UK Law and Practice Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP
PECR and CA 2003

Regulation 5(1A) of the PECR requires service providers to:

• restrict access to personal data to only authorised personnel;
• protect personal data against “accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure”; and
• implement a security policy with regard to the processing of personal data.

Service providers are also required to retain a log of the personal data breaches pursuant to Regulation 5A(8) of the PECR.

Guidance on Security Requirements published by Ofcom in relation to the CA 2003 states that it is necessary to establish “clear lines of accountability, up to and including board or company director level, and sufficient technical capability to ensure that potential risks are identified and appropriately managed”. The guidance further states that “a level of internal security expertise, capacity, and appropriate accountability mechanisms, sufficient to provide proper management of (security risks)” must be maintained. The guidance also references the following:

• the importance of internal risk assessments;
• the need for sufficient oversight of networks and services to enable fast identification of significant security incidents;
• a requirement to put in place security measures that exceed those in the Cyber Essentials scheme; and
• the importance of intelligence-led vulnerability testing to manage cyber-risks.

Regulation 2(1) of the PECR defines a “personal data breach” as a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of – or access to – personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service. The security and breach notification requirements under Regulation 5 of the PECR apply to personal data.

Under Regulation 5A of the PECR, service providers are required to notify the ICO in the event of a personal data breach (as defined under Regulation 3 of the PECR). Pursuant to Article 2(2) of the Notification Regulation, such notification must be made where feasible, no later than 24 hours after the detection of the personal data breach. A notification to the ICO is not required where an organisation is responsible for delivering part of the service but does not have a direct contractual relationship with end users. In such cases, the organisation must notify the organisation that does have the contractual relationship with end users, and that organisation must then notify the ICO. The service provider is also required to notify (without undue delay) the concerned subscriber or user where the breach is likely to adversely affect their personal data or privacy, unless the service provider can demonstrate to the ICO that the data was made unintelligible (eg, encrypted).

The security breach notification requirements under Section 105K(1)(a) of the CA 2003 apply to public electronic communications networks and systems: network and service providers must notify Ofcom of security breaches that have a significant impact on the operation of a public electronic communications network. Section 105(A) of the CA 2003 broadly defines a “security compromise” as including “anything that compromises the availability, performance or functionality of the network or service”. In