Privacy & Information Security Law Blog

On September 26, 2013, the UK Information Commissioner’s Office (“ICO”) published new breach notification guidance (the “Guidance”), applicable to telecom operators, Internet service providers (“ISPs”) and other public electronic communications service (“ECS”) providers.

The UK Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) implement the revised e-Privacy Directive 2009/136/EC, and contain wide-ranging rules on marketing and advertising by telephone, fax, email and text message, as well as rules relating to cookies and security breaches. The breach notification requirements contained in the PECR apply to ECS providers (e.g., telecom providers and ISPs). In the event of a data breach, these entities must notify the ICO within 24 hours of becoming aware of the basic facts of the breach.

The Guidance sets out the breach requirements that must be provided to the ICO. A secure online form for all notifications is now available; previously service providers were expected to complete a breach notification form and email it to the ICO. The form is high-level and anticipates that notifying organizations may be awaiting further details from an internal investigation. Organizations submitting an initial breach notification form are expected to submit a second notification form containing further details of the breach within three days. If a data breach is likely to adversely affect individuals, the organization must notify those individuals “without undue delay” in addition to notifying the ICO. Data breach logs also must be maintained and submitted to the ICO on a monthly basis. The ICO provides a template log to help service providers understand what information needs to be submitted to the ICO.

The Guidance follows new technical implementing measures for data breach notification issued by the European Commission in June, which took effect in August 2013.