The UK Information Commissioner’s Office (ICO) has published new guidance following the adoption of Commission Regulation (EU) No 611/2013 (the Notification Regulation) (see our blog), which aims to harmonise the data breach notification procedure across the EU for providers of publicly available electronic communications services, such as ISPs and telecoms providers.
The ICO’s guidance seeks to interpret the Notification Regulation in line with the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended by the 2011 Amendment Regulations (PECR). PECR requires communications service providers to notify the ICO of security breaches involving personal data without undue delay.
The ICO has provided a checklist to help organisations assess whether they are communications service providers. Such providers must notify the ICO within 24 hours of detecting the breach where feasible; where full details are not available in that time, the provider must make an initial notification within 24 hours and a second, complete notification no later than three days after the initial one. Notifications must cover the details set out in Annex I of the Notification Regulation, and the ICO suggests that if the breach involved the loss of sensitive personal data, the individuals affected should be notified with the full details required by Annex II of the Notification Regulation. The ICO also encourages service providers to submit an online monthly log, or to notify by email, so that the ICO is kept well informed.
While the obligation to notify the ICO currently applies only to service providers within the PECR definition, the ICO has hinted that the obligation may in future extend to all data controllers.