UK Information Commissioner John Edwards and the chief executive of the National Cyber Security Centre (NCSC) Lindy Cameron have signed a memorandum of understanding on how their organisations will co-operate with each other.
The MoU recognises that while both organisations have distinct responsibilities, there are opportunities to align work on some shared issues and deconflict on others.
These include cooperation on the development of cyber security standards and guidance as well as influencing improvements in the cyber security of organisations regulated by the Information Commissioner’s Office (ICO).
The MoU reaffirms that the NCSC will never pass information shared with it in confidence by an organisation to the ICO without having first sought the consent of that organisation.
Working closely
Edwards said: "We already work closely with the NCSC to offer the right tools, advice and support to businesses and organisations on how to improve their cyber security and stay secure.
“This memorandum of understanding reaffirms our commitment to improve the UK's cyber resilience so people's information is kept safe online from cyber attacks."
Cameron commented: “This new MoU with the information commissioner builds on our existing relationship and will boost the UK’s digital security.
“It provides us with a platform and mechanism to improve cyber security standards across the board while respecting each other’s remits.”
Engagement and incentives
Key provisions in the MoU include that the commissioner will encourage organisations to engage appropriately with the NCSC on cyber security matters, including the response to cyber incidents.
He will also incentivise engagement with the NCSC, including recognising organisations affected by significant cyber incidents that report to and work with it. This is accompanied by an ICO commitment to explore how it can transparently demonstrate that meaningful engagement with the NCSC will reduce regulatory penalties.
Other commitments are that: the ICO will share information with NCSC about cyber incidents; when they are both engaged on a cyber incident, they will endeavour to deconflict to minimise disruption to an organisation’s efforts to contain and mitigate harm; they will provide each other with ongoing feedback to improve their collaboration; and they will work together to enhance cyber security guidance and encourage its adoption.
