When it comes to personal data you can't expect a branch of GCHQ to be on the same side as the ICO. Apart from anything else there's always the possibility of picking up a little more personal data when they investigate the breach.
The new National Cyber Security Centre is pitching itself to CEOs as a friendly government organisation which won't get the regulators involved after data breaches. Those gathered this morning on the 18th floor of 125 London Wall heard one of the NCSC's deputy directors address CEOs on how they should lead their businesses' …
The high-res version seems to be here(*), fewer JPEG artefacts, less beard - nails still yucky, but a steganographic message in Cyrillic, no less, on the ring? Hence obviously gov infosec related.
Stegano revealed as "J.C SHOW ME MERCY", but it probably has a double meaning, as I just watched something called "Inferno" yesterday.
How does a relatively secret organisation prove who they are on the phone?
Separately, if you don't get a phone call following a breach, does that mean either:
1) you are insignificant/unimportant in the eyes of our political masters, or
2) it might indicate that said breach was done on behalf of one of "our friends"?
Lastly, whilst I appreciate the sentiment of non-disclosure in the interest of free discussion and the dilemma around this topic, it does suggest a certain institutionalised contempt for the ICO. It may also provide a refuge for certain "less than entirely forthright" companies who, when breached, may go to this organisation whilst publicly denying anything has happened, and later try to use that as protection against redress, claiming some spurious "national security interest".
While I strongly support the ICO (and, indeed, the public) being informed of all data breaches it does seem reasonable that this organisation would say "you have a duty to report that to the ICO, but we are not going to get involved in that". There is a role for an expert group who can advise companies without insisting they make the report.
Of course, these sorts of Chinese walls, for the public good, are exactly what the government seem determined to break down in our personal lives. I see no reason why companies should be able to get the benefit of good advice while possibly breaking the law, and yet individuals do not have the option to keep data required by one government department separate from data supplied to another.
For example, it is in the public interest that people get prompt treatment for possibly communicable illnesses so we need to make sure that doesn't mean they will be grassed up to other government depts.
The detail is in what they are not saying: while they are saying they won't report breaches that may have broken regulations to the ICO, they are not saying what they may do with that information later.
The world of spookery in general is about misdirection, often not saying all there is to say, or downright lying and sometimes blackmailing for their own benefit. I doubt any part of GCHQ is any different.
Biting the hand that feeds IT © 1998–2021