
Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

The Seventh Principle of the Data Protection Act 1998 provides that appropriate technical and organisational measures should be taken in relation to personal data processing. Data controllers should consider the state of technological development and the cost of implementing any measure, ensuring that the level of security is appropriate to:

  • the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage; and
  • the nature of the data.

A key element in achieving compliance with this obligation is ensuring that a written contract is in place with all data processors engaged by a data controller which confirms the processor's commitment to meet Seventh Principle standards. Data controllers must also adopt measures to ensure that they select data processors which comply with the Seventh Principle and take reasonable steps to ensure compliance – for instance, via audits and contractual commitments. 

The Information Commissioner's Office often takes enforcement action against data controllers that fail to satisfy the Seventh Principle.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

There is currently no legal obligation under the Data Protection Act 1998 to report breaches of security to the individual. However, the Information Commissioner's Office (ICO) recommends that a data controller make a breach public where it is “clearly in the interests of the individuals concerned”. It suggests that controllers consider:

  • whether notification can assist in their meeting security obligations;
  • whether notification can assist the individuals because of actions they could take; and
  • the dangers of ‘over-notifying’, as not every incident will warrant notification.

There is no guidance on what form such notification should take.

Regulation 5A(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 provides that if a data breach is likely to adversely affect the personal data or privacy of a subscriber or user, the service provider shall, without undue delay, notify that breach to the subscriber or user concerned. Whether the breach is likely to adversely affect individuals is primarily a decision for the service provider, based on the circumstances of the case, including:

  • the nature and content of the personal data;
  • whether it includes sensitive personal data as defined in the Data Protection Act;
  • what harm could be caused to the individual; and
  • who now has access to the data, to the extent that is known.

A service provider need not, however, notify customers if the ICO confirms that it is satisfied that the information was properly encrypted when the breach occurred.

Are data owners/processors required to notify the regulator in the event of a breach?

There is currently no legal obligation under the Data Protection Act 1998 to report breaches of security to the Information Commissioner's Office (ICO). However, the ICO has issued guidance advising that serious breaches should be reported. While ‘serious breach’ is not defined, data controllers should consider the following factors when assessing the severity of the breach:

  • potential detriment to data subjects;
  • volume of personal data lost/released/corrupted; and
  • sensitivity of the data lost/released/corrupted.

Certain companies do have notification obligations. For example, under the Privacy and Electronic Communications (EC Directive) Regulations 2003, electronic communication service providers must notify certain data breaches to the ICO. Financial service sector-specific regulations also include breach notification obligations.
