On September 12, 2023, the UK Information Commissioner, John Edwards, and the Chief Executive of the National Cyber Security Centre (NCSC) of the UK, Lindy Cameron, signed a joint Memorandum of Understanding (MoU) that sets forth a framework for cooperation and information sharing between the ICO and the NCSC. The MoU states the general aims “are to codify and enhance working” between the ICO and NCSC so as to “assist them in discharging their functions.”
The MoU details how the ICO and NCSC will work together in the following areas:
- The development of cybersecurity standards and guidance by each party. For example, should the ICO wish to use the NCSC Cyber Assessment Framework (CAF), which is available for cybersecurity regulators to use, the NCSC will provide advice on how the CAF is intended to be used and technical support on its application.
- Assessing and influencing improvements in cybersecurity practices of regulated organizations. For example, where appropriate, the NCSC may provide the ICO with cybersecurity advice and assistance, which is technical in nature and focuses on cybersecurity risk management.
- Information sharing, for example in relation to relevant cyber threat information. The MoU clearly states that the NCSC will not share with the ICO information from an organization with which it is engaged regarding a cyber incident, unless it has the organization’s approval to do so.
- The NCSC supporting the ICO’s own cybersecurity. For example, the NCSC may provide consultancy advice to the ICO.
- Harmonization between the NCSC and the ICO in relation to incident management. For example, when an organization reports a cyber incident to the ICO that the ICO deems may be a nationally significant cyber incident, the ICO will recommend and encourage notification to the NCSC.
- Public communications and press releases. For example, to the extent practicable, public communications on matters involving both the ICO and NCSC will be agreed upon in advance to support consistency.