New Breach Notification Law

Wednesday, June 6, 2012 - 10:49

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 have now been published, amending the previous Privacy and Electronic Communications (EC Directive) Regulations 2003 as required by the new EC Telecommunications Directives.

As well as new law on cookies that has been discussed previously (Regulation 6), the regulations introduce into UK law a requirement to notify the Information Commissioner, and in some cases the affected users, of breaches affecting the security of personal data. For now, this law only applies to providers of public electronic communications services, but the European Commission are keen that similar requirements be extended to all other organisations handling personal data. So it's probably worth planning for when (not if) these requirements come to cover all of us.

Regulation 5 (inserting regulation 5A into the original law) requires all security breaches affecting personal data to be notified to the Information Commissioner, giving information about the nature of the breach, the consequences, and the measures taken to remedy it. If the breach is likely to "adversely affect the personal data or privacy of a user or subscriber" then the service provider must also inform affected users and subscribers of what they can do to protect themselves against the breach: this requirement is waived if "appropriate technological protection measures" were applied to the personal data - encryption seems likely to be one such measure.

Given my concern that notification of breaches will be seen as failure, thus creating an incentive for organisations to hide their breaches, it's a bit disappointing to see that the punishment for failing to notify appears to be only a fixed penalty of £1000 (reduced to £800 for prompt payment). But at least the legislation concentrates on helping affected users recover from problems, rather than the naming-and-shaming approach that has been the focus in some other breach notification laws.