Encrypting data whilst it is being transferred from one device to another (eg across the internet or over a wireless connection) provides effective protection against interception of the communication by a third party.

It is also good practice to use encrypted communication when transmitting any data over a wireless communication network (eg Wi-Fi) or when the data will pass through an untrusted network.

Data can be transformed into an encrypted format (see Individual file encryption above) and transferred over a non-secure communication channel yet still remain protected. An example would be sending an appropriately encrypted attachment via email.

However, use of secure communication methods such as Transport Layer Security (TLS) or a Virtual Private Network (VPN) will provide assurance that the content of the communication cannot be understood if intercepted, provided the method is implemented correctly.

It is important to remember that without additional encryption methods in place (such as encrypted data storage) the data will only be encrypted whilst in transit and will be stored on the recipient’s system in the same form as it is stored on the data controller’s system (ie in plain text).

Example

A data controller intends to use a cloud-based data storage service as a repository to archive data.

Data transfer
The data controller uses TLS to encrypt data whilst in transit such that it cannot be intercepted.

Data storage
The data controller recognises that Transport Layer Security will only provide appropriate protection whilst the data is in transit. Once received by the cloud provider the data would normally exist in a decrypted state. Therefore the data controller encrypts each file on his system prior to upload. The cloud provider, or another third party, is therefore unable to gain access to the personal data whilst it is stored in the cloud.

Residual risks with encrypted data transfer

Data controllers should recognise that even if a system uses encrypted data transfer there are still occasions where data can be subject to unauthorised access. It is important to be aware of these residual risks and address these as part of an encryption policy which can also include employee awareness training. Some examples include:

  • certain data relating to the communication may still be exposed (eg metadata) in an unencrypted form; and
  • implementations relying on public-key infrastructure must implement strict certificate checking to maintain trust in end-points.
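The strict certificate checking named in the second point, shown as an added example that is not part of the original guidance: a TLS client configuration that verifies the server's certificate and host name, beside the weak configuration that encrypts without establishing trust in the end-point, and a check that tells the two apart. The function names and the TLS 1.2 floor are assumptions made for this example.

```python
import socket
import ssl


def strict_client_context():
    """Client context that verifies the certificate chain and host name."""
    # create_default_context() loads the system trust store and enables
    # CERT_REQUIRED and check_hostname for client use.
    ctx = ssl.create_default_context()
    # Assumption for this example: refuse anything older than TLS 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context():
    """The misconfiguration to look for: encryption without end-point trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be switched off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    return ctx


def audit_context(ctx):
    """Return the reasons a client context falls short of strict checking."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the host name")
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        findings.append("protocol versions older than TLS 1.2 are permitted")
    return findings


def open_verified(host, port=443, timeout=10):
    """Connect with the strict context; a bad certificate raises
    ssl.SSLCertVerificationError during the handshake, before any data is sent."""
    ctx = strict_client_context()
    findings = audit_context(ctx)
    if findings:
        raise RuntimeError("; ".join(findings))
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
```

Running audit_context over the contexts an application actually builds is a quick way to confirm that certificate checking has not been switched off to work around a deployment problem.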

Recommendation

When transmitting personal data over the internet, particularly sensitive personal data, data controllers should use an encrypted communication protocol (eg the latest version of TLS).

This also applies when transmitting any data over a wireless communication network (eg Wi-Fi), or when the data will pass through an untrusted network.

Many web hosts will also offer options to add TLS to existing websites.

Read our further guidance on protecting personal data in online services for more information: