On March 3, 2016, the UK’s Information Commissioner’s Office (“ICO”) released new guidance on encryption. The guidance aims to provide advice to organizations on protecting personal data (such as customer and employee data) through the use of encryption. There is no legally-binding requirement under UK data protection law to encrypt data, either at rest or in transit. However, Principle 7 of the Data Protection Act 1998 states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Encryption of personal data is therefore one way that companies can demonstrate their commitment to this Principle.
The guidance highlights the fact that many of the recent fines that the ICO has issued against companies, where data loss has occurred (see, for example, our blogpost here on the fine imposed by the ICO on online travel insurer, Staysure, in 2015), may have been avoided if the data in question had been encrypted. Accordingly, “The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, regulatory action may be pursued.”
That said, the ICO does also stress that encryption is not a completely watertight solution, and should be considered alongside other technical and organisational security measures. They recommend that companies conduct a Privacy Impact Assessment to determine the most appropriate security measures to implement in any given scenario.
As to when encryption should be used, the ICO splits its guidance into two categories: the use of encryption when storing data (such as on laptops or in databases), and the use of encryption when transferring data (such as transferring data to the cloud).
- Data storage: The ICO explains that encrypting stored data is a good way of mitigating the risk that the data will be accessed or processed without authorization, even if it ends up in the wrong hands. Companies that use encryption for data that they store should put in place encryption policies so that employees understand when encryption should be used, and also how to ensure that encrypted devices remain protected (for example, by not handing out decryption keys to those not authorized to receive them).
- Data transfer: Encrypting data whilst in transit reduces the risk of that data being intercepted, particularly if the transfer is taking place over an unsecured wireless network. The ICO recommends using an encrypted communication protocol, such as “Transport Layer Security” (or “TLS”), as the best way to protect data during transfer. However, the limitation of encrypting data only whilst it moves between two endpoints is that TLS protects the connection, not the data itself: the data is decrypted on arrival at the receiving endpoint and is usually stored there in plaintext, leaving it vulnerable to compromise at that stage. The ICO therefore encourages companies to encrypt data both when it is transferred and at the point of storage.
In addition to describing the pros and cons of the use of encryption techniques, the ICO provides helpful guidance on the various types of encryption that companies can use as well as practical, technical advice for companies on implementing encryption.
Finally, the ICO devotes the latter part of its guidance to setting out various data processing scenarios, and describing when the use of encryption could be appropriate in those cases. As a sign of the importance the ICO is attaching to encryption, they provide 17 different scenarios for consideration. At the end of many of these, they provide real-life examples of companies that faced fines or other regulatory action for failing to take appropriate measures to safeguard personal data. The situations presented range from the use of encryption when transferring data stored on physical devices (such as USB drives) and the use of encrypted email solutions, to safeguarding personal data stored on body-worn video devices and on drones.
Organizations that regularly process personal data would be well advised to read through the ICO’s guidance on encryption in order to understand what is now expected as the “norm” for securing personal data. It is also worth noting that although the proposed text of the General Data Protection Regulation does not mandate the use of encryption, it is referred to in a number of places as being one of several mechanisms that can be used to demonstrate compliance with secure processing obligations.