Carl Court/Getty Images
show image

NCSC: We won’t pass on confidential data breach info to ICO

The National Cyber Security Centre has vowed that it will only pass on confidential information about a cyber attack to the UK’s data protection watchdog if it has first secured permission from the affected business.

The announcement comes amid fears that companies are failing to seek assistance from NCSC because they are concerned the agency will pass on incriminating evidence to the Information Commissioner’s Office.

In a statement issued at CyberUK, the government’s annual security conference, on Thursday, NCSC chief executive Ciaran Martin sought to clarify the data sharing relationship between the two organisations.

“The development of this understanding is as a result of a constructive working relationship between our organisations, and we remain committed to an open dialogue on strategic issues,” he said. “While it’s right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim.”

NCSC also pledged to help the ICO expand the GDPR guidance it provides to businesses in relation to cyber incidents, and encourage victims to meet their legal requirements, such as reporting breaches to regulators.

The ICO, meanwhile, said it would develop the support it provides to help affected businesses protect individuals. The two organisations have also pledged to exchange aggregated data to inform their understandings of the security risks.

ICO deputy commissioner James Dipple-Johnstone said: “It’s important organisations understand what to expect if they suffer a cyber security breach.

“The NCSC has an important role to play in keeping UK organisation safe online, while our role reflects the impact cyber incidents have on the people whose personal data is lost, stolen or compromised.

“Organisations need to be clear on the legal requirements when to report these breaches to the ICO, and the potential implications, including sizeable fines, if these requirements aren’t followed.”

Joseph Carson, chief security scientist at Thycotic, welcomed the clarification. “This is hugely important and the right steps that both the NCSC and ICO have taken. Ensuring that businesses have trust with the government agencies so they can work with the NCSC during an ongoing cyber incident when time is critical knowing it is the businesses responsibility to report the incident to the ICO.”