ICO Blog: Why encryption is important to data security
In this section
- Road to reform proves long and winding
- Why developers must respect privacy to have an ‘Appy Christmas’
- Using public concerns and self-reported incidents to regulate information rights practice.
- Looking ahead, staying ahead
- ICO to write to 1,200 potential blacklisted workers
- Privacy Policies Code of Practice
- One small step for EU Parliament could prove one giant leap for data protection
- Data leaks in local government
By Simon Rice
28 August 2013
Storing any personal information is inherently risky. By recording it, you risk losing it, and that risks upsetting people, and no-one likes upsetting people. But quite often, if you don’t store personal data, you can’t provide a proper service. And that risks upsetting people too.
This is why, if you are collecting personal information, you must make sure you are looking after it in a safe and secure manner.
In order to do this effectively action must be taken to reduce the risks of inappropriate disclosure. Given that a large amount of data can now be stored on something as small as a smartphone or tablet PC, there is a real danger that personal information could be compromised should such a device end up being lost or stolen.
Using appropriate encryption can be a simple and effective means to protect personal data in these circumstances, and one which we advise all organisations to take if the loss of the data could cause damage and distress to the individuals affected. However evidence shows that data controllers are still not addressing the problem.
This blog article aims to provide you with a useful insight into how encryption works and the encryption options available to you and your organisation to help you keep personal information secure.
The big misconception
Let’s get this one out of the way first. A common misconception is that just requiring users to login to a device, or service, with a username and password provides an equivalent level of protection to encryption. This isn’t the case. A password or PIN to control access to a device isn’t encryption and it isn’t enough to protect against unauthorised or unlawful access. In practice a password can be easily circumvented and full access to the data can be achieved.
How does encryption work?
Encryption software uses a complex series of mathematical algorithms to protect and encrypt information. This hides the underlying data and prevents any inadvertent access to, or unauthorised disclosure of, the information. This means that even if a device containing personal information is lost or stolen, the information will remain secure as long as the would-be data thief isn’t able to access the encryption key required to crack the algorithm.
Appropriate encryption products are widely available, but it is important that organisations understand the type of protection a particular encryption product offers and the circumstances under which personal data will be protected from unauthorised or unlawful access.
What encryption software should I use?
There are a variety of different encryption options available. The option that will be the most appropriate for your organisation will depend on the sensitivity of the information you are using and how it is being stored and processed.
For this reason it is difficult to provide a comprehensive list of software as everyone’s needs are different. You can however look out for internationally recognised standards such as those described on the encryption section of our website.
Full disk encryption
This is a process which encrypts the entire disk including all of the information and personal data it contains. It is commonly used when encrypting laptops, desktops and mobile devices, such as mobile phone and tablets. The disk will need to be decrypted with a key, which is often protected by a password entered by the user, before the operating system boots up.
However, this may mean that there are circumstances when the data could still be at risk. For example, if someone left a tablet unlocked and unattended in a restaurant then anyone who picked up that device would have an opportunity to extract the unprotected data. It is also important to recognise that if a file is transferred off the disk, for example if you sent the information in an email or saved it to a different device, then the file will no longer be encrypted.
Full disk encryption is provided through a range of widely available third-party software and some modern operating systems have a full disk encryption mode built-in, but they will usually require the user to enable the protection.
Individual file encryption
This is a process which will encrypt an individual file or create an encrypted container into which a set of files can be stored. When the container is closed it is encrypted. This means that if the container itself is transferred to a different device, for example if it is emailed or saved to a USB drive, then the personal data remains encrypted. However once the file is removed from the container it is no longer encrypted.
Some modern operating systems are able to create encrypted containers, while a range of third-party software can also offer the same level of encryption. However it is important that this encryption technique is not confused with adding password protection to a file or folder, as this process will not result in the data being encrypted.
Most email client software will also support sending emails with the message content and any attachments in an encrypted format. This approach does however require some initial configuration of both the sender and recipient’s email software.
Encrypting data in transit
It is also important to know the difference between the encryption techniques used for data storage and the encryption techniques used in data transfer.
You can transfer data using an encrypted data transfer protocol, such as Secure Sockets Layer (SSL) or Transfer Layer Security (TLS). This is the technology that displays the padlock symbol in protected web browsing. It provides assurance that the communication between client and server cannot be intercepted. Furthermore it provides you with a means to validate where the data is being transferred to.
The use of an encrypted transfer protocol does not provide any guarantee that data will remain encrypted, or otherwise processed securely, once it is received at its destination. This will need to be assessed separately.
The importance of keeping the key secret
You wouldn’t install high end locks on your house, only to leave the front door key under the mat. The same applies for storing a laptop encryption key or password in the same bag as an unencrypted laptop, or equally, sending encrypted data as an email attachment with the means to decrypt it included in the body of the email.
If you do any of these then the safeguards provided by the act of encryption are illusionary, because all of the necessary information required to decrypt the data is readily available. The secrecy of the key used to encrypt the data is therefore of paramount importance.
To ensure the maximum level of protection offered by encryption, the key or password should be transmitted using an alternative means of communication. For example the encrypted data could be sent by email and the key provided over the telephone once the intended recipient has confirmed that the data has been successfully received. By adopting this approach, even if you accidentally send the data to the wrong recipient, the information will remain secure as the person will not have the necessary key to access it.
While encryption sounds like a complicated means of protecting sensitive personal information, the crucial aspect to making it work is to identify the most suitable form of encryption and follow a common sense approach to keeping the key, and therefore the data, secure. Using effective encryption is usually easier to manage than adopting an alternative means of providing a similar level of data security.
And the time and cost of proper encryption is put into sharp perspective by a quick glance over the penalties issued in three recent cases where encryption wasn’t used (£700,000 in total). The price of getting it wrong could therefore extend well beyond upsetting people…
Group Manager, Technology
28 August 2013