ARTICLE
5 January 2012

ICO Reveals New Procedure For Data Security Breach Notification

CC
CMS Cameron McKenna Nabarro Olswang

Contributor

CMS is a Future Facing firm with 79 offices in over 40 countries and more than 5,000 lawyers globally. Combining local market insight with a global perspective, CMS provides business-focused advice to help clients navigate change confidently. The firm's expertise and innovative approach anticipate challenges and develop solutions. CMS is committed to diversity, inclusivity, and corporate social responsibility, fostering a supportive culture. The firm addresses key client concerns like efficiency and regulatory challenges through services like Law-Now, offering real-time eAlerts, mobile access, an extensive legal archive, specialist zones, and global events.

The Information Commissioner's Office ('ICO') has added a section on how public electronic communications service providers should deal with security breaches to its Guide to the Privacy and Electronic Communications Regulations.
United Kingdom Privacy

The Information Commissioner's Office ('ICO') has added a section on how public electronic communications service providers should deal with security breaches to its Guide to the Privacy and Electronic Communications Regulations.

To view the article in full, please see below:




Full Article

The Information Commissioner's Office ('ICO') has added a section on how to deal with security breaches to its Guide to the Privacy and Electronic Communications Regulations. Public electronic communications service providers ('Providers') are obliged to notify the ICO without undue delay of any personal data breaches and to keep a log of personal data breaches, pursuant to regulation 5A of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 1208/2011)). In certain circumstances Providers are also required to notify subscribers of personal data breaches. The new section of the guide sets out what this involves.

What is a personal data breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.

What do Providers have to do?

(1) Keep a log of all personal data breaches

This log must contain: any facts surrounding a breach; the effects of the breach; and any remedial action taken as a result.

(2) Notify the ICO of breaches

The notification must contain: a description of the nature of the breach; the consequences of the breach; and the measures taken/proposed to be taken to address the breach. The ICO suggests that Providers send their logs to the ICO every month thus avoiding a duplication of information and meeting the requirement of notifying the ICO without undue delay.

If a breach is of a serious nature however, Providers must notify the ICO as soon as possible by completing the security breach notification form available on the ICO website and submitting it by email to datasecuritybreach@ico.gsi.gov.uk. In assessing whether or not the breach is of a serious nature, the following should be considered: the type and sensitivity of data involved; the impact it could have on the individual; and the potential harm.

Failure to comply with this notification requirement can incur a £1,000 fine.

(3) Notify subscribers of breaches

If the breach is likely to adversely affect a subscriber's personal data or privacy, then the Provider must inform the subscriber without undue delay of: the nature of the breach; contact details of the Provider; and how they can mitigate any possible adverse impact of the breach. If the Provider can demonstrate that it has measures in place that would render the personal data unintelligible to any person not authorised to access it, and that such measures were applied to the relevant data, then they do not have to inform subscribers. The ICO can require Providers to notify subscribers.

It is anticipated that the new data protection regime which is due to be revealed at the end of January 2012 will extend this compulsory breach notification procedure to apply more widely.

If you require further information on notifying the ICO of security breaches, please contact us.

The full ICO Guide to the Privacy and Electronic Communications Regulations can be found here.

The new guidance on security breaches can be found here.

This article was written for Law-Now, CMS Cameron McKenna's free online information service. To register for Law-Now, please go to www.law-now.com/law-now/mondaq

Law-Now information is for general purposes and guidance only. The information and opinions expressed in all Law-Now articles are not necessarily comprehensive and do not purport to give professional or legal advice. All Law-Now information relates to circumstances prevailing at the date of its original publication and may not have been updated to reflect subsequent developments.

The original publication date for this article was 22/12/2011.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More