An electronic communications service is defined in the Communications Act 2003 as ‘a service consisting of, or having as its principal feature, the conveyance by means of an electronic communications network of signals, except in so far as it is a content service’. A public electronic communications service is any such service that is provided so as to be available for use by members of the public.
A provider of a public electronic communications service must take appropriate technological and organisational measures to safeguard the security of its services. An appropriate measure is one that is proportionate to the risks it would safeguard against, taking account of the state of technological development and the cost of implementing the measure.
These measures must at least:
(a) ensure that personal data can be accessed only by authorised personnel for legally authorised purposes;
(b) protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and
(c) ensure the implementation of a security policy with respect to the processing of personal data.
These provisions are similar to the obligations on a data controller under the seventh data protection principle.
Regulation 5(2) states that, if necessary, such measures should be taken by the electronic communications service provider with the provider of the electronic communications network. An electronic communications network is defined in the Communications Act 2003 as:
‘(a) a transmission system for the conveyance, by the use of electrical, magnetic or electro-magnetic energy, of signals of any description; and
(b) such of the following as are used, by the person providing the system and in association with it, for the conveyance of the signals -
(i) apparatus comprised in the system;
(ii) apparatus used for the switching or routing of the signals; and
(iii) software and stored data’.
The Regulation aims to ensure reasonable co-operation between service and network providers.
Security risks
If service providers take appropriate measures but there is still a significant risk to the security of the service, they must inform the subscribers concerned of:
- the nature of the risk;
- any appropriate measures the subscriber may take to safeguard against the risk; and
- the likely costs to the subscriber involved in taking such measures.
They must provide this information to the subscriber free of charge except for any nominal costs the subscriber may incur while receiving or collecting the information, for example through downloading an email.
Security is not to be regarded as compromised if: