Cyber laws to be updated: How will it strengthen the UK’s resilience?

What happened

• In January 2022, the government launched a public consultation on proposals for legislation to improve the UK’s cyber resilience, particularly relating to organisations that play an important role in the UK economy, such as managed IT service providers (MSPs)
• This followed updates to the EU’s cybersecurity regulations (the European Council formally adopted the second Network and Information Security Directive (NIS2 Directive) at the end of November 2022).
• The government’s response to the consultation has been agreement to proceed with all its original proposals and amend the UK’s NIS Regulations accordingly.
• The key proposed changes are: (i) bring managed service providers (MSPs) into scope to keep digital supply chains secure (ii) improve cyber incident reporting to regulators (iii) establish a cost recovery system for enforcing the regulations (iv) give the government the power to amend the NIS regulations in future to ensure they remain effective and (v) enable the ICO to take a more risk-based approach to regulating digital services.  
• The implementation timeframe is unclear and is likely to be ‘once parliamentary time allows’, however, an updated regime is unlikely to be in place before 2024.  

Why it matters

• A number of high-profile cyber-attacks has shown that regulatory reform is needed. These have highlighted that malicious actors can compromise a country’s national security, interfere with its critical infrastructure and cause significant economic harm and disruption. 
• The most significant change proposed is the broadening of the scope of the NIS Regulations to catch additional digital service providers (mainly those offering managed services) and these will now also be ‘relevant digital service providers’ within the Regulations.
• Data centres will not be regulated but will be kept under review. Some might already be captured due to their use by cloud service providers, and some might also fall in scope indirectly, being part of the network and information systems that support the provision of a managed service.
• Although there is no indication that penalties for non-compliance will increase above the £17m current threshold, the government has said it will aim through its reforms to enable regulators to recover their enforcement costs

What happened

• The new approach to regulatory and enforcement action adopted by the ICO looks set to continue in 2023.
• The ICO will modify its attitude towards regulatory action relating to public sector organisations.
• The ICO has stated that enforcement does not necessarily equate to fines but includes other ‘corrective powers’, e.g. warnings, reprimands, compliance orders, limitation orders, erasure of data and suspension of data flows. The number of fines should not be used as a yardstick by which to judge the ICO’s success.
• The ICO will regulate for outcomes rather than for outputs.
• The ICO believes that imposing fines on public bodies can penalise the victims of UK GDPR non-compliance by reducing the monies available to deliver public services, which is of little social benefit in times of economic crisis.
• Monetary penalties will remain an important tool, used where breaches have harmed or could harm individuals the most.
• All reprimands issued by the ICO will now be published. 

Why it matters

• The ICO believes that by educating others, it can drive behavioural change in compliance and the requirement for better accountability.
• It’s important that the whole economy is aware of data protection infringements and what action is taken.  
• When monetary penalties are considered for public authorities but reprimands are issued instead, the ICO will confirm the amount of the contemplated fine to warn others of the likely level of fines that could be imposed.
• The ICO wants to achieve greater certainty about the nature and extent of organisations’ data protection obligations and to provide a predictable and well-publicised approach to enforcement.
• It will be interesting to see the impact of this new approach. While fines hit revenue figures, other ‘reprimands’ might expose organisations to reputational risks.
• You can find John Edwards’ keynote speech on the ICO’s new strategic approach at the NADPO annual conference on 22.11.22 at How the ICO enforces: a new strategic approach to regulatory action | ICO.

What happened

• The ICO has issued this second draft guidance for consultation (the first draft related to monitoring employees at work)
• This ‘sensitive’ data includes sickness, injury and absence records, genetic testing and health monitoring.
• The ICO says that it is important to consider where this data might be obtained, how employers can limit the amount of data collected and who has access to it.
• It’s also important to consider who employers share the data with and how it is stored.
• Key themes are the lawful basis, data minimisation, data sharing and security.
• Employers are asked to contribute to the consultation by 26 January 2023.   

Why it matters

• The guidance is intended to help organisations understand their responsibilities. Workers’ health information represents some of the most sensitive information, so it is vital for employers to know how to handle it in a compliant way.
• A data protection impact assessment (DPIA) should be completed prior to the processing of the sensitive information to assess all the risks.
• Employers must also be aware of their obligations under employment law, health and safety and other legislation/industry standards.
• You can review the draft guidance at employment-practices-workers-health-draft.pdf (ico.org.uk)