# PECR: Personal Data Breach (Regulation 5A)

## Personal Data Breach [Reg 5A]
Rule: Providers of public electronic communications services must notify the ICO of personal data breaches.

### Notification requirements

| Requirement | Details | Citation |
|---|---|---|
| Notify ICO | Of any personal data breach | Reg 5A(2) |
| Without undue delay | As soon as practicable | Reg 5A(2) |
| Notify subscriber or user | If the breach is likely to adversely affect the personal data or privacy of a subscriber or user | Reg 5A(3) |
| Timing to subscriber or user | Without undue delay | Reg 5A(3) |

### Content of notification [Reg 5A(5)]

| Information | Required? |
|---|---|
| Nature of breach | Yes |
| Contact point for more info | Yes |
| Recommendations to mitigate adverse effects | Yes |
| Consequences of breach | Yes |

### When subscriber notification not required [Reg 5A(4)]

| Exception | Details | Citation |
|---|---|---|
| Data rendered unintelligible | Appropriate technological protection measures (such as encryption) render the data unintelligible to anyone not authorised to access it | Reg 5A(4) |
| ICO satisfied | The provider has demonstrated to the Information Commissioner's satisfaction that those measures were implemented; both conditions must be met together, not as alternatives | Reg 5A(4) |

### Source Text

5A.—(1) In this regulation “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.
(2) If a personal data breach occurs, the provider of the public electronic communications service shall, without undue delay, notify the breach to the Information Commissioner.
(3) Subject to paragraph (4), if a personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user, the provider of the public electronic communications service must also, without undue delay, notify the breach to the subscriber or user concerned.
(4) The notification referred to in paragraph (3) is not required if the provider has demonstrated to the satisfaction of the Information Commissioner that the provider has implemented appropriate technological protection measures which render the data unintelligible to any person who is not authorised to access it…