The Information Commissioner's Office ('ICO') has added a section on how public electronic communications service providers should deal with security breaches to its Guide to the Privacy and Electronic Communications Regulations.
To view the article in full, please see below:
Full Article
The Information Commissioner's Office ('ICO') has added a section on how to deal with security breaches to its Guide to the Privacy and Electronic Communications Regulations. Public electronic communications service providers ('Providers') are obliged to notify the ICO without undue delay of any personal data breaches and to keep a log of personal data breaches, pursuant to regulation 5A of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 1208/2011)). In certain circumstances Providers are also required to notify subscribers of personal data breaches. The new section of the guide sets out what this involves.
What is a personal data breach?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.
What do Providers have to do?
(1) Keep a log of all personal data breaches
This log must contain: any facts surrounding a breach; the effects of the breach; and any remedial action taken as a result.
(2) Notify the ICO of breaches
The notification must contain: a description of the nature of the breach; the consequences of the breach; and the measures taken/proposed to be taken to address the breach. The ICO suggests that Providers send their logs to the ICO every month thus avoiding a duplication of information and meeting the requirement of notifying the ICO without undue delay.
If a breach is of a serious nature however, Providers must notify the ICO as soon as possible by completing the security breach notification form available on the ICO website and submitting it by email to datasecuritybreach@ico.gsi.gov.uk. In assessing whether or not the breach is of a serious nature, the following should be considered: the type and sensitivity of data involved; the impact it could have on the individual; and the potential harm.
Failure to comply with this notification requirement can incur a £1,000 fine.
(3) Notify subscribers of breaches
If the breach is likely to adversely affect a subscriber's personal data or privacy, then the Provider must inform the subscriber without undue delay of: the nature of the breach; contact details of the Provider; and how they can mitigate any possible adverse impact of the breach. If the Provider can demonstrate that it has measures in place that would render the personal data unintelligible to any person not authorised to access it, and that such measures were applied to the relevant data, then they do not have to inform subscribers. The ICO can require Providers to notify subscribers.
It is anticipated that the new data protection regime which is due to be revealed at the end of January 2012 will extend this compulsory breach notification procedure to apply more widely.
If you require further information on notifying the ICO of security breaches, please contact us.
The full ICO Guide to the Privacy and Electronic Communications Regulations can be found here.
The new guidance on security breaches can be found here.
This article was written for Law-Now, CMS Cameron McKenna's free online information service. To register for Law-Now, please go to www.law-now.com/law-now/mondaq
Law-Now information is for general purposes and guidance only. The information and opinions expressed in all Law-Now articles are not necessarily comprehensive and do not purport to give professional or legal advice. All Law-Now information relates to circumstances prevailing at the date of its original publication and may not have been updated to reflect subsequent developments.
The original publication date for this article was 22/12/2011.
