Security breaches

Who needs to notify security breaches under PECR?

Under the revised Regulations, public electronic communications service providers are required to notify us if a personal data breach occurs.

A personal data breach means "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service."

What do I need to do?

1) Keep a log of personal data breaches

You must keep a record of all personal data breaches in an inventory or log. It must contain:

  • the facts surrounding the breach;
  • the effects of that breach; and
  • remedial action taken.

We have produced a template log to help you record the information you need.

2) Notify breaches to the ICO

You must notify the Information Commissioner of any personal data breaches. This notification must include at least a description of:

  • the nature of the breach;
  • the consequences of the breach; and
  • the measures taken or proposed to be taken by the provider to address the breach.

To make this process easier, we suggest that you send your log to us on a monthly basis. This means you won’t have to record the information twice and will meet your requirement to notify any security breaches without unnecessary delay.

However, if the breach is of a particularly serious nature you need to notify us about the breach as soon as possible, by filling in the security breach notification form (PECR).

When thinking about whether a breach is of a serious nature, we recommend that you consider:

  • the type and sensitivity of the data involved;
  • the impact it could have on the individual, such as distress or embarrassment; and
  • the potential harm, such as financial loss, fraud, theft of identity.

Please email all security breach notifications to us at datasecuritybreach@ico.gsi.gov.uk.

Failure to comply with the requirement to submit breach notifications can incur a £1,000 fine.

For more practical information on how to notify us about PECR security breaches please see our guidance for service providers.

3) Notify breaches to your subscribers

You may also need to tell your subscribers. If the breach is likely to adversely affect their personal data or privacy you need to, without unnecessary delay, notify them of the breach. You need to tell them:

  • the nature of the breach;
  • contact details for your organisation where they can get more information; and
  • how they can mitigate any possible adverse impact of the breach.

You do not need to tell your subscribers about a breach if you can demonstrate that you have measures in place which would render the data unintelligible and that those measures were applied to the data concerned in the breach.

If you don’t tell subscribers, the ICO can require you to do so if it considers the breach is likely to have an adverse effect on them.