Under the revised Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), public electronic communications service providers are required to notify the ICO when a personal data breach occurs.
The regulations require that -
- a record of all security breaches is kept in a log of personal data breaches
- the Information Commissioner is notified of any security breaches
- subscribers need to be informed of the breach without delay if it is likely to adversely affect their personal data or privacy
For now, this law only applies to providers of public electronic communications services (not users of the JANET network), but the European Commission are keen that similar requirements be extended to all other organisations handling personal data. So it’s probably worth planning for when (not if) these requirements come to cover all colleges and universities.
The new guidance on how to respond to security breaches can be found on the ICO website.