The Information Commissioner’s Office (“ICO”) and National Crime Agency (“NCA”) have signed a Memorandum of Understanding (“MoU”) establishing a framework for cooperation and information sharing between the two bodies.

The MoU states that its aim is to “codify and enhance working” between the two bodies and explain how they will work together in the following areas:

1. Assessing and influencing improvements in the cyber security of regulated organisations.

The MoU states that a “key part of the ICO’s work is understanding what cyber security standards have been achieved in the organisations within its remit, what changes are most urgently needed, and how these changes can be implemented”. It outlines that the ICO will continue to encourage good practice in cyber security, and will refer to, and work with, the NCA in relation to the development of its guidance.

2. Information sharing relating to entities subject to attack.

The MoU makes clear that the NCA will not share information from any organisations that it is engaged with due to a cyber incident with the ICO unless the organisation permits it to do so. Similarly, the ICO will not make any onward disclosure of data shared with it by the NCA without the consent of the NCA.

However, the two bodies will share information “to the extent permitted by law, and as appropriate and relevant to their respective missions, statutory functions and objectives”. For example, this might include the NCA sharing information about cyber threat assessments that are likely to affect organisations regulated by the ICO, or the ICO sharing information about cyber incidents with the NCA to assist it in its work of protecting the public from serious and organised crime. The MoU stresses that any such sharing of information will be “both on an anonymised, systemic and aggregated basis, and on an organisation-specific basis where appropriate”.

3. Deconfliction between the NCA and the Commissioner in relation to incident management.

The MoU states that “where organisations report an incident to the NCA and the NCA identifies that the case may be legally reportable to Commissioner, the NCA will remind organisations to be mindful of their regulatory obligations, but will not opine on whether an organisation may be under an obligation to notify nor make notifications to the Commissioner on the organisation’s behalf.”

On the other hand, it sets out that “where organisations have notified the Commissioner of a cyber incident and it is identified through engagement with the affected organisation that the case may be relevant to the work of the NCA, the Commissioner will recommend and encourage the organisation to notify the NCA”.

The MoU also outlines that where both the NCA and ICO are engaged in managing an incident, they will co-ordinate as much as reasonably practicable in pursuit of a collective ambition to resolve the incident and mitigate harms to the organisation in question.

4. Public communications and press releases

Finally, the MoU states that public communications on matters involving both bodies will be agreed between them as far as reasonably practicable, that they will seek to amplify each other’s messages, and that any such communications will “be mindful of the need to set out the distinct roles” of the ICO and NCA.

To read the MoU in full, click here.