The UK ICO has released guidance for data controllers on complying with their data protection obligations during the COVID-19 pandemic. In doing so, the ICO has recognised that data controllers' resources may be stretched at the moment and diverted away from compliance or information governance matters.
Data subject requests
The ICO has confirmed that it won't penalise data controllers that take longer to respond to data subject requests, or need to adapt their usual approach due to the impact of COVID-19.
While the ICO cannot extend statutory timescales, it has informed data subjects through its website and other communication channels that they may experience understandable delays when making requests during this time.
This applies to any type of data subject request under GDPR, including subject access requests. Under the statutory timescales, data controllers have one month from the date of receipt (which can be extended by a further two months in certain circumstances) to respond to these requests.
Although the ICO does not provide any further guidance on dealing with data subject requests during this time, it would be best practice for data controllers to consider the following:
- If a data controller remains in a position to respond to a request within the statutory timeframes, it should continue to do so
- Where a data controller is unable to respond to a request within the statutory timeframes due to the impact of COVID-19, it should consider whether it is in a position to respond in part or in stages, or in a different format than usual
- A data controller which is unable to comply with the statutory timescales for handling a request should ensure that the reasons and any decision-making regarding this are clearly documented - including the specific circumstances of any particular request
- It would also be best practice to communicate to the individual who has made the request that there will be a delay in responding to their request and the reasons for this delay
Freedom of information requests
The ICO has indicated that the same approach will apply to requests made under the Freedom of Information Act 2000. Public authorities will therefore not be penalised for taking longer than the statutory timescale of twenty working days to respond to requests for information.
As above, it would be best practice for public authorities to document the reasons why they cannot comply with the statutory timeframe, and communicate this to the person who made the request.