ENISA Report on Breach Notification

Wednesday, June 6, 2012 - 10:32

As discussed here previously, the revision of the European Telecommunications Directives in late 2009 introduced a requirement for telecoms providers to report breaches affecting personal data to their national regulators. Although the revised European Directive has not yet been transposed into national laws, ENISA has been surveying both regulators and telcos on their practice and plans. The results have been published in a mostly reassuring report.

There seems to be wide agreement that the main purpose of data breach notification should be to help affected individuals minimise the damage to themselves, and that the companies that held the information are best placed to do that. Reporting to regulators is seen as having the secondary purpose of ensuring that companies are fulfilling their duties. There is concern on all sides that breach notification should not overload reporters, regulators or recipients, creating 'notification fatigue', and agreement therefore that notifications to users should only be used for significant breaches. A straightforward way to assess the severity of a breach, which may involve a mixture of different types of personal data, is therefore required.

Interestingly, the report concentrates almost entirely on the kind of breaches, principally unauthorised access to customer or employee information, that could happen to any organisation. Since the regulators seem agreed that telcos are, in general, pretty good at the security practices needed to protect that information, it seems particularly odd that this sector was singled out for legislation. The report confirms that other types of organisation have a greater need for this kind of regulation, though it notes that sectors such as banking already have sector-specific regulation that may be stricter and carry heavier penalties. Avoiding conflicts with these other regulators is therefore important.

Although the UK does not yet have mandatory notification of personal data breaches, the Information Commissioner has published a good practice note on breach reporting for all types of organisation.