Service providers are required to notify the ICO if a ‘personal data breach’ occurs. They must also notify customers if the breach is likely to adversely affect customers’ privacy, and keep a breach log.
In more detail…
- What is a ‘personal data breach’?
- What must we do if there is a breach?
- When and how do we notify the ICO?
- When and how do we notify our customers?
- What do we need to record in our breach log?
A personal data breach is:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.
A personal data breach may mean that someone other than the data controller gets unauthorised access to personal data. But a personal data breach can also occur if there is unauthorised access within an organisation, or if a data controller’s own employee accidentally alters or deletes personal data.
Service providers (eg telecoms providers or internet service providers) have certain obligations if a personal data breach occurs. These are set out in regulation 5A.
If you are a service provider, you must:
- notify the ICO;
- consider whether to notify your customers; and
- record details in your own breach log.
This takes the place of GDPR breach reporting obligations. You don’t need to take any separate action to comply with the GDPR.
You must notify the ICO within 24 hours of becoming aware of the essential facts of the breach. This notification must include at least:
- your name and contact details;
- the date and time of the breach (or an estimate);
- the date and time you detected it;
- basic information about the type of breach; and
- basic information about the personal data concerned.
If possible, you should also include full details of the incident, the number of individuals affected and its possible effect on them, the measures taken to mitigate those effects, and information about your notification to customers. If these details are not yet available, you must provide them as soon as possible. You must submit a second notification form to us within three days, either including these details, or telling us how long it will take you to get them.
Failure to submit breach notifications can incur a £1,000 fine.