Privacy Advisor

UK—ICO Publishes New PECR Breach Notification Guidance for Telcos and ISPs

October 22, 2013

By Brian Davidson, CIPP/E

The ICO has published new data breach notification guidance for telecom providers and Internet Service Providers operating under the Privacy and Electronic Communications Regulations 2003 (PECR).

PECR contains the rules on marketing and advertising by different communication media, such as email and fax, the notice and consent rules on the serving of cookies, and the rules that telecoms providers and ISPs must follow if they suffer a data security breach. Such organisations are required to notify the ICO within 24 hours of becoming aware of the basic facts of a security breach.

The guidance explains the new procedures in detail and requires organisations to notify the ICO within 24 hours of detecting a breach, using a centralised online form that asks for basic details of the organisation and the initial information it can provide about the breach. Previously, this was done by emailing the ICO a completed template form.

Organisations submitting this initial form are then expected to submit a second notification form containing further details of the breach within three days, followed by a final notification containing any outstanding details as soon as possible after that. Applicable service providers are also asked to submit their monthly breach logs using the new secure online form. If the breach is likely to “adversely affect” individuals, the service provider must also notify those individuals “without undue delay”, in addition to notifying the ICO.

A copy of the guidance is available here.

A copy of the notification form is available here.

Brian Davidson, CIPP/E, is a privacy and information law advisor at Field Fisher Waterhouse, LLP.