The ICO has formally stated that whilst, as a regulator, it is unable to formally extend time limits under the GDPR and Freedom of Information Act, it is taking a more relaxed approach to time limits. It expects that it might take public authorities longer than the statutory timescales to respond to requests and it will not necessarily take regulatory action where this is unavoidable.
This means that the ICO is still expecting HEIs to deal with requests - including those made under the GDPR and Freedom of Information Act. However, if the impact of the current situation means that you are unable to respond within a month if it is a GDPR request, or 20 working days if it is a non-personal data information request, then the ICO will not penalise you for this. Your legal obligation to respond remains - all the ICO has said is that it will not penalise you if you are outside of the usual time limits.
If you are struggling to keep up with requests, it is important to keep the requestor updated. Explain that you are unlikely to be able to deal with their request within the usual timescale, and try to give a realistic estimate of when you might be able to respond. It will help if you have collated some evidence to support your estimate and have ensured that it is both reasonable and realistic.
If you are relying on the need to answer outside of the time limits, the ICO is likely to expect to see the following:
It is likely that you will be receiving requests about your response to the crisis and how you have acted and dealt with particular situations. Whilst responding to these questions inevitably takes time and resource, you should consider the public interest in the information that you are being asked to provide and whether that public interest means that you should prioritise a response. We recommend that you have a system of triage, so that you can identify the more routine requests, and requests that are not time sensitive, and prioritise requests on that basis.
There is no scope within the legislation for you to refuse to deal with a request because of resource issues, or unprecedented demand on services. This means that you have a legal obligation to deal with any requests that you receive. Technically, you are still required to deal with them within the timescales given - the ICO does not have the power to extend or amend these. All it can do is relax its regulatory approach where it is convinced that an HEI was genuinely unable to deal with a request within the time limit specified.