UK cyber-authority promises not to tell ICO of data breaches as matter of course
Chris Hamblin, Editor, London, 25 April 2019
The UK's National Cyber Security Centre will not share information that it receives about transgressions against the European Union's General Data Protection Regulation with the Information Commissioner's Office automatically, it has emerged.
The NCSC's chief executive and the Information Commissioner made this pledge at a conference entitled CYBERUK, which is still in progress in Glasgow. An ICO spokeswoman told Compliance Matters that their actual words were: "The NCSC will encourage impacted organisations to meet their requirements under GDPR and the NIS [network and information systems] Directive, while reassuring organisations that the NCSC will not share information reported to them on a confidential basis with the ICO without first seeking the consent of the organisation concerned."
Bloomberg reported from the conference that this concession "is designed to prevent new data privacy laws from having a chilling effect on businesses' willingness to share information about cyber attacks with the government."
The NCSC is part of the scandal-struck Government Communications Headquarters, or GCHQ, so this attempt to stop banks and other businesses from viewing it with suspicion is unlikely to meet with much success. Peter Armstrong, who ran the UK's critical national infrastructure desk for GCHQ as its mission director, told MetricStream's governance, risk and compliance conference in London in 2015 that "the director of the agency Iain Lobban lost his job over the Snowden revelations."