ICO and NCSC Clarify the Roles they Play Following Data Breaches
Both organisations vowed to share anonymised and aggregated information with each other to assist with their respective understanding of risk.
The National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO) have clarified the roles each plays in dealing with the aftermath of a data breach.
Speaking on the second day of CYBERUK, the NCSC's annual conference, in Glasgow, NCSC chief executive Ciaran Martin and ICO deputy commissioner James Dipple-Johnstone outlined the understanding reached between the two organisations.
The NCSC manages cyber incidents of national importance to reduce harm caused to victims and to the UK, help with managing the response and learn lessons to help deter future attacks.
The ICO is the independent regulator responsible for monitoring and enforcing the General Data Protection Regulation (GDPR), and the competent authority for Digital Service Providers under the NIS Directive. Organisations that suffer a breach are therefore expected to notify the ICO of the incident, cooperate with it and take remedial action.
Among the commitments outlined was greater clarity about the separate roles and responsibilities each organisation has after a cyber incident, making it easier for a victim to deal with the right authority at the right time.
The NCSC has vowed to engage directly with victims to understand the nature of the incident and provide free and confidential advice to help mitigate its impact in the immediate aftermath.
It will encourage impacted organisations to meet their obligations under GDPR and the NIS Directive, while reassuring them that the NCSC will not share information reported to it on a confidential basis with the ICO without first seeking the consent of the organisation concerned.
It also aims to help the ICO expand its GDPR guidance as it relates to cyber incidents.
Meanwhile, the ICO will focus its early-stage engagement on the vital steps required to help impacted organisations mitigate the risks to individuals and stand up an effective investigation.
It said it will also establish the circumstances of the incident, making sure that organisations have adequately protected any personal data put at risk and, where there is a high risk to individuals, that they have properly met their legal responsibilities.
Both organisations will share anonymised and aggregated information with each other to assist with their respective understanding of the risk.
Both organisations also committed to amplifying each other's messages and promoting consistent, high-quality advice, so that the UK is secure and resilient against cyber threats.
Martin said: “This framework will enable both organisations to best serve the UK during data breaches, while respecting each other’s remits and responsibilities.
“The development of this understanding is as a result of a constructive working relationship between our organisations, and we remain committed to an open dialogue on strategic issues.
“While it’s right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim.”
Dipple-Johnstone said: “It’s important organisations understand what to expect if they suffer a cyber security breach.
“The NCSC has an important role to play in keeping UK organisations safe online, while our role reflects the impact cyber incidents have on the people whose personal data is lost, stolen or compromised.
“Organisations need to be clear on the legal requirements on when to report these breaches to the ICO, and the potential implications, including sizeable fines, if these requirements aren’t followed.”
The NCSC will seek similar clarity on its working relationship with law enforcement colleagues, who are at the core of the response to malicious data breach incidents.