The UK Information Commissioner, John Edwards, and the Chief Executive of the National Cyber Security Centre (NCSC), Lindy Cameron, have today signed a joint Memorandum of Understanding (MoU) that sets out how both organisations will cooperate.
The MoU recognises that whilst both organisations have distinct responsibilities, there are opportunities to align work on some shared issues and deconflict on others.
These include cooperation on the development of cyber security standards and guidance as well as influencing improvements in the cyber security of organisations regulated by the Information Commissioner’s Office (ICO).
The MoU reaffirms that the NCSC will never pass information shared with it in confidence by an organisation to the ICO without having first sought the consent of that organisation.
UK Information Commissioner John Edwards said:
“We already work closely with the NCSC to offer the right tools, advice and support to businesses and organisations on how to improve their cyber security and stay secure.
“This Memorandum of Understanding reaffirms our commitment to improve the UK’s cyber resilience so people’s information is kept safe online from cyber attacks.”
NCSC CEO Lindy Cameron said:
“This new MoU with the Information Commissioner builds on our existing relationship and will boost the UK’s digital security.
“It provides us with a platform and mechanism to improve cyber security standards across the board while respecting each other’s remits.”
Key provisions in the new MoU include:
a. The Commissioner will encourage organisations to engage appropriately with the NCSC on cyber security matters, including the response to cyber incidents.
b. The Commissioner will also incentivise engagement with the NCSC, including recognising organisations affected by significant cyber incidents that report to and work with the NCSC. The ICO also commits to exploring how it can transparently demonstrate that meaningful engagement with the NCSC will reduce regulatory penalties.
c. The ICO will support the NCSC’s visibility of UK cyber attacks by sharing information with the NCSC about cyber incidents, on an anonymised and aggregate basis, as well as incident-specific details where the matter is of national significance. Doing so will help the NCSC make the UK the safest place to live and work online, ensure its advice and guidance remain fit for purpose, and ensure that NCSC services keep pace with the evolving threat landscape.
d. Where NCSC and ICO are both engaged on a cyber incident, they will endeavour to deconflict to minimise disruption to an organisation’s efforts to contain and mitigate harm. In doing so, the Commissioner will seek to enable organisations to prioritise engagement with the NCSC and their partners in the immediate aftermath where that will prioritise mitigative work.
e. NCSC and ICO will provide each other with ongoing feedback with a view to continuous improvement in relation to their collaboration.
f. The NCSC and ICO will work together to enhance the cyber security guidance available and encourage its adoption.
Notes to Editors
- The NCSC, a part of GCHQ, is the UK’s technical authority for tackling cyber threats and works to defend the UK from cyber risks, deterring adversaries and developing cyber security capability, consistent with delivering the UK’s National Cyber Strategy. The NCSC also manages serious cyber incidents to reduce harm to the UK.
- The ICO is the independent regulator for upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Commissioner is empowered to take a range of regulatory actions, including enforcement of the Data Protection Act 2018 and the UK General Data Protection Regulation, as well as the Network and Information Systems Regulations 2018 in respect of Digital Service Providers, for which the ICO serves as competent authority.