Memorandum of Understanding signed between the National Crime Agency and the Information Commissioner’s Office

Overview

On 10 September 2024, the Information Commissioner's Office (“ICO”) and the National Crime Agency (“NCA”) signed a Memorandum of Understanding (“MOU”) setting out how the organisations intend to cooperate with a common aim of improving cyber resilience in the UK.

MOU Objectives

Described by the ICO as a tool to provide “relevant, up to date information sharing on cyber security matters, to support improved cyber security, and to provide guidance on how change can be implemented”, the MOU seeks to:

  • encourage organisations to engage with the NCA on cyber security matters,
  • ensure that the NCA seeks consent on an organisational level before passing on information that it has received,
  • minimise disruptions to organisations in respect of their efforts to contain and mitigate cyber-related harm,
  • support and improve the NCA’s visibility of cyberattacks within the UK by sharing anonymised, systemic and aggregated information (on an organisation-specific basis),
  • promote learning, provide consistent guidance and improve standards on matters which are cyber-related, and
  • assist the NCA in protecting the public from serious and organised crime.

How is the MOU structured?

The MOU can be broken down into five key components:

  1. Roles and Powers

    The MOU provides an executive summary of each of the ICO’s and NCA’s powers and roles in line with current legislation.

  2. Information Sharing

    The ICO and NCA have committed to information sharing as permitted by law, to support their respective missions, objectives and statutory functions. To achieve this, information sharing will be conducted through well-established processes like the Monthly Agency Incident Deconfliction (“MAID”) meetings and via e-mail. The NCA have agreed that they will not share information from organisations who are involved in cyber incidents without their prior consent. Each of the ICO and NCA has explained that it will be a data controller for the purposes of any information that it receives and will therefore be responsible for complying with the principles of the Data Protection Act 2018 (“DPA 2018”).

  3. Incident Management

    The ICO and the NCA have committed to answering any subject access or other rights requests that they receive in relation to the processing they are undertaking, whilst they are still processing the information received. Where organisations report an incident to the ICO and/or the NCA, both parties have agreed to ensure that any interventions which occur align with the priority of incident remediation and harm mitigation. In doing so, the ICO and the NCA will coordinate any responses to cyber incidents to minimise disruption to the affected organisation(s).

  4. Press Releases

    The ICO and the NCA have committed to ensuring that any public-facing communications that involve both parties will be agreed in advance of release, to ensure a consistent approach to cyber-related matters. Each of the ICO and the NCA will seek to “amplify” the other’s messages and promote consistent guidance on information and cyber security. The parties have also committed to consult with their respective partner agencies and bodies.

  5. Management of the MOU

    The ICO and the NCA have nominated Stephen Bonner (Deputy Commissioner) and Paul Foster (Deputy Director) to monitor and manage the MOU to ensure its effectiveness. The MOU will be reviewed every two years, with minor changes agreed upon in writing between the nominated representatives.

A link to the MOU can be found here.

Our Views

The pledges made by both the ICO and the NCA (as set out in the MOU) demonstrate a positive commitment towards good collaboration and effective information sharing to enhance cyber security and prevent serious/organised crime within the UK.

This is likely to be welcomed by organisations, particularly as they will be able to take comfort from information not being shared without their consent. They will also be reassured that both bodies will take increased measures to prevent further disruption where a cyber-related event occurs.  


The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
