NCSC will no longer flag security breaches to data regulator
UK cyber agency wants companies to seek security advice without the fear of fines


The National Cyber Security Centre (NCSC) will not automatically share information relating to companies that suffer data breaches with the UK's data regulator.
The cyber security agency's chief executive Ciaran Martin said that the framework would help both the NCSC and the Information Commissioner's Office (ICO) best serve the UK during data breaches, while at the same time respecting each other's remits and responsibilities to business.
The agreement, which the ICO has agreed to, means that companies that are subject to data breaches will be offered confidentiality, specifically from the ICO, should they seek advice from the NCSC. The hope is that this will encourage companies that might otherwise be put off by the fear of regulatory action to come forward and discuss the nature of a data breach.
"The development of this understanding is as a result of a constructive working relationship between our organisations and we remain committed to an open dialogue on strategic issues," he said.
"While it's right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim."
As part of this new arrangement, the NCSC will engage directly with victims to understand the nature of the incident and provide free and, crucially, confidential advice. It will also encourage impacted organisations to comply with the GDPR, but it will not report information to the ICO without first seeking consent from the victim.
"This is hugely important and the right steps that both the NCSC and ICO have taken," said Joseph Carson, chief security scientist at Thycotic. "Ensuring that businesses have trust with the government agencies so they can work with the NCSC during an ongoing cyber incident when time is critical knowing it is the business's responsibility to report the incident to the ICO.
"During a cyber breach, working with the NCSC can help the business potentially recover quickly and ensure it can be investigated giving the business time to identify whether or not they are required to report the incident to the ICO."
While the NCSC's role is to manage cyber incidents of national importance and advise businesses of best security practices, it also offers guidance on remedial steps after an incident. The ICO, on the other hand, is the independent regulator for the monitoring and enforcement of the General Data Protection Regulation (GDPR). Under the legislation, organisations that suffer breaches of data are required to notify the ICO of incidents, cooperate and take remedial action.
It represents a particularly unusual arrangement between two national agencies, with the NCSC potentially being made aware of a major cyber incident before any other government office, and having no legal obligation to report that to the ICO.
What's more, despite encouragement from the NCSC to report a breach, the agreement could provide further protections to those companies seeking to avoid large fines from an ICO investigation, fines which would only surface if the company has been negligent with the processing of user data. There is therefore a risk that, by trying to encourage companies to come forward confidentially, the NCSC could find itself impeding the work of the ICO.
Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.
Bobby mainly covers hardware reviews, but you will also recognize him as the face of many of our video reviews of laptops and smartphones.