In order to allay concerns of organisations that NCSC may share incriminating information with the ICO resulting in punitive action, the NCSC has decided not to share confidential information with the ICO without first seeking the consent of the organisation concerned.
The NCSC (National Cyber Security Centre) encourages organisations to take advantage of its guidances to improve their cyber securty and to minimise the chances of breaches in the future. In the event of a breach, NCSC also takes active steps and works with organisations to reduce harm caused to victims and to the UK.
In contrast, the mandate of the Information Commissioner's Office is to investigate breaches suffered by organisations, advise organisations to undergo data protection assessments, and issue monetary fines under data protection laws if it finds that an organisation suffered a breach due to non-compliance with such regulations. Like NCSC, it also offers extensive guidance to organisation on how to improve their cyber security and adhere to existing laws and regulations.
Both NCSC and the ICO frequently coordinate their efforts to promote consistent, high quality advice to ensure organisations in the UK are secure and resilient to cyber threats. While a large number of businesses, small and large, regularly contact the National Cyber Security Centre to obtain advise on how to defend against a cyber threat or how to react to a breach, many organisations are not approaching NCSC out of fear that it may share incriminating information with the ICO which may result in punitive action.
NCSC & ICO to play separate roles
In order to allay their concerns, NCSC and the ICO recently released a joint statement announcing that going forward, they will have separate roles and responsibilities to make it easier for organisations to deal with the right authority / organisation at the right time.
In conformance to their new roles, NCSC will not share confidential information with the ICO without first seeking the consent of the organisation concerned and will engage directly with victims to understand the nature of the incident and provide free and confidential advice to help mitigate its impact in the immediate aftermath.
On its part, the ICO will establish circumstances of the incident, making sure that organisations have adequately protected any personal data put at risk and in circumstances of high risk to individuals organisations have properly met their legal responsibilities.
Only anonymised information will be shared
While coordinating their activities, both NCSC and the ICO will share anonymised and aggregated information with each other to assist with their respective understanding of the risk and amplify each other’s messages to promote consistent and high quality advice to organisations.
"While it’s right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim," said Ciaran Martin, chief executive of NCSC, adding that the new framework will enable both organisations to best serve the UK during data breaches, while respecting each other’s remits and responsibilities.
Reiterating the ICO's responsibilities, James Dipple-Johnstone, deputy commissioner of the ICO, said that the watchdog will continue to investigate the impact cyber incidents have on the people whose personal data is lost, stolen or compromised and that organisations "need to be clear on the legal requirements when to report these breaches to the ICO, and the potential implications, including sizeable fines, if these requirements aren’t followed."