Introduction

In recent years there have been numerous incidents where personal data has been stolen, lost or subject to unauthorised access. In many of these cases, these were caused by data being inadequately protected or the devices the data was stored on being left in inappropriate places – and in some cases both. The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, regulatory action may be pursued.

This guidance explores use of encryption through a range of practical scenarios to highlight when and where different encryption strategies can help provide a greater level of protection.

Overview

  • Encryption protects information stored on mobile and static devices and in transmission.
  • It is a way of safeguarding against unauthorised or unlawful processing of data.
  • There are a number of different encryption options available.
  • Organisations should consider encryption alongside other technical and organisational measures, taking into account the benefits and risks that it can offer.

What the DPA says

Principle 7 states:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

What is encryption?

Encryption is a mathematical function using a secret value — the key — which encodes data so that only users with access to that key can read the information.
In many cases encryption can provide an appropriate safeguard against the unauthorised or unlawful processing of personal data, especially in cases where it is not possible to implement alternative measures.

Example

An organisation issues laptops to employees for remote working together with secure storage lockers for use at home and locking devices for use outside the home. However there is still the risk of loss or theft of the devices (eg whilst being used outside of the office).

Therefore the data controller requires that all data stored on laptops is encrypted. This significantly reduces the chance of unauthorised or unlawful processing of the data in the event of loss or theft.

Encryption in practice

Information is encrypted and decrypted using a secret key (some algorithms use a different key for encryption and decryption). Without the key the information cannot be accessed and is therefore protected from unauthorised or unlawful processing.

Whilst it is possible to attempt decryption without the key (by trying every possible key in turn), in practical terms it will take such a long time to find the right key (ie many millions of years) that it becomes effectively impossible. However, as computing power increases, the time taken to try a large number of keys will fall, so it is important to keep algorithms and key sizes under review, normally by establishing a review period.

Encryption should be considered alongside a range of other technical and organisational security measures.

Organisations will need to ensure that use of encryption is effective against the risks they are trying to mitigate, as it cannot be used in every processing operation.

Organisations should consider the benefits that encryption will offer as well as the residual risks and whether there are other security measures that may be appropriate to put in place. A Privacy Impact Assessment will help document any decisions and the reasons for them. This can also ensure that the organisation is only using the minimum of personal data necessary for the purpose.

The importance of good key management should also not be underestimated. Organisations should ensure that they keep the keys secret in order for encryption to be effective.
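As an added illustration of the two points made in this section (the secret key is what keeps encrypted data unreadable, and the key size determines how long an exhaustive key search would take), the following example code is not part of this guidance. It encrypts a constructed sample record with AES-256-GCM using only Go's standard library, shows that decrypting with any other key fails rather than producing readable data, and estimates the average exhaustive-search time for several key sizes at an assumed rate of one trillion guesses per second. The secret string, the sample record and the guess rate are all assumptions made for the example; the key-derivation step is a stand-in for a proper key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"math"
)

// Sample record constructed for this example; it is not real personal data.
const sampleRecord = "Name: A. Example, DOB: 01/01/1980, Reference: PLACEHOLDER-0001"

// DeriveKey turns a long secret into a 32-byte AES-256 key. SHA-256 is used
// here only to obtain a fixed-length key for the example (an assumption);
// a real deployment would use a managed key store and a proper KDF.
func DeriveKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

// Encrypt seals plaintext with AES-256-GCM. A fresh random nonce is prefixed
// to the ciphertext so that the holder of the key can decrypt it later.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens data produced by Encrypt. With the wrong key, GCM's
// authentication tag fails to verify and an error is returned: the data
// stays unreadable instead of decrypting to garbage.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// BruteForceYears estimates the average time (half the key space) for an
// exhaustive key search at a given guess rate, to support the key-size
// review the guidance recommends.
func BruteForceYears(keyBits int, guessesPerSecond float64) float64 {
	averageKeys := math.Pow(2, float64(keyBits)) / 2
	const secondsPerYear = 365.25 * 24 * 3600
	return averageKeys / guessesPerSecond / secondsPerYear
}

func main() {
	// Assumed secret for the example; in practice the key comes from a key store.
	key := DeriveKey("laptop-disk-secret-constructed-for-example")

	sealed, err := Encrypt(key, []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored form (%d bytes, unreadable without the key): %x...\n", len(sealed), sealed[:8])

	// Data must be decrypted with the right key to be actively processed.
	opened, err := Decrypt(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("opened with the correct key:", string(opened))

	// Any other key fails authentication and yields no plaintext at all.
	_, err = Decrypt(DeriveKey("some-other-key"), sealed)
	fmt.Println("opened with a wrong key:", err)

	// Why key sizes need periodic review: assumed rate of 1e12 guesses/second.
	for _, bits := range []int{56, 128, 256} {
		fmt.Printf("%3d-bit key: about %.3g years on average\n", bits, BruteForceYears(bits, 1e12))
	}
}
```

The estimate is deliberately simple: it assumes no weakness in the algorithm and a single fixed guess rate, so it is a lower bound on the attacker's effort for that rate only. Re-running it with a higher rate as hardware improves is the kind of check a review period is meant to prompt.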

Encryption can take many different forms. Whilst it is not the intention to review each of these in turn, it is important to recognise when and where encryption can provide protection to certain types of data processing activities.

Encryption is also governed by laws and regulations, which may differ by country. For example, in the UK data owners may be required to provide access to the key in the event they receive a court order to do so.

Not all processing activities can be completely protected from end to end using encryption. This is because at present information needs to exist in a plain text form whilst being ‘actively processed’. For example, data contained within a spreadsheet can be stored in an encrypted format but in order to be opened by the spreadsheet software and analysed by the user it must first be decrypted. The same is true for information sent over the internet – it can be encrypted whilst it is in transit but must be decrypted in order for the recipient to read the information.

When is encryption useful?

When processing data, there are a number of areas that can benefit from the use of encryption. The benefits and risks of using encryption at these different points in the lifecycle should be assessed separately. The two main purposes for which data controllers may wish to consider using encryption are data storage and data transfer. These two activities can also be referred to as data at rest and data in transit.

Recommendation

Data controllers should have a policy governing the use of encryption, including guidelines that enable staff to understand when they should and should not use it.

For example, there may be a guideline stating that any email containing sensitive personal data (either in the body or within an attachment) should be sent encrypted or that all mobile devices should be encrypted and secured with a password complying with a specific format.

Data controllers should also be aware of any industry or sector specific guidelines that may recommend a minimum standard for encrypting personal data.