject Access Requests, where they need to prioritise other work due to the current crisis. We can take this into account when considering whether to impose any formal enforcement action.

 

Freedom of Information Act and Environmental Information Regulations:

This unique crisis has required quick decision making and innovative uses of data, including geolocation and geospatial information. There has been, and will continue to be, intense public interest in understanding how and why decisions were taken and how information was used.

We will take an empathetic and pragmatic approach to our role regulating access to information regulation, recognising the importance of transparency, especially where people have seen their civil liberties impacted.

We recognise that the reduction in organisations’ resources could impact their ability to comply with aspects of freedom of information law, such as how quickly FOI requests are handled, but we expect appropriate measures to still be taken to record decision making, so that information is available at the conclusion of the emergency. We do not expect this will impact on the ability to take and progress actions that are necessary.

  1. We will continue to accept new information access complaints. We will take a pragmatic approach to resolving these complaints, keeping engagement with the public authority to a minimum and being guided by them as to whether they are able to respond to our requests or require more time to do so.
  2. We will recognise that the reduction in organisations’ resources could impact their ability to respond to access requests or address backlogs, where they need to prioritise other work due to the current crisis. Organisations should recognise the public interest in transparency and seek as far as possible to continue to comply with their obligations for particularly high-risk or high profile matters.
  3. We understand that there may be extreme circumstances where public authorities have no option but to temporarily reduce or suspend elements of their information access function.
  4. We encourage public authorities to proactively publish information they know will be of importance to their communities.
  5. We will continue to emphasise and support the importance of proper record keeping during a period of time that will be subject to future public scrutiny.

 

Conclusion:

With the correct application of flexibility in regulatory response, we do not consider that any of the legislation we oversee should prevent organisations taking the steps they need to in order to keep the public safe and supported during the present public health emergency. There is plenty of flexibility built in to the legislation for organisations to use in such times, including some specific public health related exemptions.

We have prioritised our services to provide additional guidance for organisations about how to comply with the law during the crisis.

We will continue to apply this flexible and pragmatic approach to our regulatory response during the crisis and will also be aware that some effects will be felt for a significant time at the conclusion of the emergency. This means that some flexibility will continue to be necessary in some areas for many months to come.

We will keep this guidance under review as the situation progresses and may issue further updates as and when appropriate.

|

« 個人情報保護委員会 「テレワーク等により自宅においてマイナンバーを取り扱っても問題ないか」 | Main | ENISA eIDと信託サービスにおけるENISAの役割 »

Comments

Post a comment



(Not displayed with comment.)


Comments are moderated, and will not appear on this weblog until the author has approved them.



« 個人情報保護委員会 「テレワーク等により自宅においてマイナンバーを取り扱っても問題ないか」 | Main | ENISA eIDと信託サービスにおけるENISAの役割 »