There is currently no legal obligation under the Data Protection Act 1998 for data controllers to report to the Information Commissioner’s Office (“ICO”) any breaches of data security that have led to losses of personal data – although the ICO strongly encourages controllers to bring “serious breaches” to their attention.
However under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), ‘service providers’ – mainly the telecoms and internet service providers – are under an obligation to notify the ICO of personal data breaches; and, under the new General Data Protection Regulation (due to come into force in May, subject to any alteration as a result of Brexit negotiations) all data controllers will have a similar obligation to notify the ICO of such breaches.
A recent decision of the First-tier Tribunal in a PECR case gives some indication of the possible approach of the ICO to the new duty – and in particular to the question of how quickly notifications have to be given.
In TalkTalk Telecom Group PLC v Information Commissioner EA/2016/0110, the First-tier Tribunal considered an appeal by TalkTalk against the imposition by the ICO of a penalty notice for “undue delay” in notifying the ICO of a personal data breach. As the fixed penalty for this breach of the PECR is £1000, it can be guessed that TalkTalk were running the appeal to get clarification of the law.
The facts that gave rise to the penalty notice were that, due to a problem with one of TalkTalk’s password mechanisms, one of its customers was able to see the name, address, telephone number, email address and date of birth of a second customer. The second customer (after being contacted by the first) called TalkTalk to tell them about this on 16 November 2016 and followed this up with a detailed letter on 18 November, when she also informed the ICO, who in turn wrote to TalkTalk two days later. On 27 November TalkTalk emailed the ICO to say that the incident was being investigated and on 1 December formally notified the ICO that there had been a personal data breach.
TalkTalk’s principal argument in the appeal was that it was not until it had conducted its own investigation following the customer’s complaint that it had sufficient certainty that there had been a breach so as to trigger the requirement to notify the ICO. In support of that argument it relied on the fact that in the Directive underpinning the PECR there is express recognition that “simple suspicion” is not a notification trigger and that the Directive referred to a need for “sufficient awareness” that a security incident had occurred.
TalkTalk suggested that what it had done reflected standard industry practice and also that to require service providers to notify before completing their own investigations would create an impractical burden given the volume of complaints about suspected personal data breaches (in TalkTalk’s case, apparently about 50 complaints a month).
In response the ICO said that on the particular facts of the case – most importantly the detail and supporting evidence provided in the customer’s letter of 18 November – TalkTalk had “sufficient awareness” well before it had completed its investigation. In addition the ICO submitted that the trigger for notification was not that the service provider had “conclusive confirmation” that there had been a personal data breach and pointed to the fact that the scheme of the PECR contemplated an initial notification followed by a later one including any additional information not available when the first notification was made.
The First-tier Tribunal agreed with the ICO: it thought that, given the level of detail contained in the customer’s letter, the inevitable conclusion was that there had been a personal data breach (and noted that TalkTalk had not suggested any other credible explanation). The appeal was therefore dismissed.
What the case can be seen to illustrate is that the ICO takes – and is likely to take under the GDPR – a strict approach to compliance with the requirement to notify personal data breaches “without undue delay”. One small crumb of comfort for ‘ordinary’ data controllers, as compared to service providers under the PECR, is that not all personal data breaches will have to be notified – if the data controller can demonstrate that the breach is “unlikely to result in a risk to the rights and freedoms of natural persons” then there will be no need to notify. But that is likely to be a high hurdle to meet and, other than in the most clear-cut circumstances, a data controller will need a very strong appetite for risk before relying on this as a reason not to notify.