UK Privacy Watchdog’s Guide to New Laws on Privacy and Protection of Personal Data
On 7 September 2011, the UK privacy watchdog, the Information Commissioner’s Office (“ICO”), published a comprehensive guide (the “Guide”) to new European laws relating to, amongst other things, the measures a public electronic communications provider (“Service Provider”) should take to protect the security of its services, including the notification to the ICO of a personal data breach, and the ICO’s new audit powers.
The Guide includes useful commentary on the Privacy and Electronic Communications Regulations (SI 2426/2003) and the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations (SI 2011/1208) (the “2011 Regulations”), which came into effect on 26 May 2011, make a number of amendments to the earlier regulations and implement in the UK the amended European E-Privacy Directive (2002/58/EC).
The Guide on Security of Services
The Guide makes clear that compliance with the 2011 Regulations requires that Service Providers must (1) take appropriate measures to protect personal data, and (2) if there remains a significant risk to security, inform impacted individuals of the nature of the risk and any appropriate measures the individual may take to safeguard against the risk.
Further, if a personal data breach occurs, a Service Provider must, without undue delay, notify that breach to the Information Commissioner (and any individuals affected, unless the Service Provider has implemented appropriate technological protection measures that render the data unintelligible to any person who is not authorised to access it). Unfortunately, the Guide does not explain what exactly is meant by “undue delay”.
The Guide also points out that notification to the Information Commissioner must include:
- a description of the nature of the breach,
- a description of the consequences of the breach, and
- a description of the measures taken or proposed to be taken by the Service Provider to address the breach.
A notification to an affected individual must include:
- a description of the nature of the breach,
- information about contact points within the Service Provider’s organization from which more information may be obtained, and
- recommended measures to allow the individual to mitigate the possible adverse impacts of the breach.
The Guide goes on to say that a Service Provider should also maintain an inventory or log of personal data breaches, which includes the facts surrounding the breach, the effects of that breach, and the remedial action taken.
Under the 2011 Regulations, the Information Commissioner has the power to audit the measures taken by Service Providers to safeguard the security of personal data and their compliance with the notification requirements. The Information Commissioner also has new powers to issue fixed penalty notices of £1,000 per occurrence for failure to notify a personal data breach to the ICO (along with a power to issue an on-the-spot fine of £500,000 if a serious breach is uncovered).
Use of the Guide
Although the Guide is exactly what it says on the tin – guidance – Service Providers should pay close attention to its content in order to avoid falling foul of the 2011 Regulations. It would be foolhardy to ignore the Guide given its detail and the fact that it will most likely be taken into consideration by the ICO when considering enforcement action.
It is also worth noting that, whilst adherence to the Guide will go a long way towards ensuring compliance throughout Europe, it is, strictly speaking, the UK regulator’s interpretation of amendments to the European E-Privacy Directive (2002/58/EC). As a result, compliance with the UK guidance by, say, a Service Provider in Germany may not necessarily ensure compliance from the German regulator’s perspective.
The ICO has said that it intends to issue further guidance in the near future on the use of the Information Commissioner’s powers in the context of breach notifications, which will hopefully give further insight into the ICO’s enforcement priorities. Although it remains to be seen whether the fixed penalty of £1,000 per occurrence will be sufficient to encourage Service Provider compliance, Service Providers in Europe that wish to avoid being made an example of should review their internal policies and controls against the Guide now to avoid potential compliance issues.