Service providers are required to notify the ICO if a ‘personal data breach’ occurs. They must also notify customers if the breach is likely to adversely affect customers’ privacy, and keep a breach log.
In more detail…
- What is a ‘personal data breach’?
- What must we do if there is a breach?
- When and how do we notify the ICO?
- When and how do we notify our customers?
- What do we need to record in our breach log?
A personal data breach is:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.
A personal data breach may mean that someone other than the data controller gets unauthorised access to personal data. But a personal data breach can also occur if there is unauthorised access within an organisation, or if a data controller’s own employee accidentally alters or deletes personal data.
Service providers (eg telecoms providers or internet service providers) have certain obligations if a personal data breach occurs. These are set out in regulation 5A.
If you are a service provider, you must:
- notify the ICO;
- consider whether to notify your customers; and
- record details in your own breach log.
This takes the place of the UK GDPR breach reporting obligations: you don’t need to take any separate action under the UK GDPR to report the breach.
You must notify the ICO within 24 hours of becoming aware of the essential facts of the breach. This notification must include at least:
- your name and contact details;
- the date and time of the breach (or an estimate);
- the date and time you detected it;
- basic information about the type of breach; and
- basic information about the personal data concerned.
Please use our breach notification form. You can attach documents to the form if necessary.
If possible, you should also include full details of the incident, the number of individuals affected and its possible effect on them, the measures taken to mitigate those effects, and information about your notification to customers. If these details are not yet available, you must provide them as soon as possible. You must submit a second notification form to us within three days, either including these details, or telling us how long it will take you to get them.
Failure to submit breach notifications can incur a £1,000 fine.
If the breach is likely to adversely affect the personal data or privacy of your subscribers or users, you need to notify them of the breach without unnecessary delay. You need to tell them:
- your name and contact details;
- the estimated date of the breach;
- a summary of the incident;
- the nature and content of the personal data;
- the likely effect on the individual;
- any measures you have taken to address the breach; and
- how they can mitigate any possible adverse impact.
You do not need to tell your subscribers about a breach if you can demonstrate that the data was encrypted (or made unintelligible by a similar security measure).
If you decide not to tell your customers, we (the ICO) can require you to do so if we consider the breach is likely to adversely affect them.
You must also keep your own record of all personal data breaches in an inventory or log. It must contain:
- the facts surrounding the breach;
- the effects of the breach; and
- remedial action taken.
For more information, see our detailed guidance for service providers on notification of PECR security breaches.