The Information Commissioner’s Office has produced a new form for organisations to report a data breach.
While public electronic communications service providers are required to notify the ICO of personal data security breaches, currently there is no obligation on other businesses to do so. However, according to existing ICO guidance, serious breaches should be brought to the attention of the ICO.
The instructions outlined in the new form indicate that, before completing the form, data controllers should read the earlier guidance: Notification of Data Security Breaches to the Information Commissioner’s Office. This guidance sets out various factors to be taken into account in deciding whether a breach is serious enough to merit reporting it to the ICO and also sets out the types of information that should be provided when making a notification.
It is clear that the form is intended as an aid to compliance rather than circumscribing the information to be provided to the ICO. It states that, in addition to completing the form, the ICO welcomes other relevant information (e.g. incident reports). While the form is available online, once completed, it should be submitted by email to the address specified in the form or sent by post.
The questions contained in the new form largely correspond to the types of information sought by the ICO as per its earlier guidance. However, it is interesting to note that the form also requests information about whether there has been any media coverage of the incident. It is clear from the earlier ICO guidance that, whether or not there has been media coverage, is likely to influence the extent to which the Information Commissioner needs to provide reassurance to the public via appropriate enforcement action.
The ICO has indicated that it will not usually take enforcement action unless a data controller fails to take recommended steps or there are other reasons to doubt compliance or there is a need to provide reassurance to the public. Consequently, where there has been a large amount of publicity in relation to a particular incident, data controllers should brace themselves for some sort of regulatory action.
The new form is available on the ICO website here.