The UK Information Commissioner’s Office (ICO) has produced a new form for organisations to report data breaches. While public electronic communications service providers are required to notify the ICO of personal data security breaches, currently there is no obligation on other businesses to do so under UK law. However, according to existing ICO guidance, serious breaches should be brought to the attention of the ICO.


The instructions outlined in the new form indicate that, before completing the form, data controllers should read the ICO’s earlier guidance, “Notification of Data Security Breaches to the Information Commissioner’s Office.” This guidance sets out various factors to be taken into account in deciding whether a breach is serious enough to merit reporting to the ICO and also sets out the types of information that should be provided when making a notification.


The questions contained in the new form largely correspond to the types of information sought by the ICO under its earlier guidance; the form also asks the data controller to indicate whether there has been any media coverage of the incident.


It is clear that the form is intended as an aid to compliance rather than as a limit on the information to be provided to the ICO. It states that, in addition to completing the form, the ICO welcomes other relevant information, e.g. incident reports. While the form is available, once it is completed it should be submitted by e-mail to the address specified in the form or sent by post.