The Information Commissioner's Office (ICO) has a number of memorandums of understanding (MoUs) in place with other authorities. This now includes the National Cyber Security Centre (NCSC), the technical authority charged with defending the UK from cyber risks, which is often involved in incident response. Since cyber incidents will frequently affect personal data, or involve organisations subject to the NIS Regulations 2018 where the ICO is the ‘competent authority’, the NCSC and ICO will often each have skin in the game when it comes to incident response – and you know what they say about having too many cooks, or serving two masters. This MoU therefore seeks to set out the framework for co-operation and information sharing between those two bodies.
The MoU is a statement of intent (i.e. it does not give rise to binding legal obligations) that touches on six areas, from the development of security standards and guidance (with particular focus on how the ICO might use the NCSC’s Cyber Assessment Framework) to public communications and press releases.
In practice, when it comes to how this MoU affects practitioners at the coal face, whilst there is nothing surprising in its content, there are three points of particular interest:
- Benchmarking cybersecurity – the ICO will continue to assess what is ‘appropriate’ when it comes to cybersecurity by reference, albeit non-exclusively, to the NCSC’s technical standards and guidance, as well as use by organisations of its accredited training courses and assurance providers. The ICO will also recognise and encourage “appropriate engagement” with the NCSC on cybersecurity matters, including on incident response – so organisations should not be shy to consider consulting with the NCSC where appropriate, not least because it might just reduce any regulatory sanction further down the line.
- Information sharing with the ICO – organisations have historically been reluctant to consult with the NCSC (or at very least been guarded when doing so) in relation to a security incident for fear of details being disclosed by the NCSC to the ICO, despite past assurances that this would not happen. The MoU was therefore the opportunity for the NCSC to confirm “for the avoidance of doubt” that information from an organisation it is engaged with on a cyber incident will not be shared with the ICO unless that organisation has consented (for those interested, the MoU also refers to the legal provisions which prevent the NCSC from doing so).
- Deconfliction of roles – when it comes to managing incidents, the NCSC and ICO have agreed not to step on each other’s toes. So, for example, the NCSC will not give a view on whether an incident is notifiable to the ICO; and the priority where both the ICO and NCSC are engaged on an incident will be remediation and mitigating harm, with the ICO ensuring that organisations are able to prioritise their engagement with the NCSC and their incident responders in the immediate aftermath. Those subject to the NIS Regulations 2018 will also note that the MoU contains some NIS-specific provisions.
Organisations looking for additional assurance and incentive to work with the NCSC when responding to cyber incidents will certainly welcome this MoU, and the hope is that it will play an important role in improving the UK's cyber resilience. How effective it is, however, remains to be seen.
The MoU reaffirms that the NCSC will never pass information shared with it in confidence by an organisation to the ICO without having first sought the consent of that organisation.