ICO publishes Encryption Guidance

Nigel Miller

Users of WhatsApp will have noticed intriguing messages that WhatsApp is now securing all chat messages and calls with end-to-end encryption.

This coincides with new guidance issued by the UK Information Commissioner’s Office (ICO) on the use of encryption.

The ICO refers to the fact that many data security breaches are caused by data – or the devices on which the data was stored – being inadequately protected.

The ICO takes the view that where encryption software has not been used to protect the data, regulatory action may be taken.

The ICO has shown itself willing to impose hefty fines on organisations that lose unprotected data. For example,

  • the ICO imposed a fine of £150,000 on Greater Manchester Police after a USB stick containing data on police operations was stolen from an officer’s home. The stick contained personal data of over 1,000 people with links to serious organised crime. It was unencrypted and had no password protection;
  • Welcome Financial Services Limited was fined £150,000 after the loss of more than half a million customers’ details. Welcome was unable to locate two backup tapes which contained the names, addresses and telephone numbers of customers. Data on the backup tapes was not encrypted.

Aside from fines, organisations risk significant damage to their reputation as well as compensation claims if they do not store personal data securely.

The legal requirements

The Data Protection Act (DPA) is not prescriptive as to how data should be secured. It simply says, in Principle 7, that:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

While encryption is not a legal requirement, in many cases encryption provides an appropriate safeguard because it is a widely available technology with a relatively low cost of implementation. However, it is not the only option and should be considered alongside other measures. The ICO recommends that this is done by carrying out a Privacy Impact Assessment and taking a risk-based approach.

The ICO refers to various typical scenarios where an organisation might consider encryption; for example, transferring data by disc, USB or email; data storage and back-ups; mobile devices; CCTV; call recordings; and drones.

Use of PINs

The guidance refers to the practice of setting a PIN, or requiring users to provide a username and password, in order to access a device. Whilst this can offer some assurance, the ICO says that it provides little protection to the underlying data, which is commonly stored in plain text on the disk, and should not be considered equivalent to encryption.

Email

Email presents a particular everyday problem. A common type of personal data disclosure occurs when an email is sent to the wrong recipients. Data can also be at risk if an individual gains unauthorised access to the email server or online email account. However, encrypted email solutions can be complex to set up and there is still currently no universally adopted method for sending email securely.

The ICO recommends that data controllers have a policy governing encrypted email, including guidelines that enable staff to understand when they should or should not use it. For example, there may be a guideline stating that any email containing sensitive personal data (either in the body or as an unencrypted attachment) should be encrypted. Information can also be sent as an encrypted attachment, e.g. one protected by a password which is then transferred to the recipient. The password must be sufficiently complex to prevent compromise and should be communicated over a separate channel, e.g. by disclosing the password over the telephone or by SMS.

Mobile devices

Another common problem is the loss or theft of mobile devices such as laptops, smartphones and tablets. By their very nature mobile devices carry a high risk of loss or theft. Encrypting the data held on the device provides assurance that, if this happens, the risk of unauthorised or unlawful access is significantly reduced.

Position under the GDPR

Looking ahead, the new EU General Data Protection Regulation, due to come into force in two years’ time, specifically refers to encryption as an appropriate technical and organisational measure. Furthermore, the GDPR provides that organisations that suffer a data breach may not need to notify the data subjects where the data was encrypted. This could be very helpful in preventing the data breach getting into the news, thereby limiting reputational damage caused by the breach.

Next steps

The ICO’s message is simple: encryption doesn’t have to be complicated or difficult, and it could help you avoid a fine. Don’t wait until after a data breach to start using it.


Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at nmiller@foxwilliams.com