ICO Issues Guidance on Notification of Security Breaches

September 22, 2013

The Information Commissioner’s Office (ICO) has published new guidance on notification of security breaches required under the Privacy and Electronic Communications Regulations 2003 (PECR). The guidance explains to organisations who provide electronic communications services to the public (eg telecoms providers and internet service providers) when and how to notify the ICO about a security breach.

Under regulation 5A of PECR, “service providers” have a specific obligation to notify the ICO, and in some cases their customers, about a “personal data breach”. They are also required to keep a log of any breaches (the guidance includes a template log). From 25 August 2013, European Commission Regulation 611/2013 has provided for further rules about exactly how and when to notify, and what the notification must contain, although the ICO guidance goes beyond this in some cases.

Service providers must notify the ICO of any personal data breach within 24 hours of detection, but the guidance says that they must also provide the ICO with a return each month (even if there have been no breaches). In addition, service providers must notify affected customers without undue delay, that is, as soon as they have sufficient information about the breach.

Although certain concepts are defined in the PECR, the guidance explains them in more user-friendly language:

A service provider is someone who provides any service allowing members of the public to send electronic messages, including internet service providers and telecoms providers. Any organisation meeting the following criteria is likely to be a service provider:

  • it provides a service which transmits electronic signals (and is not purely providing content);
  • the service is available to members of the public;
  • the service is provided as a primary activity, rather than as a supplementary service eg wi-fi provided in a café or on a train; and
  • if there are multiple organisations involved in providing the service, this organisation directs and controls the provision of service to the end-user.

This is not intended to be an exhaustive list, and organisations will need to give full consideration to their own specific circumstances.

A personal data breach is whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation. There is no threshold for how serious the breach must be; all breaches must be notified. If the personal data was encrypted to an appropriate standard, and the decryption key remains secure, service providers should strictly speaking still notify the ICO of the breach. However, the ICO is unlikely to take formal enforcement action against an organisation that fails to notify it of a breach if the information was properly encrypted and remains secure.

Organisations should note that the purpose of these provisions is to protect individuals’ data and privacy in the context of their electronic communications. Consequently, it is important for organisations to consider the type of personal data they hold and whether any security breach could adversely affect an individual, eg, by causing financial loss, reputational damage or identity fraud. If an organisation does not hold this type of data, it is unlikely to be caught by these provisions.

Organisations should also note that as the ICO is subject to the Freedom of Information Act, it may receive requests for a service provider’s logs and associated information, although certain exceptions may apply under the FOIA.