Consultation on Personal Data Breach Notification
European organisations that are telecoms operators and internet service providers are subject to personal data breach notification under the revised ePrivacy Directive (2009/136/EC) which was passed on 25th May 2011, and is part of the Telecoms Reform package. The European Commission is now consulting stakeholders to gather evidence about existing practices and initial experience of the new rules.
A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the subscriber or individual concerned. Therefore, as soon as the provider of publicly available electronic communications services becomes aware that such a breach has occurred, it should notify the breach to the competent national authority.
You might wonder if this has any relevance if your organisation is neither a telecoms operator nor internet service provider. Well, personal data breach notification could become more widespread in the future, and therefore I think it is important to get this right as far as possible for the "pioneer" sectors.
The subscribers or individuals whose data and privacy could be adversely affected by the breach should be notified without delay in order to allow them to take the necessary precautions.
The public consultation, "ePrivacy Directive: Circumstances, Procedures and Formats for Personal Data Breach Notifications", is, as the name suggests, seeking input on three issue areas:
- Circumstances: how organisations comply, or intend to comply, with the new obligation under the telecoms rules; the types of breaches that would trigger the requirement to notify the subscriber or individual; and examples of protection measures that can render data unintelligible;
- Procedures: the notification deadline, the means of notification and the procedure for an individual case;
- Formats: the contents of the notification to the national authority and to the individual, existing standard formats and the feasibility of a standard EU format.
The information already gathered by ENISA will be very useful here together with the Article 29 Working Group's Opinion 01/2011 (WP 184).
The consultation asks respondents to reply to 28 particular questions which give a good indication of how specific subsequent guidance will be. The majority are aimed at organisations in these two sectors, but the issues of incident handling procedures, technological protection measures to render data unintelligible, speed of response and record keeping have wider applicability. So perhaps there will be some useful information for your own web/system incident response plan.
The consultation closes on 9th September 2011.
Posted on: 02 August 2011 at 08:16 hrs