Data Encryption – ICO Guidance Update

Cathrine Ripley summarises the key changes introduced by the ICO’s recent updates to its guidance on data encryption. 

With 2,260 confirmed data breaches across 82 countries, as published in Verizon’s 2015 Data Breach Investigations Report, avoidable data security breaches are still proving all too common for businesses. To promote better data security in the UK, the Information Commissioner’s Office (ICO), the public body responsible for enforcing data protection law in the UK, has recently published updated guidance on protecting data through encryption.

What is encryption?

Encryption is a technique for converting data, by means of a mathematical algorithm and a key, into another form which cannot be read by third parties. To use the data, the intended recipient must convert (decrypt) the result back into its original form. Typically, data can be encrypted while being stored (e.g. on a laptop, mobile, USB or back-up media, databases and file servers) or while being transferred from one device to another (e.g. across the internet or over a wireless connection).

Is encryption a legal requirement for your business?

The Data Protection Act (DPA) does not specify that organisations must use encryption; instead, it simply requires them to take “appropriate technical and organisational measures” against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Encryption is one of many measures that businesses can employ to assist in complying with the DPA.

ICO guidance on common business scenarios

Given the increasing use of encryption as a business tool, the ICO has recently given guidance on how organisations can use it in common business scenarios involving the processing of personal data, for example:

  • Transferring data by CD or DVD – data stored in this medium can be sent by recorded delivery or a courier service and the data can be encrypted to add an additional layer of protection. Any password or key should be transferred separately through a different communication method such as telephone, to ensure it remains secure.
  • Transferring data by USB – files containing personal data can be placed within an encrypted container on the device. Any prior data on the device should be fully wiped before re-use. USB devices should be used with care as they enable large volumes of personal data to be lost or stolen with relative ease.
  • Use of mobile devices such as laptops, smartphones and tablets – these devices are considered high risk. Encryption of the data stored on mobile devices can significantly reduce the risk of the data being accessed unlawfully. Also available are hardware-encrypted mobile devices, which allow the data to be decrypted without the user having to install additional software.
  • Emails – encryption can reduce the likelihood that the body of an email, and any attachment, is made accessible to any unintended recipient or third party who intercepts the communication (provided that person does not hold the decryption key or software). Some types of encrypted email solutions can be complex and, as a result, certain sectors have developed their own secure email systems, such as the NHS. A simpler method may be to require the sender to upload encrypted data to a web application for secure retrieval by the recipient. There is, however, no universally adopted method for sending emails securely.

Enforcement by the ICO

Given the increasing use of encryption, the ICO now takes the view that regulatory action and fines may be appropriate where failure to use encryption has led to data loss. The ICO hopes that these penalties, together with the reputational damage that data breaches inherently cause businesses, will encourage organisations to adopt relatively low-cost security measures such as encryption more widely.

But how easy will it be for organisations to implement data encryption in their corporate environments? For some, their current IT infrastructure may block the installation of the software needed to decipher encrypted data, e.g. because they use server-based malware scanning products. However, the time, cost and inconvenience of working around such issues so that encryption and other data security measures can work effectively has to be weighed against the potential financial and reputational risk of non-compliance. Saying it is too difficult to implement available technology may not wash with the ICO.