New Breach Notification Law
The Privacy and Electronic Communications (EC Directive)(Amendment) Regulations 2011 have now been published, amending the previous Privacy and Electronic Communications (EC Directive) Regulations 2003 as required by the new EC Telecommunications Directives.
As well as new law on cookies that has been discussed previously (Regulation 6), the regulations introduce into UK law a requirement to notify the Information Commissioner, and in some cases the affected users, of breaches affecting the security of personal data. For now, this law only applies to providers of public electronic communications services, but the European Commission are keen that similar requirements be extended to all other organisations handling personal data. So it's probably worth planning for when (not if) these requirements come to cover all of us.
Regulation 5 (inserting regulation 5A into the original law) requires all security breaches affecting personal data to be notified to the Information Commissioner, giving information about the nature of the breach, the consequences, and the measures taken to remedy it. If the breach is likely to "adversely affect the personal data or privacy of a user or subscriber" then the service provider must also inform affected users and subscribers of what they can do to protect themselves against the breach: this requirement is waived if "appropriate technological protection measures" were applied to the personal data - encryption seems likely to be one such measure.
Given my concern that notification of breaches will be seen as failure, thus creating an incentive for organisations to hide their breaches, it's a bit disappointing to see that the punishment for failing to notify appears to be only a fixed penalty of £1000 (reduced to £800 for prompt payment). But at least the legislation concentrates on helping affected users recover from problems, rather than the naming-and-shaming approach that has been the focus in some other breach notification laws.