Information Commissioner's Office
Change to regulation concerning communication service providers
The Information Commissioner’s Office (ICO) has written to communication service providers (CSPs) about their obligations under Regulation 5A of the Privacy and Electronic Communications Regulations 2003 (PECR).
Regulation 5A requires a CSP to notify the ICO within 24 hours of any personal data breach, no matter how small, that has occurred. If a report is not received in time, the ICO can issue a fixed penalty of £1,000 to a CSP.
The ICO has decided to stop enforcing personal data breach reports made under Regulation 5A. That’s because our analysis of these reports indicates that incidents usually relate to human error involving one individual and are quickly resolved, and the providers put remedial measures in place to ensure the error does not happen again.
This decision will not affect the duty of CSPs to report significant personal data breaches within 72 hours in line with UK GDPR.
As part of ICO25 – our three-year strategic plan – we are aiming to reduce data protection compliance burdens and costs for businesses by providing regulatory clarity, support and guidance, as well as focussing our resources where we can have the greatest impact.
The change to how we regulate Regulation 5A will reduce what the ICO believes is a disproportionate burden on CSPs to report low-risk incidents. The ICO currently receives notification of around 10,000 incidents per year under the regulation. We will still expect CSPs to report high-risk incidents and we will review them in line with UK GDPR.
This change will also allow the ICO to better use resources on investigations where significant harm has been, or is likely to be, caused to individuals and where we can have the greatest impact as a proportionate regulator.
Latest News from
Information Commissioner's Office
Update on the ICO’s change of approach to regulating communication service providers (03/02/2023 15:10:00)
The Information Commissioner’s Office (ICO) published a statement on 20 January 2023 about the obligations of public electronic communications service providers (CSPs) under Regulation 5A of the Privacy and Electronic Communications Regulations 2003 (PECR).