THE LENS
Digital developments in focus

Cyber optics: ICO and NCA sign collaborative memorandum to improve the UK’s cyber resilience

On 10 September 2024, the ICO announced it had signed a memorandum of understanding with the National Crime Agency (“NCA”). The joint statement of intent sets out how the regulators will cooperate and work constructively with one another in relation to the cybersecurity of regulated organisations. This follows the memorandum signed by the ICO and the National Cyber Security Centre (“NCSC”) in autumn 2023 (see our Lens blog), and contains sections that are near-identical. 

Organisations are often concerned about how the two institutions share information with one another. They will therefore be pleased that the memorandum reaffirms that the NCA (like the NCSC) will never pass information it receives from an organisation it has engaged with on a cyber incident to the ICO without having first sought the consent of that organisation.

In addition, the memorandum confirms that where organisations report an incident to the NCA and it considers that the case may be legally reportable to the ICO, the NCA will “remind organisations to be mindful of their regulatory obligations, but will not opine on whether an organisation may be under an obligation to notify nor make notifications to the [ICO] on the organisation’s behalf.”

The memorandum also discusses:

  • Information flows: These could include: (i) the NCA sharing cyber threat assessments likely to affect Relevant Digital Service Providers (as defined under the NIS Regulations) and ICO-regulated organisations; and (ii) the ICO sharing information about cyber incidents (either on an anonymised, systemic and aggregated basis, or on an organisation-specific basis where appropriate) to aid the NCA in protecting the public from serious and organised crime.
  • Data subject rights requests: Each regulator commits to consult with the other prior to responding to any data subject rights requests that capture information received from the other regulator. The regulator that shared the captured information commits to providing the other with reasonable assistance in relation to the particular request. 
  • “Deconfliction” during incident management: The ICO and NCA will seek to reasonably coordinate their work in relation to a particular cyber incident, in pursuit of the goal of minimising disruption to an organisation’s efforts to contain and mitigate harm. Further, the regulators will provide feedback to one another where they view the other’s intervention as disruptive to achieving this goal. 
  • Learning, guidance and standards: Finally, like the NCSC memorandum, this one reaffirms the ICO and NCA’s joint commitments to work together and support one another to promote learning, provide consistent guidance and improve standards in relation to cybersecurity and the reporting of cybercrime, consistent with their obligations under the UK's National Cyber Strategy (see our Lens blog). 
