When it is necessary to transfer a large volume of personal data from one location to another, a data controller might consider using a physical disc such as a CD or DVD. In this scenario the data controller must consider the format of the data on the disc and the security of the transfer (eg the postal service used).

Using a recorded delivery method or specialist courier will give assurances that the disc is signed for by the intended recipient. This reduces, but does not entirely eliminate, the risk of the personal data being intercepted, lost or stolen.

If the data controller sent the data unencrypted, there is a risk that, if the disc was lost or stolen, any third party could gain unauthorised access to the personal data.

It is therefore necessary to consider encryption to add an additional layer of protection.

Encrypting the data on the disc ensures that an attacker could only gain access to the personal data by breaking the encryption.

However, in order to decrypt the data the recipient must have access to the correct type of hardware to read the disc (ie access to a CD drive) and compatible software to decrypt the data (in some cases the exact same software will be needed). This can cause some difficulties in corporate environments which have disabled access to CD drives or do not permit users to install unauthorised software.

The sender would also need to consider a method to transfer the key or password to the recipient. To achieve the maximum guarantees that can be offered by the use of encryption, the password must be transferred over a separate communication channel, eg by disclosing the password over the telephone upon confirmation that the package has been delivered. Including the password within the same envelope as the disc significantly reduces the protection offered by the encryption.
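A pre-dispatch check on the folder that is about to be written to the disc, as an added example that is not part of the original guidance: it flags files that look unencrypted and any file that contains the password. The function names, the 7.5 bits-per-byte threshold and the sample files are assumptions made for this illustration; the entropy test is a heuristic that catches plaintext but cannot prove a file is encrypted, since compressed data also scores high.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Headers of common readable formats; a staged file starting with one of
# these exposes at least its structure, so it needs manual review.
PLAINTEXT_MAGIC = {b"%PDF": "PDF", b"PK\x03\x04": "ZIP/Office", b"\xff\xd8\xff": "JPEG"}
MIN_ENTROPY = 7.5  # bits per byte; assumed threshold, ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def audit_staging(folder: Path, passphrase: str) -> list[str]:
    """Return findings that should block burning `folder` to disc."""
    findings = []
    secret = passphrase.encode()
    for path in sorted(p for p in folder.rglob("*") if p.is_file()):
        data = path.read_bytes()
        name = path.relative_to(folder).as_posix()
        if secret and secret in data:
            findings.append(f"{name}: contains the passphrase")
        kind = next((k for m, k in PLAINTEXT_MAGIC.items() if data.startswith(m)), None)
        if kind:
            findings.append(f"{name}: readable {kind} header")
        elif shannon_entropy(data) < MIN_ENTROPY:
            findings.append(f"{name}: low entropy, looks unencrypted")
    return findings


def demo() -> list[str]:
    """Constructed sample: random bytes stand in for an encrypted archive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records.enc").write_bytes(os.urandom(65536))
        (root / "records.csv").write_bytes(b"name,dob\nA Person,2001-01-01\n" * 200)
        (root / "README.txt").write_bytes(b"Password: correct-horse-9\n")
        return audit_staging(root, "correct-horse-9")


if __name__ == "__main__":
    print("\n".join(demo()) or "staging folder passed")
```

An empty result means only that nothing obviously readable was staged; the password still has to reach the recipient over a separate channel.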

Example

The Nursing and Midwifery Council were issued with a £150,000 Civil Monetary Penalty after the council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children.

The ICO investigation found the information was not encrypted.