Annex A
PROPOSED NEW GENERAL CONDITION OF ENTITLEMENT
(PURSUANT TO SECTION 45(1) OF THE COMMUNICATIONS ACT 2003)
1. The following is a draft of a new information
security and network integrity General Condition of Entitlement.
It replicates the obligations already placed upon service providers
by Regulation 5 of the Privacy and Electronic Communications Regulations
2003, but by making them a General Condition of Entitlement they
can be enforced by Ofcom. In addition, the Condition includes
obligations to take into account appropriate standards and specifications,
using paragraphs that are near identical to those in Condition
2 of the General Conditions of Entitlement.
INFORMATION SECURITY AND NETWORK INTEGRITY
2. The Communications Provider shall take
appropriate technical and organisational measures to safeguard
the security of its Public Electronic Communications Services
and the security and integrity of End-users' equipment used in
connection with those Public Electronic Communications Services.
3. If necessary, the measures required by
paragraph 2 may be taken by the Communications Provider in conjunction
with the provider of the Electronic Communications Network by
means of which the Public Electronic Communications Service is
provided, and that Electronic Communications Network provider
shall comply with any reasonable requests made by the service
provider for these purposes.
4. Where, notwithstanding the taking of
measures as required by paragraph 2, there remains a significant
risk to the security of the Public Electronic Communications Service
or the security and integrity of End-users' equipment used in
connection with those Public Electronic Communications Services,
the Communications Provider shall inform its End-users of-
(a) the nature of that risk;
(b) any appropriate measures that the End-user
may take to safeguard against that risk; and
(c) the likely costs to the End-user involved
in the taking of such measures.
5. For the purposes of paragraph 2, a measure
shall only be taken to be appropriate if, having regard to:
(a) the state of technological developments; and
(b) the cost of implementing it,
it is proportionate to the risks against which it would safeguard.
6. Information provided for the purposes
of paragraph 4 shall be provided to the End-user free of any charge
other than the cost to the End-user of receiving or collecting
the information.
7. The Communications Provider shall ensure
that any restrictions imposed by it on access to and use of a
Public Electronic Communications Service on the grounds of ensuring
its compliance with paragraph 2 above are proportionate, non-discriminatory
and based on objective criteria identified in advance.
8. The Communications Provider shall take
full account of any relevant voluntary standards and/or specifications
adopted by the European Standards Organisations in assessing the
appropriateness of any measure for the purposes of paragraph 2
or, in the absence of such standards and/or specifications, international
standards or recommendations adopted by the International Telecommunication
Union (ITU), the International Organisation for Standardisation
(ISO) or the International Electrotechnical Committee (IEC).
9. In the absence of such standards and/or
specifications referred to in paragraph 8 above, the Communications
Provider shall take full account of any other standard specified
by Ofcom in a direction under this Condition to define appropriate
technical or organisational measures, provided that Ofcom shall
not make such a direction if an appropriate European or other
international standard is expected to be promulgated within a
reasonable time.
10. For the purposes of this Condition:
(a) "Communications Provider" means
a provider of a Public Electronic Communications Service; and
(b) "European Standards Organisations"
means the European Committee for Standardisation (CEN), the European
Committee for Electrotechnical Standardisation (CENELEC), and
the European Telecommunications Standards Institute (ETSI).