The Privacy and Electronic Communications (EC Directive) Regulations 2003

Security of public electronic communications services

5.—(1) Subject to paragraph (2), a provider of a public electronic communications service (“the service provider”) shall take appropriate technical and organisational measures to safeguard the security of that service.

[F1 (1A) The measures referred to in paragraph (1) shall at least—

(a) ensure that personal data can be accessed only by authorised personnel for legally authorised purposes;

(b) protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and

(c) ensure the implementation of a security policy with respect to the processing of personal data.]

(2) If necessary, the measures required by paragraph (1) may be taken by the service provider in conjunction with the provider of the electronic communications network by means of which the service is provided, and that network provider shall comply with any reasonable requests made by the service provider for these purposes.

(3) Where, notwithstanding the taking of measures as required by paragraph (1), there remains a significant risk to the security of the public electronic communications service, the service provider shall inform the subscribers concerned of—

(a) the nature of that risk;

(b) any appropriate measures that the subscriber may take to safeguard against that risk; and

(c) the likely costs to the subscriber involved in the taking of such measures.

(4) For the purposes of paragraph (1), a measure shall only be taken to be appropriate if, having regard to—

(a) the state of technological developments, and

(b) the cost of implementing it,

it is proportionate to the risks against which it would safeguard.

(5) Information provided for the purposes of paragraph (3) shall be provided to the subscriber free of any charge other than the cost to the subscriber of receiving or collecting the information.

[F2 (6) The Information Commissioner may audit the measures taken by a provider of a public electronic communications service to safeguard the security of that service.]