(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
The Network and Information Systems Regulations 2018 (the NIS Regulations) transpose the EU Network and Information Systems (NIS) Directive into UK law. They impose cybersecurity obligations on two classes of organisation:
- relevant digital service providers; and
- operators of essential services (OESs) that operate in specific sectors and meet threshold operating requirements.
Schedule 2 of the NIS Regulations sets out the essential services and the thresholds an operator must meet to be designated as an OES. The sectors covered are energy, transport, health, drinking water supply and distribution, and digital infrastructure, and designation applies where the provision of the service depends on network and information systems.
Financial services firms are subject to security and governance obligations imposed by the Financial Conduct Authority (FCA) through the FCA Handbook. Principle 11 of the FCA's Principles for Businesses requires a firm to deal with its regulators in an open and cooperative way and to disclose to the FCA anything of which it would reasonably expect notice; in practice this obliges firms to report material cyber incidents to the FCA.
The FCA directs financial institutions to the National Cyber Security Centre (NCSC) for general guidance on protecting information and systems.
In the United Kingdom, the Office of Communications (Ofcom), the UK communications regulator, has been working with EU and international regulators to share lessons and, where possible, to harmonise approaches. Another example of regulatory collaboration in the United Kingdom is the Digital Regulation Cooperation Forum, a formal body whose members include:
- Ofcom, which regulates communications;
- the Information Commissioner’s Office, which leads on data protection;
- the FCA, which deals with financial services; and
- the Competition and Markets Authority, which deals with competition matters.
The aim of the Digital Regulation Cooperation Forum is clear, consistent and coordinated regulation of digital markets: building a shared view of significant industry trends and innovations, and responding jointly to changes in the market. It works in collaboration with government, industry, academia and other stakeholders.
(b) Certain types of information (personal data, health information, financial information, classified information)?
The processing of personal data is regulated by the UK GDPR and the Data Protection Act 2018. Particularly sensitive personal data (‘special category data’) is subject to more stringent processing requirements than other personal data. Under Article 9 of the UK GDPR, special category data comprises:
- data revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, sex life or sexual orientation;
- biometric data, where it is processed to uniquely identify an individual;
- trade union membership data; and
- genetic data and data concerning health.
Personal data relating to criminal convictions and offences is not special category data, but it is separately protected: under Article 10 of the UK GDPR it may be processed only with appropriate safeguards. Those safeguards are set out in Sections 10 and 11 and Schedule 1 of the Data Protection Act 2018.
Classified information is regulated by the Official Secrets Act 1989, and processing of personal data by the intelligence services is governed by Part 4 and Schedule 11 of the Data Protection Act 2018.
Processing of personal data by competent authorities for law enforcement purposes, including criminal offence data held for those purposes, is regulated by Part 3 of the Data Protection Act 2018.