The UK's Information Commissioner’s Office ("ICO") has released updated guidance on encryption, amidst concerns that there was a general lack of understanding of when and how to use encryption software to protect the security of personal data. The guidance aims to provide advice to companies on protecting personal data through the use of encryption. It is emphasized by the ICO that encryption should be considered alongside other technical and organizational security measures
The ICO recommends that companies conduct a Privacy Impact Assessment to determine the most suitable security measures to implement in any given scenario, and gives examples of various scenarios indicating when data controllers will be required to deliberate on encrypting data.
The ICO has identified the encryption of data when it is being stored (data storage) and when it is being transferred (data transfer), as providing effective protection against unauthorized or unlawful processing:
- Data storage: Companies that use encryption for data stored by them, should put in place encryption policies in order that employees understand when encryption should be used, and also how to ensure that encrypted devices remain protected.
- Data transfer: The ICO recommends using an encrypted communication protocol as the best way to guarantee the safety of data during transfer.
As with many other regulatory authorities, the ICO takes the view that regulatory action may follow in cases where a lack of encryption has led to a loss of data. The guidance highlights the fact that many of the recent penalties that the ICO has issued against organizations, where data loss has occurred, may have been avoided if the data in question had been encrypted. This recent concentration on encryption by the ICO, stressing its application to many forms of data storage and many methods of data transfer, is designated to serve as an important reminder to companies to keep personal data secure, failing which regulatory action will follow.