In brief…
Service providers must take appropriate measures to safeguard the security of their service. What ‘appropriate’ means depends on the nature of the risk, the technology available, and the cost.
Service providers must also inform their customers of any significant security risks.
In more detail…
- Who has security obligations?
- What must we do to comply?
- What are ‘appropriate measures’?
- What must we tell our customers about security risks?
Who has security obligations?
Service providers (eg telecoms providers or internet service providers) must safeguard the security of that service.
Network providers (organisations that operate and maintain the underlying network) must comply with any reasonable security requests made by the service provider.
What must we do to comply?
Security obligations are set out in regulation 5. If you are a service provider, you must take appropriate technical and organisational measures to safeguard the security of your service.
You must also inform your customers of any significant security risks.
What are ‘appropriate measures’?
An appropriate measure is one that is proportionate to the risks it safeguards against. You can take into account the state of technological development and the cost of implementing the measure.
Regulation 5(1A) says these measures must at least:
“(a) ensure that personal data can be accessed only by authorised personnel for legally authorised purposes;
(b) protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and
(c) ensure the implementation of a security policy with respect to the processing of personal data.”
These provisions are similar to security obligations in the UK GDPR, although PECR security obligations for service providers override the equivalent UK GDPR provisions. However, our Guide to GDPR is still a useful source of guidance on security measures.
Regulation 5(2) says that, if necessary, you should take measures in conjunction with the network provider. This regulation aims to ensure reasonable cooperation between service and network providers.
The ICO has the power to audit a service provider's security measures.
What must we tell our customers about security risks?
If you take appropriate measures but there is still a significant risk to the security of the service, you must inform subscribers of:
- the nature of the risk;
- any measures they can take to safeguard against it; and
- the likely cost to them of taking those measures.
You must provide this information free of charge, except for any nominal costs the subscriber may have in receiving or collecting the information (eg the cost of downloading an email).