In September 2023, the UK Information Commissioner, John Edwards, and the Chief Executive of the National Cyber Security Centre (NCSC), Lindy Cameron, signed a joint Memorandum of Understanding (MoU) that set out how both organisations will increase levels of collaboration and cooperation.

The main areas of collaboration between the organisations will involve developing cybersecurity standards and guidance, as well as improvements in the cybersecurity of regulated organisations. The MoU also covers information sharing, cooperation between the NCSC and the Information Commissioner’s Office (ICO) in relation to incident management, and also sets out information on how the NCSC will support the ICO's own cybersecurity measures.

Background

The ICO is the UK’s independent regulator and acts to uphold information rights in the public interest, promote openness by public bodies and protect data privacy rights for individuals. The NCSC is part of Government Communications Headquarters (GCHQ), which was put on a statutory footing by the Intelligence Services Act 1994. The NCSC is the UK’s technical authority for tackling cyber threats; it works to defend the UK from cyber risks, deter adversaries and develop national cybersecurity capability, consistent with delivering the National Cyber Strategy.

Key areas of cooperation

The MoU outlines six areas of collaboration between the bodies as follows: 

  1. The development of cybersecurity standards by each party 
  2. Assessing and influencing improvements in cybersecurity of regulated organisations
  3. Information sharing
  4. The NCSC supporting the ICO’s own cybersecurity
  5. Deconfliction between the NCSC and the ICO in relation to incident management
  6. Public communications and press releases 

1. The development of cybersecurity standards by each party 

The NCSC and ICO will enhance available cybersecurity guidance and will work to encourage the adoption of this guidance both nationally and internationally. The MoU specifically outlines that if the ICO wishes to use the NCSC Cyber Assessment Framework (CAF), NCSC will provide advice on how CAF is intended to be used and technical support about its application.

2. Assessing and influencing improvements in cybersecurity of regulated organisations

The ICO has agreed that it will encourage organisations to engage appropriately with the NCSC on cybersecurity matters. To support the ICO’s regulatory work, the NCSC may provide cybersecurity advice and assistance to the ICO where appropriate and in accordance with the statutory functions of NCSC. The two bodies will work together on a variety of initiatives including the Cybersecurity Regulators Forum. 

3. Information sharing

The ICO will support the NCSC’s oversight of UK cyber-attacks by sharing information with NCSC about cyber incidents, on an anonymised and aggregate basis. It will share incident-specific details where the matter is of national significance. The ICO states that doing this will help NCSC make “the UK the safest place to live and work online, ensure its advice and guidance remains fit for purpose, and that NCSC services keep pace with the evolving threat landscape”.  However, in relation to relevant cyber threat information, the NCSC will only share information from an organisation if it has the organisation’s approval.

4. The NCSC supporting the ICO’s own cybersecurity

The NCSC will support the ICO’s own cybersecurity through the provision of technical tools and guidance. In some cases, the NCSC may be able to provide consultancy advice to the ICO, for example, where significant changes are planned that may have implications for cybersecurity. The ICO can expect to receive NCSC support in the event it experiences a serious cybersecurity incident. 

5. Deconfliction between the NCSC and the ICO in relation to incident management

Where an organisation reports an incident to the NCSC and the NCSC identifies that the case may be legally reportable to the ICO, the NCSC will remind the organisation to be mindful of its regulatory obligations under the UK GDPR. However, the NCSC will not opine on whether an organisation is under an obligation to notify, nor will it make notifications to the ICO on the organisation’s behalf. The ICO has committed to exploring how it can demonstrate that engagement with the NCSC will reduce regulatory penalties.  

Where the NCSC and ICO are both engaged on a cyber incident, they will endeavour to cooperate to minimise disruption to an organisation. In the MoU, the bodies recognise that the priority for an organisation suffering an incident should be remediation and the mitigation of harm; to the organisation, its customers, the UK and its citizens. Both parties will seek to ensure that their interventions align with this priority. 

6. Public communications and press releases 

To the extent practicable, public communications on matters involving both the ICO and the NCSC will be agreed in advance to ensure consistency and clarity. Where appropriate, the ICO and the NCSC will seek to amplify each other’s messages while remaining aware of their differing interests and remits. 

Commentary

UK Information Commissioner John Edwards said: 

"We already work closely with the NCSC to offer the right tools, advice and support to businesses and organisations on how to improve their cybersecurity and stay secure. This Memorandum of Understanding reaffirms our commitment to improve the UK's cyber resilience, so people's information is kept safe online from cyber-attacks."

NCSC CEO Lindy Cameron said: 

“This new MoU with the Information Commissioner builds on our existing relationship and will boost the UK’s digital security. It provides us with a platform and mechanism to improve cybersecurity standards across the board while respecting each other’s remits.”

Key takeaways

The MoU is a positive step forward for the regulation of cybersecurity within the UK, and it will be interesting to observe how the collaboration develops in practice. Ultimately, it is important to note that the MoU is a statement of intent: it does not give rise to legally binding obligations on the part of either the NCSC or the ICO, and it does not alter an organisation’s existing duty to assess and, where required, notify personal data breaches to the ICO itself. 

If you would like any further information, please contact David Varney or another member of our Data Protection and Technology team.

This article was written by Abbie McGregor.