Out-Law News

Communications providers should log personal data security breaches monthly, Information Commissioner says


Electronic communication providers should inform the Information Commissioner's Office (ICO) about breaches to service users' personal data on a monthly basis, the ICO has said.

The ICO recommends the monthly report in a new section in its guidance on security breach notifications. Public electronic communications service providers must alert it in the event of any security breaches relating to users' personal data.

The guidance also states that if the breach is of a particularly serious nature, providers need to notify the ICO as soon as possible using a new standard notification form.

Under the Privacy and Electronic Communications Regulations (PECR), providers must maintain a log of any personal data breaches which occur. They must then notify the ICO "without any unnecessary delay".

A breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data" stored, transmitted or processed by the provider. The log must record the facts surrounding the security breach, the effects of that breach and the remedial action taken, or proposed to be taken, by the provider.

Changes to PECR which came into force in May introduced a requirement for service providers to inform the ICO about all personal data breaches. The changes also gave the ICO greater investigatory and audit powers, as well as allowing it to fine businesses and other organisations for serious breaches of the regulations. Previously the ICO could only fine for breaches of the Data Protection Act.

Technology law expert Claire McCracken of Pinsent Masons, the law firm behind Out-Law.com, said that the ICO's new guidance went further than the amendments made to the regulations in May. However, the actual steps that must be taken in relation to notifying the ICO of a data security breach and the contents of that notification largely mirrored those amendments, she said.

"Whilst the regulations provide for an inventory of personal data breaches to be maintained by service providers, the guidance goes further than this and recommends that the log is sent to the ICO on a monthly basis. This will avoid duplication of work for the organisation concerned and ensure compliance with the obligations under the amended regulations," she said.

"This is not provided for in the amendments to the PECR, which simply provide for the ability of the ICO to audit compliance."

The new guidance also includes a standard form which providers should use to notify the ICO as soon as possible in the event of a "serious" breach.

The ICO does not define a serious breach, but suggests that providers consider the type and sensitivity of the data, the impact the breach could have on the individual and the potential harm caused, such as financial loss or fraud.

Although PECR provides for immediate notification in the event of a serious breach, the actual form that notification should take is not given, McCracken said.

Providers will also have to notify service users about the breach where it is "likely to adversely affect the personal data or privacy of a user or subscriber" unless they can demonstrate that they have measures in place which would render that data unintelligible. The ICO can force providers to disclose a security breach if it considers that the breach is likely to have an adverse effect on users of the service.
