Last updated: 
3 months 3 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Thoughts on Data Breach Notification

Wednesday, June 6, 2012 - 10:16

Regulators and governments are moving towards creating a requirement that anyone who suffers a security breach affecting personal data would have to report it. A number of American states already have such laws, the recent revision of the European Telecoms Framework Directive introduced a breach notification requirement for telecoms providers and the Commissioner has stated that this will be extended to all organisations in the forthcoming revision of the Data Protection Directive.

A number of benefits are claimed for mandatory reporting:

  • Allowing lessons to be learned from security breaches, so others can improve their processes;
  • Allowing those whose personal data is involved in a breach to protect themselves from the consequences;
  • Naming and shaming organisations that fail to take proper care of personal data.

Taking each of those separately they look like admirable objectives. However I'm concerned by implications that making notification mandatory will deliver all of them. It seems to me that the incentives and reporting requirements are very different for each of the three purposes, making it unlikely that you can achieve all of them at once. Indeed I suspect it may be impossible to achieve more than one and that attempts to do so will inevitably fail. My thinking is set out in a draft paper, which I'd very much welcome comments on.