You are here


Survey Answer:

A Communications Act 2003
• Public electronic communications network providers and public electronic communications service providers must take appropriate measures (both technical and organisational) to manage security risks to networks and services. Such measures include preventing or minimising the impact of security incidents on both end users and on connections between networks. Network providers must take all appropriate steps to protect the availability of their network.
• A provider must notify Ofcom:
• of a security breach having a significant impact on the operation of a network or a service; or
• of a reduction in availability of a network which has a significant impact on the network.
B The Directive on Security of Network and Information Systems (EU) 2016/1148 (the “NIS Directive”) For more detail please refer to Q3.2 below
C Official Secrets Act 1989
• The Official Secrets Act 1989 creates offences for servants of the Crown and UK government contractors relating to the disclosure of (or failure to secure) information which (i) is damaging to the armed forces, security services or intelligence services, (ii) endangers the lives of British citizens abroad or (iii) damages the UK’s interests abroad. Businesses which this applies to should have been notified of their obligations by the relevant arm of the Government.
D Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”)
• Public electronic communications service providers must take appropriate technical and organisational measures to safeguard the security of their services, including to protect personal data which they store or transmit against:
- accidental or unlawful destruction;
- accidental loss or alteration; and
- unauthorised or unlawful storage, processing, access or disclosure; and
• A service provider must notify the Information Commissioner’s Office (“ICO”) of a personal data breach, unless the ICO is satisfied that appropriate technological protections rendered the data unintelligible to any person who is not authorised to use it. If a breach is likely to adversely affect a user’s personal data or a user, the service provider should notify the individual.

Provided By:
Rupert Casey and Martin Sloan: Macfarlanes LLP (England/Wales)/Brodies LLP (Scotland)