ICO responds to Culture, Media and Sport Committee's report on cyber security

The Information Commissioner, Ms Elizabeth Denham, has responded to the Culture, Media and Sport Committee's First Report of Session 2016-17 on Cyber security: Protection of Personal Data Online (HC 148, 20 June 2016) (see Legal update, Culture, Media and Sport Committee publishes report into cyber security recommending custodial sentence for data breach offences). Generally, the Commissioner welcomes the report and drew the Committee's attention to those aspects of the General Data Protection Regulation (GDPR) which will help to protect personal data online.

Of particular note, the Commissioner confirmed that the ICO had published the outcome of its investigation into the TalkTalk data breach (see Legal update, ICO issues record £400,000 monetary penalty notice for TalkTalk data breach). The Commissioner stated that the ICO's ability to levy a £1000 fine on communications service providers for failing to report a data breach within 24 hours derives from the E-Privacy Directive which is currently under review (see Legal update, European Commission consults on E-Privacy Directive). Further, she said that although the ICO does not have the jurisdiction to conduct a review as to whether adequate redress is provided by the small claims court for individuals to claim compensation for a data breach, it would support such a review.

The Commissioner confirmed that the need to introduce custodial sentences to reflect the seriousness of the offence is being brought into increasing focus as a result of the recent Advocate General's Opinion in case C-698/15 (see Legal update, Advocate General of the ECJ advises that bulk data collection is only lawful in serious crimes cases). Ms Denham said that the ICO would welcome the introduction of non-consensual audit powers for all organisations, regardless of the sector or industry, rather than the current piecemeal approach (currently the ICO has the power to audit central government and public sector health bodies). Also, she confirmed that work on the privacy seal scheme continues and the ICO is aiming to make an announcement by the end of the year (see Legal update, ICO publishes summary of responses to privacy seals consultation).

Source: Culture, Media and Sport Committee, Fourth Special Report, Appendix: Information Commissioner's response, 12 October 2016.