More on Breach Notification

Further to my last posting on breach notification, my attention has been drawn to a recent (22nd October 2009) draft text of the proposed Directive to amend the EC telecoms directives.

As an amendment to the existing Directive 2002/58/EC the new proposals would apply in the first instance only to public telecommunications networks and services. However, as expected, this draft calls for a wider breach notification law: “The interest of users in being notified is clearly not limited to the electronic communications sector, and therefore explicit, mandatory notification requirements applicable to all sectors should be introduced at Community level as a matter of priority” (recital 59).

The current proposals would require communications providers to notify their national regulator (presumably the Information Commissioner in the UK) whenever they suffer a security breach affecting personal data. In addition, the individuals affected should be informed where the breach could result “for example, [in] identity theft or fraud, physical harm, significant humiliation or damage to reputation” (recital 61): the draft recognises that there may be circumstances where such misuse is unlikely and notification therefore unnecessary, for example if the personal information was encrypted (Article 2 4(c) on pages 74-76). Notifications should include information about what the provider has done to address the breach as well as what individuals may do themselves.

It has been argued that this in fact goes no further than current good practice in the UK, as contained in the Information Commissioner’s existing guidance on data security breach management and notification of data security breaches. It will be interesting to see what the UK implementation, required within 18 months of the Directive being finally published, makes of this.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
