The ICO has issued new guidance to public electronic communication service providers (13-page / 292KB PDF) that explains when those companies are obliged to report personal data breaches to it after new EU data breach rules affecting such providers came into force late last month.
Under the guidance, telecoms companies would be required to submit a monthly report to the ICO detailing all the security breaches they have experienced.
The Privacy and Electronic Communications Regulations (PECR) already required telecoms companies to keep a log of personal data breaches, complete with details on "the facts surrounding the breach, the effects of the breach, and remedial action taken", and it is this log that the ICO is seeking to have reported to it every month.
However, the ICO said in its guidance that the monthly reports telecoms companies provide to it could be disclosed by the watchdog in line with FOI Act requirements.
"Strictly speaking, PECR does not require this monthly return," the ICO said. "However, we believe that this remains a useful exercise as it will demonstrate that service providers are monitoring their security properly and taking their responsibilities seriously. If we do not receive a monthly return from a service provider, this may trigger further investigation."
"We will also inspect logs of personal data breaches during PECR audits. We will use the logs and any other relevant information that comes to our attention to check that service providers are complying with their obligations under PECR, including the duty to maintain a log and notify us of any personal data breaches. As the ICO is subject to the Freedom of Information Act, we may receive requests for a service provider’s logs and associated information. We will take the service provider’s views into account when considering any request," it added.
The new EU Regulation on the notification of personal data breaches sets rules on notifying both regulators and customers about personal data breaches experienced by public electronic communication service providers. The Regulation provides an update to previous data breach notification rules in the UK under the PECR framework.
Generally, the service providers are obliged to inform a national regulator – the ICO in the UK – within 24 hours of detecting that they have experienced a personal data breach. The companies have to supply the ICO with a range of information about the breach, including the estimated date and time of the incident, the nature and content of the personal data concerned and how many individuals are affected.
The telecoms companies also generally have to notify individuals affected by a personal data breach "without undue delay" in cases where the breach is "likely to adversely affect the personal data or privacy" of those individuals. This is unless they can show regulators to their satisfaction that the use of "technological protection measures" has rendered the breached data "unintelligible to any person who is not authorised to access it".
Out-Law.com asked the ICO if there could be cases where breaches referenced in the companies' monthly reports would be disclosed by the ICO under FOI but which did not have to be disclosed to the public by the companies in line with the new EU Regulation.
In response, a spokesman for the ICO said that the watchdog would consider on their merits all FOI requests for details of data breaches reported to it under the PECR regime, but that certain exemptions to disclosure under the FOI Act could be engaged. In particular, the spokesman said exemptions under section 31 and section 41 of the FOI Act may be engaged by such requests.
Section 31 of the FOI Act explains that information held by public authorities is exempt from disclosure if it would, or would be likely to, prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the administration of justice, among other listed reasons.
Section 41 places an exemption on disclosure where information was provided to the public authority from a third party and where disclosure of that information would amount to an actionable breach of confidence.
Both the section 31 and section 41 exemptions are qualified, meaning that the ICO would need to conduct a public interest test to determine whether information sought that is subject to either or both exemptions should nevertheless still be disclosed under the FOI Act.