On 12 September 2023, the UK Information Commissioner and the Chief Executive of the National Cyber Security Centre (NCSC) signed a joint Memorandum of Understanding (MoU), which establishes how the NCSC and the Information Commissioner’s Office (ICO) will cooperate. The NCSC is the UK’s technical authority on cyber security, providing standards and guidance to organisations. The ICO is responsible for providing guidance on, and enforcing, the data protection rules in the UK, including the obligation on organisations to apply security measures to personal data.
The MoU sets out a collaboration framework whose aims are to codify and enhance joint working between the parties and to assist them in discharging their functions. In particular, the MoU addresses the following areas:
- Development of cyber security standards and guidance by each party: the NCSC developed the Cyber Assessment Framework (CAF) to be used by regulators. The ICO will provide feedback on its use of the CAF and the NCSC will provide technical support regarding the CAF’s application. The ICO and the NCSC will exchange information on the developments in international standards and guidance on cyber security to support each other’s abilities in this space.
- Assessing and influencing improvements in cyber security practices of regulated organisations: the ICO’s guidance will promote the application of the NCSC’s technical standards and guidance to mitigate cyber risk within the organisations it regulates. The NCSC may provide technical cyber security advice and assistance to the ICO.
- Information sharing: the NCSC will only share cyber incident information with the ICO where it has first sought consent from the affected organisation. Disclosure of this information without consent may be a breach of the statutory duty of the Director of GCHQ. The ICO may share information on cyber security incidents with the NCSC on an anonymised and aggregated basis and, where appropriate, on an organisation-specific basis, to reduce harm from such incidents.
- The NCSC supporting the ICO’s own cyber security: the NCSC will support the ICO’s own cyber security through the provision of technical tools and guidance, for example, by providing consultancy advice.
- Deconfliction between the NCSC and the ICO in relation to incident management: the NCSC will remind organisations of their regulatory obligations where a reported incident may be notifiable to the ICO. The ICO will recommend that an incident believed to be nationally significant is notified to the NCSC. The priorities of both the NCSC and the ICO are incident remediation and mitigation of harm to the organisation, its customers and the UK generally.
- Public communications: where possible, public communications on incidents involving both parties will be agreed between the Commissioner and the NCSC in advance.
This roadmap represents a step towards the UK becoming a safer place for organisations to operate in a digitalised world, with a key objective being to achieve higher national cyber security standards. It is envisaged that cooperation between the NCSC and the ICO will encourage transparency, better protect businesses and improve the chances of recovering from cyber threats.