UK Law and Practice Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP
2016 (IPA) and the Regulation of Investigatory Powers Act 2000 (RIPA) regulate electronic surveillance and interception in the UK and contain associated safeguards. These laws are increasingly being enforced by UK governmental authorities – including the ICO and sector-specific regulators such as the FCA – and by private individuals and organisations. Regulators are also increasingly collaborating on cybersecurity enforcement; examples include the ICO teaming up with the Competition and Markets Authority, the Office of Communications (Ofcom) and the FCA to form the Digital Regulation Co-operation Forum (DRCF).

In addition to legislation, English “common law” contains rules that are relevant to cybersecurity. There is a legal and ethical duty of confidence where information is shared in confidence and must not be disclosed without legal authority. The duty applies to information not already in the public domain and is subject to a number of exceptions, including where disclosure:

• has been consented to by the discloser; or
• is required by law.

The FCA rules, the PSRs, the OSA, the IPA, the RIPA and other sector-specific or specialised laws, and the common-law duty of confidence, are not further considered in this guide.

1.3 Cybersecurity Regulators

There are different UK regulators for each of the key UK cybersecurity legislations under consideration.

UK GDPR and DPA

In the UK, the ICO is responsible for monitoring the application of the UK GDPR and the DPA and for taking enforcement action against organisations for non-compliance with such legislation, including investigating personal data breaches and inadequate security measures. The ICO may initiate an investigation of its own accord or on the basis of a complaint submitted by, for example, a private individual or organisation. The ICO also has the power to conduct both off-site and on-site audits. Please note that prosecutions under the DPA can only be brought by the ICO or by (or with the consent of) the Director of Public Prosecutions (DPP).

NIS Regulations

With regard to the NIS Regulations, the “competent authority” is determined on an industry-by-industry basis through the Department for Science, Innovation and Technology (DSIT), which oversees the implementation of the NIS Regulations across the UK. For OESs in the oil sector, for example, the competent authority in England, Scotland and Wales is the Secretary of State for Business, Energy and Industrial Strategy – whereas in Northern Ireland it is the Department of Finance. The ICO is the competent authority for RDSPs.

Competent authorities may be reactive or proactive in terms of the incidents they choose to investigate, and they are supported by the National Cyber Security Centre (NCSC), which offers technical advice (except in healthcare, where this support is offered by NHS Digital). Certain organisations are also subject to regular compliance audits from their relevant competent authority – failing these audits can lead to fines of up to GBP17 million.

PECR and CA 2003

As regards the PECR, the ICO may audit the compliance of service providers pursuant to Regulation 5A of the PECR. Notifiable personal data breaches under Regulation 5A of the PECR